Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products

ECS:解決 3.5.x/3.6.x 上的 CVE-2022-31231 安全性漏洞的解決方案

Summary: 解決身分識別和存取管理 (IAM) 模組中的存取控制不當。遠端未驗證的攻擊者可能會利用此漏洞,導致取得未經授權資料的讀取存取權。這會影響所有 ECS 3.5.x.x 和 ECS 3.6.x.x 版本。

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

CVE ID:CVE-2022-31231
嚴重程度:中

Cause

身分識別和存取管理 (IAM) 模組中的存取控制不當。

Resolution

應由誰執行此程序?
Dell 要求升級 xDoctor 和安裝修補程式的這個程序由客戶執行。這是最快速、最安全的方法,因為它可避免長時間暴露於此漏洞中。所有步驟詳述在本 KB 中。另外還有一份可遵循的影片指南隨附於此 KB 中,連結位於下方。



程序影響:
當 dataheadsvc 服務按節點逐一重新開機時,預期可能出現 I/O 逾時。應用程式應通過負載均衡器訪問群集,並且必須能夠處理 I/O 超時。執行此程序時建議提供一個維護時段。

僅限 CAS 的容器例外情況:
如果彈性雲伺服器 上的所有 存儲桶都是下面突出顯示的獨佔CAS,則不受此安全漏洞的影響。因此不需要套用修補程式,且不需要遵循此 KB。

命令:

# svc_bucket list

範例:

admin@ecs-n1:~> svc_bucket list
svc_bucket v1.0.33 (svc_tools v2.5.1)                 Started 2022-07-08 08:49:11

                                                                                                                                       Bucket     Temp
                                                                 Replication         Owner            Owner           API     FS       Versioning Failed
Bucket Name                            Namespace                 Group               User             VDC             Type    Enabled  Enabled    (TSO)

cas_bucket                             region_ns                 RG1                 casuser          VDC1            CAS     false    Disabled   False
cas_bu                                 region_ns                 RG1                 cas_obj          VDC1            CAS     false    Disabled   False
test                                   region_ns                 RG1                 test1            VDC1            CAS     false    Disabled   False
test_cas                               region_ns                 RG1                 test_cas         VDC1            CAS     false    Disabled   False
test_bkt_cas                           region_ns                 RG1                 user_test        VDC1            CAS     false    Disabled   False
Friday_cas                             region_ns                 RG1                 Friday_cas       VDC1            CAS     false    Disabled   False


活動所需時間 (大約):
在服務重新開機之間,每個節點預設會設定 60 秒的延遲時間。虛擬數據中心 (VDC) 中的節點數乘以 60 秒 + 30 分鐘進行準備、服務穩定和需要進行後續檢查。

範例:
48 節點 VDC ECS 可能需要大約 80 分鐘:
60 秒 X 48 (VDC 節點數) + 30 分鐘 (準備) = 約

80 分鐘8 節點 VDC ECS 大約需要 40 分鐘:
60 秒 X 8 (VDC 節點數) + 30 分鐘 (準備) = 約


40 分鐘常見問題 (FAQ):
問:此修補程式是 xDoctor 版本的一部分嗎?
答:修補程式安裝指令檔是 xDoctor 版本 4.8-84 及更高版本的一部分。下載 xDoctor 和執行修補程式安裝的指示包含在解決步驟中。

:我可以同時更新多個 VDC 嗎?
答:否,一次修補 1 個 VDC。

問:如果我在執行此程序後升級 ECS,要在升級後重新執行此程序嗎?
答:否,如果升級到 DSA-2022-153 中指定的程式碼版本,當中有永久修正程式。是,如果升級至此相同 DSA 中未指定的程式碼版本。

問:在更換、重建映像或擴充節點後,是否必須將修補程式重新套用至先前安裝過修補程式的 ECS?
一個:否,如果 VDC 是在有永久修正的 DSA-2022-153 中指定的程式碼版本。是,如果針對執行此相同 DSA 中未指定的程式碼版本的 VDC 執行上述任何動作。如果這些情況需要修補程式,將會聯絡 Dell 工程師,告知需要更新。

問:如果我只使用舊使用者而不使用 IAM,該怎麼辦?
一個:無論是否僅使用舊使用者而不是IAM,客戶都必須應用修補程式。

問:我們應該以哪個使用者身份登入才能執行此 KB 中的所有命令?
答:管理員

Q:是否必須在所有機架上執行 svc_patch 或使用其中的 VDC 中有多個機架的專用機器檔案執行?
答:否,它會自動偵測是否存在多個機架,並更新該 VDC 上所有機架上的所有節點。

問:我注意到目標 xDoctor 版本不再是 4.8-84.0。為什麼?
答:xDoctor 版本經常推出,因此建議您一律升級至最高的發行版本。但是,如果我們先前使用 4.8-84.0 執行修正,則 ECS 會受到完整保護,不受漏洞影響,且不需要重新執行。

解決方法摘要:

