CVE ID:CVE-2022-31231
严重性级别:中
谁应该执行此过程?
戴尔要求升级 xDoctor 和安装修补程序的过程由客户完成。这是最快和最安全的方法,因为它可避免长时间暴露于此漏洞。本知识库文章详细介绍了所有步骤。在遵循此知识库文章的同时,您还可以查看视频指南,该视频指南的链接如下。
过程的影响:
当逐个节点重新启动 dataheadsvc 服务时,预计可能会出现 I/O 超时。应用程序应通过负载平衡器访问群集,并且必须能够处理 I/O 超时。执行此过程时,建议使用维护窗口。
仅 CAS 存储桶例外:
如果系统上的所有存储桶都是下面突出显示的 CAS,则该系统不受此安全漏洞的影响。因此,无需应用修补程序,也不必遵循此 KB。
命令:svc_bucket list
示例:
admin@ecs-n1:~> svc_bucket list svc_bucket v1.0.33 (svc_tools v2.5.1) Started 2022-07-08 08:49:11 Bucket Temp Replication Owner Owner API FS Versioning Failed Bucket Name Namespace Group User VDC Type Enabled Enabled (TSO) cas_bucket region_ns RG1 casuser VDC1 CAS false Disabled False cas_bu region_ns RG1 cas_obj VDC1 CAS false Disabled False test region_ns RG1 test1 VDC1 CAS false Disabled False test_cas region_ns RG1 test_cas VDC1 CAS false Disabled False test_bkt_cas region_ns RG1 user_test VDC1 CAS false Disabled False Friday_cas region_ns RG1 Friday_cas VDC1 CAS false Disabled False
活动需要的时间(大约):
默认情况下,在服务重新启动之间为每个节点设置 60 秒的延迟。虚拟数据中心 (VDC) 中的节点数乘以 60 秒 + 30 分钟(需要的准备、服务稳定和后期检查)。
示例:
48 个节点的 VDC 系统可能需要大约 80 分钟:
60 秒 X 48(VDC 节点数)+ 30 分钟(准备)= 约 80 分钟。
8 个节点的 VDC 系统可能需要大约 40 分钟:
60 秒 X 8(VDC 节点数)+ 30 分钟(准备)= 约 40 分钟。
常见问题 (FAQ):
问:修补程序是 xDoctor 版本的一部分吗?
答:修补程序安装脚本是 xDoctor 版本 4.8-84 及更高版本的一部分。下载 xDoctor 和执行修补程序安装的说明在解决方案步骤中。
问:是否可以并行更新多个 VDC?
答:否,一次在 1 个 VDC 上应用修补程序。
问:如果在运行此过程后升级 ECS,那么是否需要在升级后重新运行此过程?
答:否(如果升级到 DSA-2022-153 中指定的具有永久修复的代码版本)。是(如果升级到此相同 DSA 中未指定的代码版本)。
问:在更换节点、重新映像或扩展之后,是否需要在之前安装修补程序的系统上重新应用该修补程序?
答:否(如果 VDC 是 DSA-2022-153 中指定的具有永久修复的代码版本)。是(如果针对运行此相同 DSA 中未指定的代码版本的 VDC 执行任何这些操作)。如果这些情况需要修补程序,相关戴尔工程师将联系您,以告知需要更新
问:如果我只使用传统用户而不使用 IAM,该怎么办?
答:无论是否仅使用传统用户而不使用 IAM,客户都需要应用修补程序。
问:应该以什么用户身份登录才能执行此知识库文章中的所有命令?
答:管理员
问:svc_patch 是否必须在所有机架上运行或是否必须与专用机器文件一起运行(在 VDC 中有多个机架的情况下)?
答:否(它会自动检测是否存在多个机架,并且在该 VDC 全部机架的所有节点上应用修补程序)。
问:我注意到目标 xDoctor 版本不再是 4.8-84.0。为什么?
