IBM AIX/VIOS: Package manager opens critical security leak
IBM uses RPM for package management in the AIX and VIOS operating systems. It contains a critical security vulnerability. Admins must update.
(Image: vectorfusionart/Shutterstock.com)
IBM warns of a critical security vulnerability in the AIX and VIOS operating systems. It allows attackers to corrupt memory and, judging by its severity, most likely to inject and execute malicious code. IT managers should install the available updates now, the manufacturer urgently advises.
In its security advisory, IBM explains that AIX and VIOS rely on the RPM package manager, which in turn bundles SQLite, and that vulnerable SQLite versions before 3.50.2 are included. These contain a security vulnerability that can lead to arbitrary memory access (CVE-2025-6965 / EUVD-2025-21441, CVSS 7.2, risk "high").
Unlike the classification of the SQLite vulnerability itself, IBM rates the severity as a "critical" risk with a CVSS value of 9.8. AIX 7.2 and 7.3 as well as VIOS 3.1 and 4.1 are affected.
Apply updates quickly
IBM has published updated RPM filesets that replace the vulnerable versions of "rpm.rte" 4.15.1.1000 through 4.15.1.1016, 4.15.1.2000 through 4.15.1.2024 and 4.18.1.2000 through 4.18.1.2006. Admins can download them from IBM's website after logging in. Whether a vulnerable fileset is installed on a system can be determined with the command lslpp -L | grep -i rpm.rte.
IBM also provides a tar archive containing the corrections for RPM. Before installing the updated versions, IBM recommends creating a system backup with mksysb and verifying that it is bootable and readable. The command tar xvf rpm_fix4.tar then unpacks the updates.
The individual AIX and VIOS versions are then updated from the matching archive. Admins extract the RPM version for AIX 7.2 TL5 with tar xvf rpm_fix4/rpm_41511017.tar, for AIX 7.3 TL1 with tar xvf rpm_fix4/rpm_41512015.tar, and for AIX 7.3 TL2, TL3 and VIOS 4.1 with tar xvf rpm_fix4/rpm_41812007.tar. Two further calls apply the update: installp -apYd . rpm first simulates the installation run (preview), and installp -aXYd . rpm then performs it.
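As an added illustration (not IBM's tooling and not code from the advisory or this article), the following POSIX sh script encodes the three vulnerable rpm.rte ranges named above and checks lslpp -L output against them, so the decision does not depend on reading the level by eye. The sample lslpp lines are constructed, and the --live option and the file name check_rpm_rte.sh are assumptions of this script.

```shell
#!/bin/sh
# Added example (not IBM's advisory script): decide from "lslpp -L" output
# whether the installed rpm.rte level falls into one of the vulnerable ranges
# the advisory lists. Runs on any POSIX sh; on AIX/VIOS, pass --live to query
# the real system. The sample lslpp output below is constructed.

# Vulnerable rpm.rte ranges as given by the advisory, written as lo:hi.
VULN_RANGES="4.15.1.1000:4.15.1.1016 4.15.1.2000:4.15.1.2024 4.18.1.2000:4.18.1.2006"

# Turn a dotted fileset level (V.R.M.F) into one integer that sorts correctly.
# Assumption: at most four components, the last three each below 10000,
# which holds for every level named in the advisory.
level_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%d%04d%04d%04d' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Exit status 0 if the level lies inside a vulnerable range, 1 otherwise.
is_vulnerable_level() {
    key=$(level_key "$1")
    for range in $VULN_RANGES; do
        lo=${range%%:*}
        hi=${range#*:}
        if [ "$key" -ge "$(level_key "$lo")" ] && [ "$key" -le "$(level_key "$hi")" ]; then
            return 0
        fi
    done
    return 1
}

# Take the text of "lslpp -L" and report on every rpm.rte line in it.
# Exit status: 0 = no vulnerable level, 2 = vulnerable level found,
# 3 = rpm.rte not installed at all.
check_lslpp_output() {
    levels=$(printf '%s\n' "$1" | awk '$1 == "rpm.rte" { print $2 }')
    if [ -z "$levels" ]; then
        echo "rpm.rte: not installed"
        return 3
    fi
    rc=0
    for lvl in $levels; do
        if is_vulnerable_level "$lvl"; then
            echo "rpm.rte $lvl: VULNERABLE, apply IBM's rpm.rte fix"
            rc=2
        else
            echo "rpm.rte $lvl: outside the listed vulnerable ranges"
        fi
    done
    return $rc
}

# Constructed sample in the column layout of "lslpp -L" (not real host output).
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.rte                    7.3.2.0    C     F    Base Operating System Runtime
  rpm.rte                4.18.1.2005    C     F    RPM Package Manager'

if [ "${1:-}" = "--live" ]; then
    check_lslpp_output "$(lslpp -L)"             # real AIX/VIOS host
else
    check_lslpp_output "$SAMPLE_LSLPP" || true   # demo on the constructed sample
fi
```

On an AIX or VIOS host, sh check_rpm_rte.sh --live reports each installed rpm.rte level; an exit status of 2 means at least one level is inside a vulnerable range, and the mksysb backup, preview and installp steps described above then follow unchanged. Levels are compared numerically component by component rather than as strings, so 4.15.1.999 correctly sorts below 4.15.1.1000.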
Admins of IBM's AIX and VIOS only recently had to plug another security hole: at the end of September, it made root attacks on the operating systems possible.
(dmk)