IBM has released a security bulletin detailing critical vulnerabilities in AIX that could allow remote attackers to execute arbitrary commands. The bulletin addresses two main vulnerabilities: CVE-2024-56346 and CVE-2024-56347.
The first vulnerability, CVE-2024-56346, lies within the IBM AIX nimesis NIM master service. It “could allow a remote attacker to execute arbitrary commands due to improper process controls.” This vulnerability has been assigned a CVSS Base Score of 10, indicating its critical severity.
The second vulnerability, CVE-2024-56347, affects the IBM AIX nimsh service. The “SSL/TLS protection mechanisms could allow a remote attacker to execute arbitrary commands due to improper process controls.” This vulnerability has a CVSS Base Score of 9.6, also signifying a high level of risk.
The vulnerabilities impact AIX versions 7.2 and 7.3. Specifically, the vulnerabilities are being addressed in the following filesets: bos.sysmgt.nim.client, bos.sysmgt.nim.master, and bos.sysmgt.sysbr.
IBM has assigned APARs (Authorized Program Analysis Reports) to address these issues. The specific APARs vary depending on the AIX level. IBM strongly recommends addressing these vulnerabilities immediately and has provided AIX fixes.
The AIX and VIOS fixes can be downloaded via the link in IBM's bulletin. The downloaded file is a tar archive containing the signed advisory, the fix packages, and an OpenSSL signature for each package. The fixes include prerequisite checking to ensure the correct mapping between the fixes and AIX Technology Levels.
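The following shell script is an added example, not part of IBM's bulletin or any IBM tooling. It shows the two checks an AIX administrator would run before and after applying the fix: an inventory of which of the three filesets named above are actually installed (parsed from `lslpp -L` output) and a wrapper for verifying a fix package against its detached OpenSSL signature. The `lslpp -L` sample embedded below is constructed, not captured from a real system, and the signature digest, `.sig` filename and PEM public key are assumptions; the exact verification command and filenames are in the signed advisory itself.

```shell
#!/bin/sh
# Added example (not from IBM's bulletin): check whether the filesets named
# in the advisory are installed, and verify a fix package's OpenSSL signature.

# Filesets named in IBM's bulletin for CVE-2024-56346 / CVE-2024-56347.
AFFECTED_FILESETS="bos.sysmgt.nim.client bos.sysmgt.nim.master bos.sysmgt.sysbr"

# Constructed sample of `lslpp -L` output (whitespace-separated columns:
# Fileset, Level, State, Type, Description). Not captured from a real host.
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.rte                    7.3.1.0    C     F    Base Operating System Runtime
  bos.sysmgt.nim.client      7.3.1.0    C     F    Network Install Manager - Client Tools
  bos.sysmgt.sysbr           7.3.1.0    C     F    System Backup and BOS Install Utilities'

# Read `lslpp -L` style output on stdin; print "fileset level" for every
# affected fileset that is installed (header and separator lines are skipped
# because their first field is not an affected fileset name).
installed_affected_filesets() {
    awk -v list="$AFFECTED_FILESETS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1, $2 }
    '
}

# Number of affected filesets present on the host (stdin = lslpp -L output);
# 0 means this advisory does not apply to the host.
count_affected() {
    installed_affected_filesets | wc -l | tr -d ' '
}

# Verify an IBM fix package against its detached OpenSSL signature.
# ASSUMPTION (not taken from the bulletin): the signature is a SHA-256 RSA
# signature stored as "<package>.sig" and the public key is a PEM file.
# Use the digest and filenames stated in the signed advisory on a real host.
verify_fix_signature() {
    pubkey="$1"; pkg="$2"
    openssl dgst -sha256 -verify "$pubkey" -signature "$pkg.sig" "$pkg"
}

# Stand-alone run on the constructed sample. On a real AIX host replace the
# sample with the live inventory:  lslpp -L | installed_affected_filesets
printf '%s\n' "$SAMPLE_LSLPP" | installed_affected_filesets
```

Run on the sample, the script lists `bos.sysmgt.nim.client` and `bos.sysmgt.sysbr` with their levels and omits `bos.sysmgt.nim.master`, so a host like this one is a NIM client and needs the client and sysbr fixes but not the master fix; the reported level is what you compare against the APAR's target level after installing the fix.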