ID de CVE: CVE-2022-31231
Gravidade: Média
Quem deve executar este procedimento?
A Dell solicita que este procedimento de upgrade do xDoctor e a instalação do patch sejam feitos pelos Clientes. Esse é o método mais rápido e seguro, pois evita a exposição prolongada a essa vulnerabilidade. Todas as etapas estão detalhadas neste artigo da KB. Há também um guia de vídeo que pode ser seguido para acompanhar este artigo da KB que está localizado no link abaixo.
Impacto do procedimento:
tempos de espera excedidos de E/S podem ocorrer enquanto os serviços dataheadsvc são reiniciados nó por nó. Os aplicativos devem acessar o cluster por meio de um balanceador de carga e devem ser capazes de lidar com o tempo de espera excedido de E/S. Aconselhamos deixar uma janela de manutenção ao executar este procedimento.
Buckets somente de CAS. Exceção:
se todos os buckets de um sistema forem exclusivamente CAS destacados abaixo, ele não será afetado por essa vulnerabilidade de segurança. Portanto, não é necessário aplicar o patch e esse KB não precisa ser seguido.
Comando: svc_bucket list
Exemplo:
admin@ecs-n1:~> svc_bucket list svc_bucket v1.0.33 (svc_tools v2.5.1) Started 2022-07-08 08:49:11 Bucket Temp Replication Owner Owner API FS Versioning Failed Bucket Name Namespace Group User VDC Type Enabled Enabled (TSO) cas_bucket region_ns RG1 casuser VDC1 CAS false Disabled False cas_bu region_ns RG1 cas_obj VDC1 CAS false Disabled False test region_ns RG1 test1 VDC1 CAS false Disabled False test_cas region_ns RG1 test_cas VDC1 CAS false Disabled False test_bkt_cas region_ns RG1 user_test VDC1 CAS false Disabled False Friday_cas region_ns RG1 Friday_cas VDC1 CAS false Disabled False
Tempo necessário para a atividade (aproximadamente):
um atraso de 60 segundos é definido por padrão por nó entre as reinicializações do serviço. O número de nós em um VDC (Virtual Data Center, data center virtual) multiplicado por 60 segundos + 30 minutos para preparação, estabilização do serviço e verificações posteriores necessárias.
Exemplos:
um sistema VDC de 48 nós pode levar aproximadamente 80 minutos:
60 segundos X 48 (número de nós do VDC) + 30 minutos (preparação) = 80 minutos aprox.
Um sistema VDC de 8 nós pode levar aproximadamente 40 minutos:
60 segundos X 8 (número de nós do VDC) + 30 minutos (preparação) = 40 minutos aprox.
Perguntas frequentes (FAQ):
P: O patch faz parte da versão do xDoctor?
R: O script de instalação de patch faz parte da versão 4.8-84 e posterior do xDoctor. As instruções para o download do xDoctor e a execução da instalação do patch estão nas etapas de resolução.
P: Posso atualizar vários VDCs em paralelo?
R: Não, aplique o patch em um VDC de cada vez.
P: Se eu fizer upgrade do ECS depois de executar este procedimento, posso executar novamente o procedimento após o upgrade?
R: Não, se estiver fazendo upgrade para uma versão de código especificada no DSA-2022-153 que tenha a correção permanente. Sim, se estiver fazendo upgrade para uma versão de código não especificada neste mesmo DSA.
P: O patch precisa ser reaplicado em um sistema em que foi instalado anteriormente após uma substituição de nó, recriação de imagem ou expansão?
R: Não, se o VDC estiver na versão de código especificada no DSA-2022-153 que tem a correção permanente. Sim, se estiver realizando qualquer uma dessas ações em relação a um VDC executando uma versão de código não especificada neste mesmo DSA. Quando o patch for necessário para esses cenários, o engenheiro da Dell em questão entrará em contato para informar que a atualização é necessária
P: E se eu estiver usando apenas usuários preexistentes e não estiver usando o IAM?
R: Os clientes precisam aplicar o patch, independentemente de usar apenas usuários preexistentes e não do IAM.
P: Com qual usuário você deve fazer login para executar todos os comandos deste artigo da KB?
R: admin
P: O svc_patch precisa ser executado em todos os racks ou com um arquivo MACHINES especializado em que vários racks estão em um VDC?
R: Não, ele detecta automaticamente se existirem vários racks e aplica patches em todos os nós em todos os racks nesse VDC.
P: Percebi que a versão de destino do xDoctor não é mais 4.8-84.0. Por quê?