答:xDoctor 发布频繁,因此我们始终建议升级到最高发布版本。但是,如果您先前在使用版本 4.8-84.0 时已运行修复,那么系统会得到全面保护,不受漏洞影响,并且无需重新运行。
解决方案摘要:
将 ECS xDoctor 软件升级到可用的最新版本。
admin@node1:~> sudo xdoctor --version 4.8-84.0
admin@ecs-n1:~> sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm 2022-07-04 07:41:49,209: xDoctor_4.8-83.0 - INFO : xDoctor Upgrader Instance (1:SFTP_ONLY) 2022-07-04 07:41:49,210: xDoctor_4.8-83.0 - INFO : Local Upgrade (/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm) 2022-07-04 07:41:49,226: xDoctor_4.8-83.0 - INFO : Current Installed xDoctor version is 4.8-83.0 2022-07-04 07:41:49,242: xDoctor_4.8-83.0 - INFO : Requested package version is 4.8-84.0 2022-07-04 07:41:49,242: xDoctor_4.8-83.0 - INFO : Updating xDoctor RPM Package (RPM) 2022-07-04 07:41:49,293: xDoctor_4.8-83.0 - INFO : - Distribute package 2022-07-04 07:41:50,759: xDoctor_4.8-83.0 - INFO : - Install new rpm package 2022-07-04 07:42:04,401: xDoctor_4.8-83.0 - INFO : xDoctor successfully updated to version 4.8-84.0
admin@ecsnode1~> svc_exec -m "ip address show private.4 |grep -w inet" svc_exec v1.0.2 (svc_tools v2.1.0) Started 2021-12-20 14:03:33 Output from node: r1n1 retval: 0 inet 169.254.1.1/16 brd 169.254.255.255 scope global private.4 Output from node: r2n1 retval: 0 inet 169.254.2.1/16 brd 169.254.255.255 scope global private.4 Output from node: r3n1 retval: 0 inet 169.254.3.1/16 brd 169.254.255.255 scope global private.4 Output from node: r4n1 retval: 0 inet 169.254.4.1/16 brd 169.254.255.255 scope global private.4
admin@ecs-n1: scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.2.1:/home/admin/ xDoctor4ECS-4.8-84.0.noarch.rpm 100% 32MB 31.9MB/s 00:00 admin@ecsnode1~> scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.3.1:/home/admin/ xDoctor4ECS-4.8-84.0.noarch.rpm 100% 32MB 31.9MB/s 00:00 admin@ecsnode1~> scp xDoctor4ECS-4.8-784.0.noarch.rpm 169.254.4.1:/home/admin/ xDoctor4ECS-4.8-84.0.noarch.rpm 100% 32MB 31.9MB/s 00:00 admin@ecsnode1~>
admin@ecs-n1: svc_dt check -b svc_dt v1.0.27 (svc_tools v2.4.1) Started 2022-06-14 11:34:26 Date Total DT Unknown # Unready # RIS Fail # Dump Fail # Check type Time since check Check successful 2022-06-14 11:34:09 1920 0 0 0 0 AutoCheck 0m 17s True 2022-06-14 11:32:59 1920 0 0 0 0 AutoCheck 1m 27s True 2022-06-14 11:31:48 1920 0 0 0 0 AutoCheck 2m 38s True 2022-06-14 11:30:38 1920 0 0 0 0 AutoCheck 3m 48s True 2022-06-14 11:29:28 1920 0 0 0 0 AutoCheck 4m 58s True 2022-06-14 11:28:18 1920 0 0 0 0 AutoCheck 6m 8s True 2022-06-14 11:27:07 1920 0 0 0 0 AutoCheck 7m 19s True 2022-06-14 11:25:57 1920 0 0 0 0 AutoCheck 8m 29s True 2022-06-14 11:24:47 1920 0 0 0 0 AutoCheck 9m 39s True 2022-06-14 11:23:37 1920 0 0 0 0 AutoCheck 10m 49s True
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: n/a (Base release) Patches that need to be installed: CVE-2022-31231_iam-fix (PatchID: 3525) Files that need to be installed: /opt/storageos/conf/iam.object.properties (from CVE-2022-31231_iam-fix) /opt/storageos/lib/storageos-iam.jar (from CVE-2022-31231_iam-fix) The following services need to be restarted: dataheadsvc
admin@ecs-n1:~> screen -S patchinstall admin@ecs-n1:~> unset TMOUT admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: n/a (Base release) Patches that will be installed: CVE-2022-31231_iam-fix (PatchID: 3525) Files that will be installed: /opt/storageos/conf/iam.object.properties (from CVE-2022-31231_iam-fix) /opt/storageos/lib/storageos-iam.jar (from CVE-2022-31231_iam-fix) The following services will be restarted: dataheadsvc Patch Type: Standalone Number of nodes: 5 Number of seconds to wait between restarting node services: 60 Check DT status between node service restarts: false Do you wish to continue (y/n)?y Distributing files to node 169.254.1.1 Distributing patch installer to node '169.254.1.1' Distributing files to node 169.254.1.2 Distributing patch installer to node '169.254.1.2' Distributing files to node 169.254.1.3 Distributing patch installer to node '169.254.1.3' Distributing files to node 169.254.1.4 Distributing patch installer to node '169.254.1.4' Distributing files to node 169.254.1.5 Distributing patch installer to node '169.254.1.5' Restarting services on 169.254.1.1 Restarting dataheadsvc Waiting 60 seconds for services to stabilize...DONE Restarting services on 169.254.1.2 Restarting dataheadsvc Waiting 60 seconds for services to stabilize...DONE Restarting services on 169.254.1.3 Restarting dataheadsvc Waiting 60 seconds for services to stabilize...DONE Restarting services on 169.254.1.4 Restarting dataheadsvc Waiting 60 seconds for services to stabilize...DONE Restarting services on 169.254.1.5 Restarting dataheadsvc Waiting 60 seconds for services to stabilize...DONE Patching complete.
