
ECS: Resolution for the CVE-2022-31231 security vulnerability on 3.5.x/3.6.x

Summary: Resolves an improper access control issue in the Identity and Access Management (IAM) module. A remote unauthenticated attacker could potentially exploit this vulnerability to gain unauthorized read access to data. This affects all ECS 3.5.x.x and ECS 3.6.x.x versions.


Symptoms

CVE ID: CVE-2022-31231
Severity: Medium

Cause

Improper access control in the Identity and Access Management (IAM) module.

Resolution

Who should perform this procedure?
Dell requests that this procedure, upgrading xDoctor and installing the patch, be performed by the customer. It is the fastest and safest approach because it avoids prolonged exposure to the vulnerability. All steps are detailed in this KB. A video guide that can be followed alongside this KB is also available (link below).



Procedure impact:
I/O timeouts are to be expected while the dataheadsvc service is restarted node by node. Applications should access the cluster through a load balancer and must be able to handle I/O timeouts. A maintenance window is recommended for this procedure.

CAS-only exception:
If every bucket on the system is tagged as CAS, the system is not affected by this vulnerability. The patch does not need to be applied and this KB does not need to be followed. List the buckets with the command below and check that the API Type column shows CAS for every bucket; any bucket with a different API type means the patch is required.

Command: svc_bucket list
Example:

admin@ecs-n1:~> svc_bucket list
svc_bucket v1.0.33 (svc_tools v2.5.1)                 Started 2022-07-08 08:49:11

                                                                                                                                       Bucket     Temp
                                                                 Replication         Owner            Owner           API     FS       Versioning Failed
Bucket Name                            Namespace                 Group               User             VDC             Type    Enabled  Enabled    (TSO)

cas_bucket                             region_ns                 RG1                 casuser          VDC1            CAS     false    Disabled   False
cas_bu                                 region_ns                 RG1                 cas_obj          VDC1            CAS     false    Disabled   False
test                                   region_ns                 RG1                 test1            VDC1            CAS     false    Disabled   False
test_cas                               region_ns                 RG1                 test_cas         VDC1            CAS     false    Disabled   False
test_bkt_cas                           region_ns                 RG1                 user_test        VDC1            CAS     false    Disabled   False
Friday_cas                             region_ns                 RG1                 Friday_cas       VDC1            CAS     false    Disabled   False
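The check below is an added example, not part of this KB or of Dell's svc_tools: it parses the output of svc_bucket list in the column layout shown above (Bucket Name, Namespace, Replication Group, Owner User, Owner VDC, API Type, FS Enabled, Versioning Enabled, Temp Failed) and reports every bucket whose API Type is not CAS, so the exception can be decided by a script rather than by eye on a VDC with hundreds of buckets. The sample output embedded in it is constructed; the "mixed" S3 bucket does not exist in the example above and is there only to show the failing case. It assumes bucket names contain no spaces.

```shell
#!/bin/sh
# Added example (not Dell's code): decide the CAS-only exception from
# `svc_bucket list` output. Assumes the column layout shown in the KB and
# bucket names without spaces.

# Constructed sample output; the "mixed" S3 bucket is made up for this example.
SAMPLE_BUCKET_LIST='svc_bucket v1.0.33 (svc_tools v2.5.1)                 Started 2022-07-08 08:49:11

                                                                                                                                       Bucket     Temp
                                                                 Replication         Owner            Owner           API     FS       Versioning Failed
Bucket Name                            Namespace                 Group               User             VDC             Type    Enabled  Enabled    (TSO)

cas_bucket                             region_ns                 RG1                 casuser          VDC1            CAS     false    Disabled   False
mixed                                  region_ns                 RG1                 s3user           VDC1            S3      false    Enabled    False
test_cas                               region_ns                 RG1                 test_cas         VDC1            CAS     false    Disabled   False'

# non_cas_buckets: read svc_bucket output on stdin and print
# "bucket<TAB>api_type" for every data row whose API Type is not CAS.
non_cas_buckets() {
    awk '
        # Data rows have exactly 9 whitespace-separated fields. The banner,
        # blank lines and the three header lines never do, or start with
        # "svc_bucket" / "Bucket", so they are skipped.
        NF == 9 && $1 != "Bucket" && $1 !~ /^svc_bucket/ && $6 != "CAS" {
            printf "%s\t%s\n", $1, $6
        }'
}

# all_buckets_are_cas: exit 0 when every bucket is CAS (patch not required),
# exit 1 and list the offending buckets otherwise.
all_buckets_are_cas() {
    offenders=$(non_cas_buckets)
    if [ -n "$offenders" ]; then
        printf 'Non-CAS buckets found, the patch is required:\n%s\n' "$offenders"
        return 1
    fi
    echo "All buckets are CAS; this VDC is not affected by CVE-2022-31231."
    return 0
}

# Live usage on an ECS node (not run here):
#   svc_bucket list | all_buckets_are_cas
```

Run it with the real svc_bucket list output piped in; a non-zero exit means at least one bucket is not CAS and the rest of this KB applies.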


Approximate time required:
By default, there is a 60-second delay between the service restarts on consecutive nodes. Allow the number of nodes in the virtual data center (VDC) multiplied by 60 seconds, plus 30 minutes for preparation, service stabilization and the post-checks.

Example:
A 48-node VDC may take roughly 80 minutes:
60 seconds x 48 (VDC node count) + 30 minutes (preparation) = roughly 80 minutes.

An 8-node VDC may take roughly 40 minutes:
60 seconds x 8 (VDC node count) + 30 minutes (preparation) = roughly 40 minutes.


Frequently asked questions (FAQ):
Q: Is this patch part of an xDoctor release?
A: The patch installation script is part of xDoctor version 4.8-84 and later. Instructions for downloading xDoctor and running the patch installation are included in the resolution steps.

Q: Can I update multiple VDCs at the same time?
A: No, patch one VDC at a time.

Q: If I upgrade ECS after running this procedure, do I need to run it again after the upgrade?
A: No, if you upgrade to a code version listed in DSA-2022-153, which contains the permanent fix. Yes, if you upgrade to a code version that is not listed in that DSA.

Q: Does the patch need to be reapplied on a previously patched system after a node replacement, reimage or expansion?
A: No, if the VDC is on a code version listed in DSA-2022-153 with the permanent fix. Yes, if any of those actions are performed on a VDC running a code version that is not listed in that DSA. Where the patch is needed in those cases, the responsible Dell engineer contacts you to advise that the update is required.

Q: What if I only use legacy users and not IAM?
A: Customers need to apply the patch regardless of whether only legacy users, rather than IAM, are in use.

Q: Which user should you be logged in as to run all the commands in this KB?
A: The admin user (system administrator), as shown by the admin@ prompt in the examples.

Q: Must svc_patch be run on every rack, or with a dedicated MACHINES file, when the VDC has multiple racks?
A: No. The tool automatically detects whether multiple racks are present and patches all nodes on all racks of that VDC.

Q: I notice that the target xDoctor version is no longer 4.8-84.0. Why?
A: xDoctor versions are released frequently, so it is recommended to always upgrade to the highest released version. However, if you previously ran the fix with 4.8-84.0, the system is fully protected from the vulnerability and the procedure does not need to be run again.

Resolution summary:

  1. Upgrade your ECS xDoctor software to version 4.8-84.0 or later.
  2. Run the pre-checks.
  3. Apply the system patch with the svc_patch tool shipped with xDoctor.
  4. Confirm that the fix has been applied.
  5. Troubleshooting.

Resolution steps:

  1. Upgrade your ECS xDoctor software to the latest available version.

  1.1 Check the xDoctor version running on the system. If it is 4.8-84.0 or later, go to step 2, "Run the pre-checks". Otherwise continue with the steps below.
Command:
# sudo xdoctor --version

Example:
admin@node1:~> sudo xdoctor --version
4.8-84.0
  1.2 Log in to the Dell Support site, go to the download link, search for xDoctor in the keyword search bar, and click the xDoctor 4.8-84.0 RPM link to download it. To review the release notes, select Manuals and Documents in the sidebar of the download page and follow the release notes.
  1.3 After downloading the RPM, upload it with any SCP client to the /home/admin directory on the first ECS node.
  1.4 When the upload completes, SSH to the first node of the ECS system as the admin user.
  1.5 Upgrade xDoctor on all nodes with the newly released version.
Command:
# sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm

Example:
admin@ecs-n1:~> sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm
2022-07-04 07:41:49,209: xDoctor_4.8-83.0 - INFO    : xDoctor Upgrader Instance (1:SFTP_ONLY)
2022-07-04 07:41:49,210: xDoctor_4.8-83.0 - INFO    : Local Upgrade (/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm)
2022-07-04 07:41:49,226: xDoctor_4.8-83.0 - INFO    : Current Installed xDoctor version is 4.8-83.0
2022-07-04 07:41:49,242: xDoctor_4.8-83.0 - INFO    : Requested package version is 4.8-84.0
2022-07-04 07:41:49,242: xDoctor_4.8-83.0 - INFO    : Updating xDoctor RPM Package (RPM)
2022-07-04 07:41:49,293: xDoctor_4.8-83.0 - INFO    :  - Distribute package
2022-07-04 07:41:50,759: xDoctor_4.8-83.0 - INFO    :  - Install new rpm package
2022-07-04 07:42:04,401: xDoctor_4.8-83.0 - INFO    : xDoctor successfully updated to version 4.8-84.0
  1.6 If the environment is a multi-rack VDC, the new xDoctor package must also be installed on the first node of each rack. To identify these rack masters, run the command below. In this example there are four racks, so four rack masters are listed.
  1.6.1 Find the rack master nodes.
Command:
# svc_exec -m "ip address show private.4 |grep -w inet"

Example:
admin@ecsnode1~> svc_exec -m "ip address show private.4 |grep -w inet"
svc_exec v1.0.2 (svc_tools v2.1.0)                 Started 2021-12-20 14:03:33
 
Output from node: r1n1                                retval: 0
    inet 169.254.1.1/16 brd 169.254.255.255 scope global private.4
 
Output from node: r2n1                                retval: 0
    inet 169.254.2.1/16 brd 169.254.255.255 scope global private.4
 
Output from node: r3n1                                retval: 0
    inet 169.254.3.1/16 brd 169.254.255.255 scope global private.4
 
Output from node: r4n1                                retval: 0
    inet 169.254.4.1/16 brd 169.254.255.255 scope global private.4
  1.6.2 Copy the package from the first node of the system (R1N1) to the other rack masters:
Example:
admin@ecsnode1~> scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.2.1:/home/admin/
xDoctor4ECS-4.8-84.0.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
admin@ecsnode1~> scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.3.1:/home/admin/
xDoctor4ECS-4.8-84.0.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
admin@ecsnode1~> scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.4.1:/home/admin/
xDoctor4ECS-4.8-84.0.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
admin@ecsnode1~>
  1.6.3 Run the same xDoctor upgrade command from step 1.5 on each rack master identified above.
Command:
# sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm
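The helper below is an added example, not part of this KB or of Dell's svc_tools: it parses the svc_exec output from step 1.6.1, keeps only the private.4 addresses, drops the node you are already on, and prints the scp and upgrade commands for the remaining rack masters so the distribution plan can be reviewed before anything is copied. It assumes every rack master's private.4 address has the shape 169.254.<rack>.1 as in the example, that the RPM was uploaded to the first node of rack 1, and that an admin-to-admin ssh from that node to each rack master works (the scp in step 1.6.2 already relies on this). The svc_exec output embedded in it is a constructed copy of the example above.

```shell
#!/bin/sh
# Added example (not Dell's code): derive the rack-master list from
# `svc_exec -m "ip address show private.4 |grep -w inet"` output and print
# the per-rack scp + xdoctor upgrade commands for review.
# Assumptions: rack masters are 169.254.<rack>.1, the local node is the one
# holding the RPM, and ssh as admin to each rack master is possible.

# Constructed sample, shaped like the svc_exec example in the KB.
SAMPLE_SVC_EXEC_OUTPUT='svc_exec v1.0.2 (svc_tools v2.1.0)                 Started 2021-12-20 14:03:33

Output from node: r1n1                                retval: 0
    inet 169.254.1.1/16 brd 169.254.255.255 scope global private.4

Output from node: r2n1                                retval: 0
    inet 169.254.2.1/16 brd 169.254.255.255 scope global private.4

Output from node: r3n1                                retval: 0
    inet 169.254.3.1/16 brd 169.254.255.255 scope global private.4

Output from node: r4n1                                retval: 0
    inet 169.254.4.1/16 brd 169.254.255.255 scope global private.4'

# rack_masters LOCAL_IP: read svc_exec output on stdin and print one
# rack-master IP per line, excluding LOCAL_IP (the node you run from).
rack_masters() {
    local_ip=$1
    awk -v self="$local_ip" '
        $1 == "inet" {
            split($2, a, "/")          # "169.254.2.1/16" -> "169.254.2.1"
            if (a[1] != self) print a[1]
        }'
}

# distribute_commands LOCAL_IP RPM_PATH: print, for each remote rack master,
# the scp of the RPM and the xdoctor upgrade command from the KB. Printed
# rather than executed so the plan can be checked first.
distribute_commands() {
    local_ip=$1
    rpm=$2
    rack_masters "$local_ip" | while read -r ip; do
        printf 'scp %s %s:/home/admin/\n' "$rpm" "$ip"
        printf 'ssh %s sudo xdoctor --upgrade --local=/home/admin/%s\n' \
            "$ip" "$(basename "$rpm")"
    done
}

# Live usage on R1N1 (not run here):
#   svc_exec -m "ip address show private.4 |grep -w inet" \
#     | distribute_commands 169.254.1.1 /home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm
```

Pipe the real svc_exec output in and run the printed commands one rack master at a time; each upgrade should finish with "xDoctor successfully updated" as in the step 1.5 example.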
 
  2. Run the pre-checks.
  2.1 Check that the DTs are stable with the svc_dt command. The DTs are stable when the "Unready #" column shows 0. If so, go to the next step. If not, wait 15 minutes and check again. If the DTs still have not stabilized, open a service request with ECS support.
Command:
# svc_dt check -b

Example:
admin@ecs-n1:~> svc_dt check -b

svc_dt v1.0.27 (svc_tools v2.4.1)                 Started 2022-06-14 11:34:26

Date                     Total DT       Unknown #      Unready #      RIS Fail #     Dump Fail #    Check type     Time since check   Check successful

2022-06-14 11:34:09      1920           0              0              0              0              AutoCheck      0m 17s             True
2022-06-14 11:32:59      1920           0              0              0              0              AutoCheck      1m 27s             True
2022-06-14 11:31:48      1920           0              0              0              0              AutoCheck      2m 38s             True
2022-06-14 11:30:38      1920           0              0              0              0              AutoCheck      3m 48s             True
2022-06-14 11:29:28      1920           0              0              0              0              AutoCheck      4m 58s             True
2022-06-14 11:28:18      1920           0              0              0              0              AutoCheck      6m 8s              True
2022-06-14 11:27:07      1920           0              0              0              0              AutoCheck      7m 19s             True
2022-06-14 11:25:57      1920           0              0              0              0              AutoCheck      8m 29s             True
2022-06-14 11:24:47      1920           0              0              0              0              AutoCheck      9m 39s             True
2022-06-14 11:23:37      1920           0              0              0              0              AutoCheck      10m 49s            True
  2.2 Verify that all nodes are online with the svc_patch status command. If so, go to the next step. If not, investigate why, bring the node back online, and run the check again. If the node cannot be brought online, open a service request with ECS support to investigate. On an unpatched system the status output lists CVE-2022-31231_iam-fix under "Patches that need to be installed" and dataheadsvc as the service to be restarted, as in the example.
Command:
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status

Example:
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        n/a                                      (Base release)

Patches that need to be installed:
        CVE-2022-31231_iam-fix                                  (PatchID: 3525)

Files that need to be installed:
        /opt/storageos/conf/iam.object.properties               (from CVE-2022-31231_iam-fix)
        /opt/storageos/lib/storageos-iam.jar                    (from CVE-2022-31231_iam-fix)

The following services need to be restarted:
        dataheadsvc
 
  3. Apply the system patch with the svc_patch tool shipped with xDoctor.
  3.1 Run the svc_patch install command, type "y" and press Enter when prompted to install the patch. The command can be run on any ECS node. Start it inside a screen session with TMOUT unset so that an idle timeout or a dropped SSH connection does not interrupt the rolling service restarts (see the note below on reattaching to the screen session).
Command:
# screen -S patchinstall
# unset TMOUT
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install

Example:
Note: the output below contains a prompt to continue.
admin@ecs-n1:~> screen -S patchinstall
admin@ecs-n1:~> unset TMOUT
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        n/a                                      (Base release)

Patches that will be installed:
        CVE-2022-31231_iam-fix                                  (PatchID: 3525)

Files that will be installed:
        /opt/storageos/conf/iam.object.properties               (from CVE-2022-31231_iam-fix)
        /opt/storageos/lib/storageos-iam.jar                    (from CVE-2022-31231_iam-fix)

The following services will be restarted:
        dataheadsvc

Patch Type:                                                     Standalone
Number of nodes:                                                5
Number of seconds to wait between restarting node services:     60
Check DT status between node service restarts:                  false

Do you wish to continue (y/n)?y


Distributing files to node 169.254.1.1
        Distributing patch installer to node '169.254.1.1'
Distributing files to node 169.254.1.2
        Distributing patch installer to node '169.254.1.2'
Distributing files to node 169.254.1.3
        Distributing patch installer to node '169.254.1.3'
Distributing files to node 169.254.1.4
        Distributing patch installer to node '169.254.1.4'
Distributing files to node 169.254.1.5
        Distributing patch installer to node '169.254.1.5'


Restarting services on 169.254.1.1
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.2
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.3
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.4
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.5
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE

Patching complete. 
  3.2 When patching completes, as in the output above, exit the screen session.
Example:
admin@node1:/> exit
logout

[screen is terminating]
admin@node1:/>
Note:
If the PuTTY session is closed accidentally while the install is running, log in to the same node again and reattach with the following commands:

Command:
# screen -ls
admin@node1:~> screen -ls
There is a screen on:
        113275.pts-0.ecs-n3     (Detached)
1 Socket in /var/run/uscreens/S-admin.
Reattach to the detached session reported in the output above:
admin@node1:~> screen -r 113275.pts-0.ecs-n3
 
  4. Confirm that the fix has been applied.
  4.1 The following output is from a system where the fix has been applied: CVE-2022-31231_iam-fix is listed under "Patches/releases currently installed" and no files or services are pending.
Command:
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status

Example:
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        CVE-2022-31231_iam-fix                   (PatchID: 3525)        Fix for ECS iam vulnerability CVE-2022-31231
        n/a                                      (Base release)

Patches that need to be installed:

        No files need to be installed.


The following services need to be restarted:
        No services need to be restarted.
  4.2 The following output is from a system where the fix has not yet been applied.
Example:
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        n/a                                      (Base release)

Patches that need to be installed:
        CVE-2022-31231_iam-fix                                  (PatchID: 3525)

Files that need to be installed:
        /opt/storageos/conf/iam.object.properties               (from CVE-2022-31231_iam-fix)
        /opt/storageos/lib/storageos-iam.jar                    (from CVE-2022-31231_iam-fix)

The following services need to be restarted:
        dataheadsvc
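The two functions below are an added example, not part of this KB or of Dell's svc_tools: they turn the go/no-go decisions of the pre-check (step 2.1: the newest svc_dt row must show 0 unready DTs) and of the verification (step 4: the patch must appear under "Patches/releases currently installed") into script checks that can gate an automated maintenance run. They assume the column order of svc_dt check -b and the section headings of svc_patch status are exactly as in the examples above. All embedded outputs are constructed copies of those examples, shortened; the row with 12 unready DTs is made up to show the failing case.

```shell
#!/bin/sh
# Added example (not Dell's code): script-level gates over `svc_dt check -b`
# and `svc_patch status` output. Assumes the column order and section
# headings shown in the KB examples.

# Constructed `svc_dt check -b` sample, newest check first (stable).
SAMPLE_DT_OK='svc_dt v1.0.27 (svc_tools v2.4.1)                 Started 2022-06-14 11:34:26

Date                     Total DT       Unknown #      Unready #      RIS Fail #     Dump Fail #    Check type     Time since check   Check successful

2022-06-14 11:34:09      1920           0              0              0              0              AutoCheck      0m 17s             True
2022-06-14 11:32:59      1920           0              0              0              0              AutoCheck      1m 27s             True'

# Same shape, but the latest check reports unready DTs (made up).
SAMPLE_DT_UNREADY='svc_dt v1.0.27 (svc_tools v2.4.1)                 Started 2022-06-14 11:34:26

Date                     Total DT       Unknown #      Unready #      RIS Fail #     Dump Fail #    Check type     Time since check   Check successful

2022-06-14 11:34:09      1920           0              12             0              0              AutoCheck      0m 17s             True'

# dt_stable: read svc_dt output on stdin; succeed only if the most recent
# row shows 0 unknown, 0 unready DTs and "Check successful" == True.
dt_stable() {
    awk '
        # Data rows start with a YYYY-MM-DD date. Fields: date time total
        # unknown unready risfail dumpfail checktype <time since> successful.
        $1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ && !seen {
            seen = 1
            ok = ($4 == 0 && $5 == 0 && $NF == "True")
        }
        END { exit ok ? 0 : 1 }'
}

# Constructed `svc_patch status` samples: patched and unpatched (shortened).
SAMPLE_PATCH_INSTALLED='svc_patch Version 2.9.2

Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        CVE-2022-31231_iam-fix                   (PatchID: 3525)        Fix for ECS iam vulnerability CVE-2022-31231
        n/a                                      (Base release)

Patches that need to be installed:

        No files need to be installed.'

SAMPLE_PATCH_PENDING='svc_patch Version 2.9.2

Patches/releases currently installed:
        n/a                                      (Base release)

Patches that need to be installed:
        CVE-2022-31231_iam-fix                                  (PatchID: 3525)

The following services need to be restarted:
        dataheadsvc'

# patch_state PATCH_NAME: read svc_patch status output on stdin and print
# "installed", "pending", or "unknown" (for example when the check FAILED
# and no section lists the patch).
patch_state() {
    awk -v patch="$1" '
        /^Patches\/releases currently installed:/ { section = "installed"; next }
        /^Patches that need to be installed:/     { section = "pending";   next }
        /^[A-Z]/                                  { section = "" }   # other headings end a section
        section != "" && $1 == patch              { state = section; exit }
        END { print (state == "" ? "unknown" : state) }'
}

# Live usage on an ECS node (not run here):
#   svc_dt check -b | dt_stable || { echo "DTs not stable, wait 15 min"; exit 1; }
#   /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status \
#     | patch_state CVE-2022-31231_iam-fix
```

A result of "unknown" from patch_state is the case to look at by hand: it is what the troubleshooting outputs below (an isolated patch already installed, an unreachable node, a failed bundle checksum) produce, and none of them should be treated as "patched".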


Troubleshooting

  1. During the pre-check, svc_patch reports the error below. In this case, contact remote support, who provides a customer-specific isolated patch for that environment.
Example:
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           FAILED
Fatal:  Currently installed version of storageos-iam.jar is unknown.
        This likely means that a custom Isolated Patch is installed.
        Please contact your next level of support for further steps, and
        include this information
        Detected md5sum:  6ec26421d426365ecb2a63d8e0f8ee4f
  2. Applying the patch fails because the host cannot be added to the list of known hosts.
Example:
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           FAILED

ERROR: Could not execute commands on the object-main container on 169.254.x.x
  Output was 'Failed to add the host to the list of known hosts (/home/admin/.ssh/known_hosts).
:patchtest:'

Patching is unable to continue with unreachable nodes.  To proceed:
 - Resolve problems accessing node(s) from this one.
 - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended).
 - Contact your next level of support for other options or assistance.
Resolution:
The likely cause is that /home/admin/.ssh/known_hosts is owned by root instead of by the admin user, which is the default.

Example:
admin@node1:~> ls -l  /home/admin/.ssh/known_hosts
-rw------- 1 root root 1802 Jul 23  2019 /home/admin/.ssh/known_hosts
admin@node1:~>

To fix this, open another PuTTY session, log in as admin to each node reported in the error, and change the owner of the file to admin with the following command:

Command:
#  sudo chown admin:users /home/admin/.ssh/known_hosts

Example:
admin@node1:~> sudo chown admin:users /home/admin/.ssh/known_hosts
Now run the svc_patch command again; it should pass.
admin@node1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install
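The function below is an added example, not part of this KB or of Dell's svc_tools: it checks the owner and group of the admin user's known_hosts file against the expected admin:users before svc_patch is run, and prints the exact chown to run only on a node where the ownership is wrong, so ownership is not changed blindly on nodes that are already correct. It assumes a stat that accepts -c (GNU or busybox, as on ECS nodes) with a BSD fallback for running the check elsewhere; the defaults admin and users are the values used in the chown above.

```shell
#!/bin/sh
# Added example (not Dell's code): verify known_hosts ownership before
# running svc_patch and print the fix when it is wrong. Assumes GNU/busybox
# `stat -c` (BSD `stat -f` fallback); expected owner defaults to admin:users.

# known_hosts_owner_ok FILE [OWNER] [GROUP]
#   0: FILE is owned by OWNER:GROUP
#   1: FILE exists but has a different owner (fix command is printed)
#   2: FILE does not exist (ssh creates it on first connection)
known_hosts_owner_ok() {
    file=$1
    want_user=${2:-admin}
    want_group=${3:-users}
    if [ ! -e "$file" ]; then
        echo "$file: missing (ssh creates it on the first connection)"
        return 2
    fi
    # GNU/busybox stat first, BSD stat as fallback.
    have=$(stat -c '%U:%G' "$file" 2>/dev/null || stat -f '%Su:%Sg' "$file")
    if [ "$have" = "$want_user:$want_group" ]; then
        echo "$file: owned by $have, OK"
        return 0
    fi
    echo "$file: owned by $have, expected $want_user:$want_group"
    echo "fix: sudo chown $want_user:$want_group $file"
    return 1
}

# Live usage on a node named in the svc_patch error (not run here):
#   known_hosts_owner_ok /home/admin/.ssh/known_hosts
# To see the ownership on every node of the VDC at once, the svc_exec tool
# used earlier in this KB can run the stat on all nodes (assumption: -m runs
# the quoted command on every node, as in the rack-master example):
#   svc_exec -m "stat -c '%U:%G %n' /home/admin/.ssh/known_hosts"
```

Run the check on each node listed in the "Could not execute commands" error; a return code of 1 is the root-owned case this troubleshooting item describes, and the printed chown is the documented fix.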
 
  3. Commands cannot be run on the object-main container on 169.254.x.x because the host key stored in /home/admin/.ssh/known_hosts is wrong.
Example:
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           FAILED

ERROR: Could not execute commands on the object-main container on 169.254.x.x
  Output was '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:RcwOsFj7zPA5p5kSeYovF4UlZTm125nLVeCL1zCqOzc.
Please contact your system administrator.
Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/admin/.ssh/known_hosts:14
You can use following command to remove the offending key:
ssh-keygen -R 169.254.x.x -f /home/admin/.ssh/known_hosts
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
:patchtest:'

Patching is unable to continue with unreachable nodes.  To proceed:
 - Resolve problems accessing node(s) from this one.
 - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended).
 - Contact your next level of support for other options or assistance.
 
Resolution:
Contact ECS support for a resolution. Do not simply remove the offending key with the ssh-keygen -R command suggested in the warning: a changed host key is expected after a node replacement or reimage, but it is also exactly what a man-in-the-middle attack between the nodes would produce, and support can confirm which it is before the new key is trusted.
 
  4. When running the pre-check or applying this patch with the xDoctor 4.8-85.0 release, you may receive a warning that the md5sum of svc_base.py does not match:
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.3

Verifying patch bundle consistency                    FAILED

Patch bundle consistency check failed - md5sums for one or more files
in the patch bundle were invalid, or files were not found.

svc_patch will attempt to validate files in the patch using MD5SUMS.bundle, which
is bundled with the patch.

Output from md5sum was:
./lib/libs/svc_base.py: FAILED
md5sum: WARNING: 1 computed checksum did NOT match
 
Resolution:
Confirm that svc_base.py is the only file reported as FAILED, then run the following commands before applying the patch. They remove the svc_base.py entry from the patch bundle's checksum manifest and the manifest's own entry from xDoctor's checksum list, so the consistency check no longer fails on that file; the other files in the bundle remain covered by the manifest.
# sudo sed -i '/svc_base.py/d' /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/MD5SUMS.bundle
# sudo sed -i '/MD5SUMS.bundle/d' /opt/emc/xdoctor/.xdr_chksum