R: As versões do xDoctor ocorrem com frequência, portanto, é sempre recomendável fazer upgrade para a versão mais recente lançada. No entanto, se você executou anteriormente a correção usando a versão 4.8-84.0, o sistema estará totalmente protegido contra a vulnerabilidade e não precisará ser executado novamente.
Resumo da resolução:
Faça upgrade do software ECS xDoctor para a versão mais recente disponível.
admin@node1:~> sudo xdoctor --version 4.8-84.0
admin@ecs-n1:~> sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm 2022-07-04 07:41:49,209: xDoctor_4.8-83.0 - INFO : xDoctor Upgrader Instance (1:SFTP_ONLY) 2022-07-04 07:41:49,210: xDoctor_4.8-83.0 - INFO : Local Upgrade (/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm) 2022-07-04 07:41:49,226: xDoctor_4.8-83.0 - INFO : Current Installed xDoctor version is 4.8-83.0 2022-07-04 07:41:49,242: xDoctor_4.8-83.0 - INFO : Requested package version is 4.8-84.0 2022-07-04 07:41:49,242: xDoctor_4.8-83.0 - INFO : Updating xDoctor RPM Package (RPM) 2022-07-04 07:41:49,293: xDoctor_4.8-83.0 - INFO : - Distribute package 2022-07-04 07:41:50,759: xDoctor_4.8-83.0 - INFO : - Install new rpm package 2022-07-04 07:42:04,401: xDoctor_4.8-83.0 - INFO : xDoctor successfully updated to version 4.8-84.0
admin@ecsnode1~> svc_exec -m "ip address show private.4 |grep -w inet" svc_exec v1.0.2 (svc_tools v2.1.0) Started 2021-12-20 14:03:33 Output from node: r1n1 retval: 0 inet 169.254.1.1/16 brd 169.254.255.255 scope global private.4 Output from node: r2n1 retval: 0 inet 169.254.2.1/16 brd 169.254.255.255 scope global private.4 Output from node: r3n1 retval: 0 inet 169.254.3.1/16 brd 169.254.255.255 scope global private.4 Output from node: r4n1 retval: 0 inet 169.254.4.1/16 brd 169.254.255.255 scope global private.4
admin@ecs-n1: scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.2.1:/home/admin/ xDoctor4ECS-4.8-84.0.noarch.rpm 100% 32MB 31.9MB/s 00:00 admin@ecsnode1~> scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.3.1:/home/admin/ xDoctor4ECS-4.8-84.0.noarch.rpm 100% 32MB 31.9MB/s 00:00 admin@ecsnode1~> scp xDoctor4ECS-4.8-784.0.noarch.rpm 169.254.4.1:/home/admin/ xDoctor4ECS-4.8-84.0.noarch.rpm 100% 32MB 31.9MB/s 00:00 admin@ecsnode1~>
admin@ecs-n1: svc_dt check -b svc_dt v1.0.27 (svc_tools v2.4.1) Started 2022-06-14 11:34:26 Date Total DT Unknown # Unready # RIS Fail # Dump Fail # Check type Time since check Check successful 2022-06-14 11:34:09 1920 0 0 0 0 AutoCheck 0m 17s True 2022-06-14 11:32:59 1920 0 0 0 0 AutoCheck 1m 27s True 2022-06-14 11:31:48 1920 0 0 0 0 AutoCheck 2m 38s True 2022-06-14 11:30:38 1920 0 0 0 0 AutoCheck 3m 48s True 2022-06-14 11:29:28 1920 0 0 0 0 AutoCheck 4m 58s True 2022-06-14 11:28:18 1920 0 0 0 0 AutoCheck 6m 8s True 2022-06-14 11:27:07 1920 0 0 0 0 AutoCheck 7m 19s True 2022-06-14 11:25:57 1920 0 0 0 0 AutoCheck 8m 29s True 2022-06-14 11:24:47 1920 0 0 0 0 AutoCheck 9m 39s True 2022-06-14 11:23:37 1920 0 0 0 0 AutoCheck 10m 49s True
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: n/a (Base release) Patches that need to be installed: CVE-2022-31231_iam-fix (PatchID: 3525) Files that need to be installed: /opt/storageos/conf/iam.object.properties (from CVE-2022-31231_iam-fix) /opt/storageos/lib/storageos-iam.jar (from CVE-2022-31231_iam-fix) The following services need to be restarted: dataheadsvc
admin@ecs-n1:~> screen -S patchinstall admin@ecs-n1:~> unset TMOUT admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: n/a (Base release) Patches that will be installed: CVE-2022-31231_iam-fix (PatchID: 3525) Files that will be installed: /opt/storageos/conf/iam.object.properties (from CVE-2022-31231_iam-fix) /opt/storageos/lib/storageos-iam.jar (from CVE-2022-31231_iam-fix) The following services will be restarted: dataheadsvc Patch Type: Standalone Number of nodes: 5 Number of seconds to wait between restarting node services: 60 Check DT status between node service restarts: false Do you wish to continue (y/n)?y Distributing files to node 169.254.1.1 Distributing patch installer to node '169.254.1.1' Distributing files to node 169.254.1.2 Distributing patch installer to node '169.254.1.2' Distributing files to node 169.254.1.3 Distributing patch installer to node '169.254.1.3' Distributing files to node 169.254.1.4 