admin@node1:/> exit logout [screen is terminating] admin@node1:/>
admin@node 1:~> screen -ls There is a screen on: 113275.pts-0.ecs-n3 (Detached) 1 Socket in /var/run/uscreens/S-admin.
admin@node1:~> screen -r 113277.pts-0.ecs-n3
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: CVE-2022-31231_iam-fix (PatchID: 3525) Fix for ECS iam vulnerability CVE-2022-31231 n/a (Base release) Patches that need to be installed: No files need to be installed. The following services need to be restarted: No services need to be restarted.
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: n/a (Base release) Patches that need to be installed: CVE-2022-31231_iam-fix (PatchID: 3525) Files that need to be installed: /opt/storageos/conf/iam.object.properties (from CVE-2022-31231_iam-fix) /opt/storageos/lib/storageos-iam.jar (from CVE-2022-31231_iam-fix) The following services need to be restarted: dataheadsvc
admin@ecs-n1 /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies FAILED Fatal: Currently installed version of storageos-iam.jar is unknown. This likely means that a custom Isolated Patch is installed. Please contact your next level of support for further steps, and include this information Detected md5sum: 6ec26421d426365ecb2a63d8e0f8ee4f
svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online FAILED ERROR: Could not execute commands on the object-main container on 169.254.x.x Output was 'Failed to add the host to the list of known hosts (/home/admin/.ssh/known_hosts). :patchtest:' Patching is unable to continue with unreachable nodes. To proceed: - Resolve problems accessing node(s) from this one. - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended). - Contact your next level of support for other options or assistance.
admin@node1:~> ls -l /home/admin/.ssh/known_hosts -rw------- 1 root root 1802 Jul 23 2019 /home/admin/.ssh/known_hosts admin@ecs:~>
admin@node1:~> sudo chown admin:users /home/admin/.ssh/known_hosts
admin@node1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install
svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online FAILED ERROR: Could not execute commands on the object-main container on 169.254.x.x Output was '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:RcwOsFj7zPA5p5kSeYovF4UlZTm125nLVeCL1zCqOzc. Please contact your system administrator. Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /home/admin/.ssh/known_hosts:14 You can use following command to remove the offending key: ssh-keygen -R 169.254.x.x -f /home/admin/.ssh/known_hosts Password authentication is disabled to avoid man-in-the-middle attacks. Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks. :patchtest:' Patching is unable to continue with unreachable nodes. To proceed: - Resolve problems accessing node(s) from this one. - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended). - Contact your next level of support for other options or assistance.
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status svc_patch Version 2.9.3 Verifying patch bundle consistency FAILED Patch bundle consistency check failed - md5sums for one or more files in the patch bundle were invalid, or files were not found. svc_patch will attempt to validate files in the patch using MD5SUMS.bundle, which is bundled with the patch. Output from md5sum was: ./lib/libs/svc_base.py: FAILED md5sum: WARNING: 1 computed checksum did NOT match
# sudo sed -i '/svc_base.py/d' /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/MD5SUMS.bundle # sudo sed -i '/MD5SUMS.bundle/d' /opt/emc/xdoctor/.xdr_chksum