ECS: Resolution for security vulnerability CVE-2022-31231 on 3.5.x/3.6.x

Summary: Resolves an improper access control issue in the Identity and Access Management (IAM) module. An unauthenticated remote attacker could exploit this vulnerability to gain read access to unauthorized data. All ECS 3.5.x.x and ECS 3.6.x.x versions are affected.


Symptoms

CVE ID: CVE-2022-31231
Severity: Medium

Cause

Improper access control in the Identity and Access Management (IAM) module.

Resolution

Who should perform this procedure?
Dell asks that the xDoctor upgrade and the patch installation be carried out by the customer. This is the fastest and safest approach, because it avoids prolonged exposure to the vulnerability. This knowledge base article details every step. While following it you can also consult the video guide, linked below.


Impact of the procedure:
I/O timeouts are to be expected while the dataheadsvc service is restarted node by node. Applications should access the cluster through a load balancer and must be able to handle I/O timeouts. A maintenance window is recommended for this procedure.

Exception for CAS-only buckets:
If every bucket on the system is of the CAS type, as shown in the API Type column of the example below, the system is not affected by this vulnerability. In that case the patch does not need to be applied and this KB does not need to be followed.

Command: svc_bucket list
Example:

admin@ecs-n1:~> svc_bucket list
svc_bucket v1.0.33 (svc_tools v2.5.1)                 Started 2022-07-08 08:49:11

                                                                                                                                       Bucket     Temp
                                                                 Replication         Owner            Owner           API     FS       Versioning Failed
Bucket Name                            Namespace                 Group               User             VDC             Type    Enabled  Enabled    (TSO)

cas_bucket                             region_ns                 RG1                 casuser          VDC1            CAS     false    Disabled   False
cas_bu                                 region_ns                 RG1                 cas_obj          VDC1            CAS     false    Disabled   False
test                                   region_ns                 RG1                 test1            VDC1            CAS     false    Disabled   False
test_cas                               region_ns                 RG1                 test_cas         VDC1            CAS     false    Disabled   False
test_bkt_cas                           region_ns                 RG1                 user_test        VDC1            CAS     false    Disabled   False
Friday_cas                             region_ns                 RG1                 Friday_cas       VDC1            CAS     false    Disabled   False
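As an added example (not part of the Dell article or its svc_tools), the shell function below applies the CAS-only test above to saved `svc_bucket list` text: it reads the API Type column of every bucket row and reports whether all buckets are CAS. The `svc_bucket` outputs embedded in it are constructed samples shaped like the listing above.

```shell
#!/bin/sh
# Added example, not part of the Dell article or svc_tools: decide whether a VDC
# meets the "CAS buckets only" exception by parsing saved `svc_bucket list` text.
# The inputs written below are constructed samples shaped like the article's output.

# cas_only_check FILE -> prints CAS_ONLY, NOT_CAS_ONLY:<non-CAS bucket names>, or NO_BUCKETS
cas_only_check() {
    awk '
        # Data rows follow the header line that begins with "Bucket Name".
        $1 == "Bucket" && $2 == "Name" { in_rows = 1; next }
        # Each data row has 9 whitespace-separated fields; API Type is field 6.
        in_rows && NF >= 9 {
            total++
            if ($6 != "CAS") { names = names " " $1 }
        }
        END {
            if (total == 0)       { print "NO_BUCKETS" }
            else if (names == "") { print "CAS_ONLY" }
            else                  { print "NOT_CAS_ONLY:" names }
        }' "$1"
}

# Constructed sample 1: every bucket is CAS, so per the article the patch is not required.
write_cas_only_sample() {
    cat > "$1" <<'EOF'
svc_bucket v1.0.33 (svc_tools v2.5.1)                 Started 2022-07-08 08:49:11

                                                          Bucket     Temp
                       Replication   Owner      Owner     API     FS       Versioning Failed
Bucket Name  Namespace Group         User       VDC       Type    Enabled  Enabled    (TSO)

cas_bucket   region_ns RG1           casuser    VDC1      CAS     false    Disabled   False
test_cas     region_ns RG1           test_cas   VDC1      CAS     false    Disabled   False
EOF
}

# Constructed sample 2: one S3 bucket among the CAS buckets, so the patch is required.
write_mixed_sample() {
    cat > "$1" <<'EOF'
svc_bucket v1.0.33 (svc_tools v2.5.1)                 Started 2022-07-08 08:49:11

Bucket Name  Namespace Group         User       VDC       Type    Enabled  Enabled    (TSO)

cas_bucket   region_ns RG1           casuser    VDC1      CAS     false    Disabled   False
app_data     region_ns RG1           appuser    VDC1      S3      true     Enabled    False
EOF
}

# Stand-alone demonstration over both constructed samples.
tmp=$(mktemp)
write_cas_only_sample "$tmp"; echo "sample 1: $(cas_only_check "$tmp")"
write_mixed_sample "$tmp";    echo "sample 2: $(cas_only_check "$tmp")"
rm -f "$tmp"
```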


Time required for the activity (approximate):
By default there is a 60-second delay between service restarts on each node. Number of nodes in the virtual data center (VDC) x 60 seconds + 30 minutes (for preparation, service stabilization and post-checks).

Example:
A 48-node VDC takes roughly 80 minutes:
60 seconds x 48 (VDC nodes) + 30 minutes (preparation) = about 80 minutes.

An 8-node VDC takes roughly 40 minutes:
60 seconds x 8 (VDC nodes) + 30 minutes (preparation) = about 40 minutes.


Frequently asked questions (FAQ):
Q: Is the patch part of an xDoctor release?
A: The patch installation script is included in xDoctor version 4.8-84 and later. Instructions for downloading xDoctor and running the patch installation are in the resolution steps.

Q: Can multiple VDCs be updated in parallel?
A: No. Apply the patch to one VDC at a time.

Q: If ECS is upgraded after running this procedure, does the procedure need to be run again after the upgrade?
A: No, if you upgrade to a code version with the permanent fix as specified in DSA-2022-153. Yes, if you upgrade to a code version not specified in that DSA.

Q: After a node replacement, re-image or expansion, does the patch need to be reapplied on a system where it was previously installed?
A: No, if the VDC is on a code version with the permanent fix as specified in DSA-2022-153. Yes, if any of these operations is performed on a VDC running a code version not specified in that DSA. If the patch is required in these situations, the responsible Dell engineer will contact you to advise that an update is needed.

Q: What if I only use legacy users and not IAM?
A: Customers need to apply the patch regardless of whether they use only legacy users and not IAM.

Q: Which user should I log in as to run all the commands in this knowledge base article?
A: admin

Q: Does svc_patch have to be run on every rack, or with a dedicated MACHINES file, when the VDC has multiple racks?
A: No. It automatically detects whether there are multiple racks and applies the patch to all nodes in all racks of that VDC.

Q: I noticed that the target xDoctor version is no longer 4.8-84.0. Why?
A: xDoctor is released frequently, so we always recommend upgrading to the highest released version. However, if you previously ran the fix with version 4.8-84.0, the system is fully protected against the vulnerability and there is no need to run it again.

Resolution summary:

  1. Upgrade the ECS xDoctor software to version 4.8-84.0 or later.
  2. Run the pre-checks.
  3. Apply the system patch with the svc_patch tool bundled with xDoctor.
  4. Confirm that the fix has been applied.
  5. Troubleshooting.

Resolution steps:

  1. Upgrade the ECS xDoctor software to the latest available version.

  1.1. Check the xDoctor version running on the system. If it is 4.8-84.0 or later, go to step 2, "Run the pre-checks". Otherwise, continue with the following steps.
Command:
# sudo xdoctor --version

Example:
admin@node1:~> sudo xdoctor --version
4.8-84.0
  1.2. Log in to the Dell Support site, go directly to this download link, search for xDoctor in the keyword search bar, and click the xDoctor 4.8-84.0 RPM link to download it. To view the release notes, click Release Notes and select Manuals and Documents in the sidebar (they should be downloadable from there).
  1.3. Once the RPM is downloaded, use any remote SCP program to upload the file to the /home/admin directory on the first ECS node.
  1.4. When the upload has completed, log in to the first node of the ECS system over SSH as admin.
  1.5. Upgrade xDoctor on all nodes using the newly distributed version.
Command:
# sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm
 
Example:
admin@ecs-n1:~> sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm
2022-07-04 07:41:49,209: xDoctor_4.8-83.0 - INFO    : xDoctor Upgrader Instance (1:SFTP_ONLY)
2022-07-04 07:41:49,210: xDoctor_4.8-83.0 - INFO    : Local Upgrade (/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm)
2022-07-04 07:41:49,226: xDoctor_4.8-83.0 - INFO    : Current Installed xDoctor version is 4.8-83.0
2022-07-04 07:41:49,242: xDoctor_4.8-83.0 - INFO    : Requested package version is 4.8-84.0
2022-07-04 07:41:49,242: xDoctor_4.8-83.0 - INFO    : Updating xDoctor RPM Package (RPM)
2022-07-04 07:41:49,293: xDoctor_4.8-83.0 - INFO    :  - Distribute package
2022-07-04 07:41:50,759: xDoctor_4.8-83.0 - INFO    :  - Install new rpm package
2022-07-04 07:42:04,401: xDoctor_4.8-83.0 - INFO    : xDoctor successfully updated to version 4.8-84.0
  1.6. If the environment is a multi-rack VDC, you must install the new xDoctor package on the first node of each rack. Run the following command to identify these rack master nodes. In this instance there are four racks, so four rack master nodes are shown.
  1.6.1. Find the rack master nodes.
Command:
# svc_exec -m "ip address show private.4 |grep -w inet"

Example:
admin@ecsnode1~> svc_exec -m "ip address show private.4 |grep -w inet"
svc_exec v1.0.2 (svc_tools v2.1.0)                 Started 2021-12-20 14:03:33
 
Output from node: r1n1                                retval: 0
    inet 169.254.1.1/16 brd 169.254.255.255 scope global private.4
 
Output from node: r2n1                                retval: 0
    inet 169.254.2.1/16 brd 169.254.255.255 scope global private.4
 
Output from node: r3n1                                retval: 0
    inet 169.254.3.1/16 brd 169.254.255.255 scope global private.4
 
Output from node: r4n1                                retval: 0
    inet 169.254.4.1/16 brd 169.254.255.255 scope global private.4
  1.6.2. Copy the package from the first node of the system (R1N1) to the other rack master nodes, as follows:
Example:
admin@ecs-n1:  scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.2.1:/home/admin/
xDoctor4ECS-4.8-84.0.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
admin@ecsnode1~> scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.3.1:/home/admin/
xDoctor4ECS-4.8-84.0.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
admin@ecsnode1~> scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.4.1:/home/admin/
xDoctor4ECS-4.8-84.0.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
admin@ecsnode1~>
  1.6.3. Run the same xDoctor upgrade command as above on each of the rack master nodes identified earlier.
Command:
# sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm
 
  2. Run the pre-checks.
  2.1. Use the svc_dt command to check that the DTs are stable. If the "Unready #" column shows 0, the DTs are stable; go to the next check. If not, wait 15 minutes and check again. If the DTs are still not stable, open a service request with the ECS support team.
Command:
# svc_dt check -b
 
Example:
admin@ecs-n1: svc_dt check -b

svc_dt v1.0.27 (svc_tools v2.4.1)                 Started 2022-06-14 11:34:26

Date                     Total DT       Unknown #      Unready #      RIS Fail #     Dump Fail #    Check type     Time since check   Check successful

2022-06-14 11:34:09      1920           0              0              0              0              AutoCheck      0m 17s             True
2022-06-14 11:32:59      1920           0              0              0              0              AutoCheck      1m 27s             True
2022-06-14 11:31:48      1920           0              0              0              0              AutoCheck      2m 38s             True
2022-06-14 11:30:38      1920           0              0              0              0              AutoCheck      3m 48s             True
2022-06-14 11:29:28      1920           0              0              0              0              AutoCheck      4m 58s             True
2022-06-14 11:28:18      1920           0              0              0              0              AutoCheck      6m 8s              True
2022-06-14 11:27:07      1920           0              0              0              0              AutoCheck      7m 19s             True
2022-06-14 11:25:57      1920           0              0              0              0              AutoCheck      8m 29s             True
2022-06-14 11:24:47      1920           0              0              0              0              AutoCheck      9m 39s             True
2022-06-14 11:23:37      1920           0              0              0              0              AutoCheck      10m 49s            True
  2.2. Use the svc_patch command to verify that all nodes are online. If so, go to the next step. If not, investigate the cause, bring the node back online, and run the check again. If a node cannot be brought online, open a service request with the ECS support team to investigate.
Command:
#/opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
 
Example:
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        n/a                                      (Base release)

Patches that need to be installed:
        CVE-2022-31231_iam-fix                                  (PatchID: 3525)

Files that need to be installed:
        /opt/storageos/conf/iam.object.properties               (from CVE-2022-31231_iam-fix)
        /opt/storageos/lib/storageos-iam.jar                    (from CVE-2022-31231_iam-fix)

The following services need to be restarted:
        dataheadsvc
 
  3. Apply the system patch with the svc_patch tool bundled with xDoctor.
  3.1. Run the svc_patch command and, when prompted to install the patch, type "y" and press Enter. The command can be run on any ECS node.
Command:
# screen -S patchinstall
# unset TMOUT
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install

Example:
Reminder: the output below includes a prompt to continue.
admin@ecs-n1:~> screen -S patchinstall
admin@ecs-n1:~> unset TMOUT
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        n/a                                      (Base release)

Patches that will be installed:
        CVE-2022-31231_iam-fix                                  (PatchID: 3525)

Files that will be installed:
        /opt/storageos/conf/iam.object.properties               (from CVE-2022-31231_iam-fix)
        /opt/storageos/lib/storageos-iam.jar                    (from CVE-2022-31231_iam-fix)

The following services will be restarted:
        dataheadsvc

Patch Type:                                                     Standalone
Number of nodes:                                                5
Number of seconds to wait between restarting node services:     60
Check DT status between node service restarts:                  false

Do you wish to continue (y/n)?y


Distributing files to node 169.254.1.1
        Distributing patch installer to node '169.254.1.1'
Distributing files to node 169.254.1.2
        Distributing patch installer to node '169.254.1.2'
Distributing files to node 169.254.1.3
        Distributing patch installer to node '169.254.1.3'
Distributing files to node 169.254.1.4
        Distributing patch installer to node '169.254.1.4'
Distributing files to node 169.254.1.5
        Distributing patch installer to node '169.254.1.5'


Restarting services on 169.254.1.1
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.2
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.3
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.4
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.5
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE

Patching complete. 
  3.2. Once patching has completed, as in the output above, exit the screen session.
Example:
admin@node1:/> exit
logout

[screen is terminating]
admin@node1:/>
Reminder:
If the PuTTY session is closed unexpectedly during execution, you can reconnect by logging in to the same node again and running the following commands:
 
Command:
# screen -ls
admin@node1:~> screen -ls
There is a screen on:
        113275.pts-0.ecs-n3     (Detached)
1 Socket in /var/run/uscreens/S-admin.
Reconnect to the detached session shown in the previous output:
admin@node1:~> screen -r 113275.pts-0.ecs-n3
 
  4. Confirm that the fix has been applied.
  4.1. The output below is from a system where the fix has been applied.
Command:
#/opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status

Example:
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        CVE-2022-31231_iam-fix                   (PatchID: 3525)        Fix for ECS iam vulnerability CVE-2022-31231
        n/a                                      (Base release)

Patches that need to be installed:

        No files need to be installed.


The following services need to be restarted:
        No services need to be restarted.
  4.2. The output below is from a system where the fix has not been applied.
Example:
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        n/a                                      (Base release)

Patches that need to be installed:
        CVE-2022-31231_iam-fix                                  (PatchID: 3525)

Files that need to be installed:
        /opt/storageos/conf/iam.object.properties               (from CVE-2022-31231_iam-fix)
        /opt/storageos/lib/storageos-iam.jar                    (from CVE-2022-31231_iam-fix)

The following services need to be restarted:
        dataheadsvc


  5. Troubleshooting

  5.1. The patch reports the following error during the pre-check. In this case, contact remote support; support will provide an isolated patch specific to the customer's environment.
Example:
admin@ecs-n1 /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           FAILED
Fatal:  Currently installed version of storageos-iam.jar is unknown.
        This likely means that a custom Isolated Patch is installed.
        Please contact your next level of support for further steps, and
        include this information
        Detected md5sum:  6ec26421d426365ecb2a63d8e0f8ee4f
  5.2. The host cannot be added to the known hosts list while applying the patch.
Example:
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           FAILED

ERROR: Could not execute commands on the object-main container on 169.254.x.x
  Output was 'Failed to add the host to the list of known hosts (/home/admin/.ssh/known_hosts).
:patchtest:'

Patching is unable to continue with unreachable nodes.  To proceed:
 - Resolve problems accessing node(s) from this one.
 - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended).
 - Contact your next level of support for other options or assistance.
Solution:
The likely cause is that /home/admin/.ssh/known_hosts is owned by root, whereas by default it should be owned by admin.
 
Example:
admin@node1:~> ls -l  /home/admin/.ssh/known_hosts
-rw------- 1 root root 1802 Jul 23  2019 /home/admin/.ssh/known_hosts
admin@ecs:~>
 
To resolve this, in another PuTTY session log in to the reported node(s) and run the following command on every reported node to change the file's owner from root to admin:

Command:
#  sudo chown admin:users /home/admin/.ssh/known_hosts
 
Example:
admin@node1:~> sudo chown admin:users /home/admin/.ssh/known_hosts
Now rerun the svc_patch command; it should pass:
admin@node1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install
 
  5.3. Commands cannot be executed on the object-main container on 169.254.x.x because of an incorrect host key in /home/admin/.ssh/known_hosts.
Example:
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           FAILED

ERROR: Could not execute commands on the object-main container on 169.254.x.x
  Output was '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:RcwOsFj7zPA5p5kSeYovF4UlZTm125nLVeCL1zCqOzc.
Please contact your system administrator.
Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/admin/.ssh/known_hosts:14
You can use following command to remove the offending key:
ssh-keygen -R 169.254.x.x -f /home/admin/.ssh/known_hosts
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
:patchtest:'

Patching is unable to continue with unreachable nodes.  To proceed:
 - Resolve problems accessing node(s) from this one.
 - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended).
 - Contact your next level of support for other options or assistance.
 
Solution:
Contact ECS support for the resolution.
 
  5.4. When running the pre-check or applying this patch with xDoctor version 4.8-85.0, you may receive an alert stating that the md5sum for svc_base.py does not match:
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status 
svc_patch Version 2.9.3

Verifying patch bundle consistency                    FAILED

Patch bundle consistency check failed - md5sums for one or more files
in the patch bundle were invalid, or files were not found.

svc_patch will attempt to validate files in the patch using MD5SUMS.bundle, which
is bundled with the patch.

Output from md5sum was:
./lib/libs/svc_base.py: FAILED
md5sum: WARNING: 1 computed checksum did NOT match
 
Solution:
Before applying the patch, run the following commands to update the md5sums:
# sudo sed -i '/svc_base.py/d' /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/MD5SUMS.bundle
# sudo sed -i '/MD5SUMS.bundle/d' /opt/emc/xdoctor/.xdr_chksum
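The verification outputs in step 4 and the failed pre-checks in the troubleshooting section can be triaged mechanically from saved `svc_patch status` text. As an added example (not Dell's svc_patch tooling), the shell function below classifies such text as fix applied, fix not applied, or a named pre-check step that FAILED with its Fatal: detail; the `svc_patch` outputs embedded in it are constructed samples shaped like the listings above.

```shell
#!/bin/sh
# Added example, not part of Dell's svc_patch tooling: classify saved `svc_patch status`
# text into the states this article describes: fix applied, fix not applied, or a
# pre-check step that FAILED (with the Fatal: detail when present).
# The inputs written below are constructed samples shaped like the article's output.
PATCH_NAME="CVE-2022-31231_iam-fix"

# svc_patch_state FILE -> APPLIED | NOT_APPLIED | PRECHECK_FAILED:<step>[:<detail>] | UNKNOWN
svc_patch_state() {
    awk -v patch="$PATCH_NAME" '
        # Keep the first pre-check step that ends in FAILED and the first Fatal: line.
        /FAILED[[:space:]]*$/ && failed == "" { failed = $0; sub(/[[:space:]]+FAILED[[:space:]]*$/, "", failed) }
        /^Fatal:/ && fatal == ""              { fatal = $0;  sub(/^Fatal:[[:space:]]*/, "", fatal) }
        # Track whether the patch name is listed as already installed or as still pending.
        /^Patches\/releases currently installed:/    { section = "installed"; next }
        /^Patches that (need to|will) be installed:/ { section = "pending";   next }
        /^Files that/ || /^The following services/   { section = "" }
        section == "installed" && index($0, patch)   { installed = 1 }
        section == "pending"   && index($0, patch)   { pending = 1 }
        END {
            if (failed != "") {
                out = "PRECHECK_FAILED:" failed
                if (fatal != "") { out = out ":" fatal }
            } else if (installed) { out = "APPLIED" }
            else if (pending)     { out = "NOT_APPLIED" }
            else                  { out = "UNKNOWN" }
            print out
        }' "$1"
}

# Constructed sample: a system where the fix is applied (as in step 4 above).
write_applied_sample() {
    cat > "$1" <<'EOF'
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        CVE-2022-31231_iam-fix                   (PatchID: 3525)        Fix for ECS iam vulnerability CVE-2022-31231
        n/a                                      (Base release)

Patches that need to be installed:
        No files need to be installed.
EOF
}

# Constructed sample: the isolated-patch pre-check failure from the troubleshooting section.
write_isolated_patch_sample() {
    cat > "$1" <<'EOF'
Checking Installed Patches and Dependencies           FAILED
Fatal:  Currently installed version of storageos-iam.jar is unknown.
        This likely means that a custom Isolated Patch is installed.
EOF
}

# Stand-alone demonstration over both constructed samples.
tmp=$(mktemp)
write_applied_sample "$tmp";        echo "applied:  $(svc_patch_state "$tmp")"
write_isolated_patch_sample "$tmp"; echo "isolated: $(svc_patch_state "$tmp")"
rm -f "$tmp"
```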