Distributing patch installer to node '169.254.1.4' Distributing files to node 169.254.1.5 Distributing patch installer to node '169.254.1.5' Restarting services on 169.254.1.1 Restarting dataheadsvc Waiting 60 seconds for services to stabilize...DONE Restarting services on 169.254.1.2 Restarting dataheadsvc Waiting 60 seconds for services to stabilize...DONE Restarting services on 169.254.1.3 Restarting dataheadsvc Waiting 60 seconds for services to stabilize...DONE Restarting services on 169.254.1.4 Restarting dataheadsvc Waiting 60 seconds for services to stabilize...DONE Restarting services on 169.254.1.5 Restarting dataheadsvc Waiting 60 seconds for services to stabilize...DONE Patching complete.
admin@node1:/> exit logout [screen is terminating] admin@node1:/>
admin@node 1:~> screen -ls There is a screen on: 113275.pts-0.ecs-n3 (Detached) 1 Socket in /var/run/uscreens/S-admin.
admin@node1:~> screen -r 113277.pts-0.ecs-n3
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: CVE-2022-31231_iam-fix (PatchID: 3525) Fix for ECS iam vulnerability CVE-2022-31231 n/a (Base release) Patches that need to be installed: No files need to be installed. The following services need to be restarted: No services need to be restarted.
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: n/a (Base release) Patches that need to be installed: CVE-2022-31231_iam-fix (PatchID: 3525) Files that need to be installed: /opt/storageos/conf/iam.object.properties (from CVE-2022-31231_iam-fix) /opt/storageos/lib/storageos-iam.jar (from CVE-2022-31231_iam-fix) The following services need to be restarted: dataheadsvc
admin@ecs-n1 /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies FAILED Fatal: Currently installed version of storageos-iam.jar is unknown. This likely means that a custom Isolated Patch is installed. Please contact your next level of support for further steps, and include this information Detected md5sum: 6ec26421d426365ecb2a63d8e0f8ee4f
svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online FAILED ERROR: Could not execute commands on the object-main container on 169.254.x.x Output was 'Failed to add the host to the list of known hosts (/home/admin/.ssh/known_hosts). :patchtest:' Patching is unable to continue with unreachable nodes. To proceed: - Resolve problems accessing node(s) from this one. - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended). - Contact your next level of support for other options or assistance.
admin@node1:~> ls -l /home/admin/.ssh/known_hosts -rw------- 1 root root 1802 Jul 23 2019 /home/admin/.ssh/known_hosts admin@ecs:~>
admin@node1:~> sudo chown admin:users /home/admin/.ssh/known_hosts
admin@node1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install
svc_patch Version 2.9.2 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online FAILED ERROR: Could not execute commands on the object-main container on 169.254.x.x Output was '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:RcwOsFj7zPA5p5kSeYovF4UlZTm125nLVeCL1zCqOzc. Please contact your system administrator. Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /home/admin/.ssh/known_hosts:14 You can use following command to remove the offending key: ssh-keygen -R 169.254.x.x -f /home/admin/.ssh/known_hosts Password authentication is disabled to avoid man-in-the-middle attacks. Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks. :patchtest:' Patching is unable to continue with unreachable nodes. To proceed: - Resolve problems accessing node(s) from this one. - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended). - Contact your next level of support for other options or assistance.
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status svc_patch Version 2.9.3 Verifying patch bundle consistency FAILED Patch bundle consistency check failed - md5sums for one or more files in the patch bundle were invalid, or files were not found. svc_patch will attempt to validate files in the patch using MD5SUMS.bundle, which is bundled with the patch. Output from md5sum was: ./lib/libs/svc_base.py: FAILED md5sum: WARNING: 1 computed checksum did NOT match
# sudo sed -i '/svc_base.py/d' /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/MD5SUMS.bundle # sudo sed -i '/MD5SUMS.bundle/d' /opt/emc/xdoctor/.xdr_chksum