  1. 將您的 ECS xDoctor 軟體升級至 4.8-84.0 版或更新版本。
  2. 執行前置檢查。
  3. 使用 xDoctor 隨附的svc_patch工具套用修補程式。
  4. 確認已套用修正程式。
  5. 故障診斷。

解決方案步驟:

  1. 將您的 ECS xDoctor 軟體升級至最新可用版本。

  1. 檢查 ECS 上執行的 xDoctor 版本。如果版本為 4.8-84.0 或更新版本,請移至步驟 2「執行前置檢查」。否則,請繼續執行下列步驟。
命令: 
# sudo xdoctor --version
範例:
admin@node1:~> sudo xdoctor --version
4.8-84.0
  1. 登入 Dell 支援網站,直接連線至此下載連結,使用關鍵字搜尋列搜尋 xDoctor,然後按一下 xDoctor 4.8-84.0 RPM 連結以下載。若要檢視版本資訊,請依照版本資訊、選取手冊和側邊欄中的文件下載。
  2. 下載 RPM 後,請使用任何遠端 SCP 程式將檔案上傳至第一個 ECS 節點上的 /home/admin 目錄。
  3. 上傳完成後,請使用管理員將 SSH 連接至 ECS 的第一個節點。
  4. 使用新發佈的版本升級所有節點上的 xDoctor。 
命令:
# sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm
範例:
admin@ecs-n1:~> sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm
2022-07-04 07:41:49,209: xDoctor_4.8-83.0 - INFO    : xDoctor Upgrader Instance (1:SFTP_ONLY)
2022-07-04 07:41:49,210: xDoctor_4.8-83.0 - INFO    : Local Upgrade (/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm)
2022-07-04 07:41:49,226: xDoctor_4.8-83.0 - INFO    : Current Installed xDoctor version is 4.8-83.0
2022-07-04 07:41:49,242: xDoctor_4.8-83.0 - INFO    : Requested package version is 4.8-84.0
2022-07-04 07:41:49,242: xDoctor_4.8-83.0 - INFO    : Updating xDoctor RPM Package (RPM)
2022-07-04 07:41:49,293: xDoctor_4.8-83.0 - INFO    :  - Distribute package
2022-07-04 07:41:50,759: xDoctor_4.8-83.0 - INFO    :  - Install new rpm package
2022-07-04 07:42:04,401: xDoctor_4.8-83.0 - INFO    : xDoctor successfully updated to version 4.8-84.0
  1. 如果環境是多機架 VDC,則必須在每個機架的第一個節點上安裝新的 xDoctor 套件。若要識別這些機架主體,請執行下列命令。在此例項中,有四個機架,因此會醒目提示四個機架主體
  1. 尋找機架主要節點
命令:
# svc_exec -m "ip address show private.4 |grep -w inet"
範例:
admin@ecsnode1~> svc_exec -m "ip address show private.4 |grep -w inet"
svc_exec v1.0.2 (svc_tools v2.1.0)                 Started 2021-12-20 14:03:33
 
Output from node: r1n1                                retval: 0
    inet 169.254.1.1/16 brd 169.254.255.255 scope global private.4
 
Output from node: r2n1                                retval: 0
    inet 169.254.2.1/16 brd 169.254.255.255 scope global private.4
 
Output from node: r3n1                                retval: 0
    inet 169.254.3.1/16 brd 169.254.255.255 scope global private.4
 
Output from node: r4n1                                retval: 0
    inet 169.254.4.1/16 brd 169.254.255.255 scope global private.4
  1. 將套件從 ECS (R1N1) 的第一個節點複製到下列其他機架主體:
範例:
admin@ecs-n1:  scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.2.1:/home/admin/
xDoctor4ECS-4.8-84.0.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
admin@ecsnode1~> scp xDoctor4ECS-4.8-84.0.noarch.rpm 169.254.3.1:/home/admin/
xDoctor4ECS-4.8-84.0.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
admin@ecsnode1~> scp xDoctor4ECS-4.8-784.0.noarch.rpm 169.254.4.1:/home/admin/
xDoctor4ECS-4.8-84.0.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
admin@ecsnode1~>
  1. 根據上述步驟 1,在先前識別的上述每個機架主體上執行相同的 xDoctor 安裝命令。 
命令:
# sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-84.0.noarch.rpm
 
  1. 執行前置檢查
  1. 使用 svc_dt 命令檢查 DT 是否穩定。如果「Unready #」欄顯示 0,則 DT 會保持穩定。如果是,請前往下一個步驟。如果否,請等待 15 分鐘,然後再次檢查。如果 DT 尚未穩定下來,請向 ECS 支援小組開立服務要求。
命令:
# svc_dt check -b
範例:
admin@ecs-n1: svc_dt check -b

svc_dt v1.0.27 (svc_tools v2.4.1)                 Started 2022-06-14 11:34:26

Date                     Total DT       Unknown #      Unready #      RIS Fail #     Dump Fail #    Check type     Time since check   Check successful

2022-06-14 11:34:09      1920           0              0              0              0              AutoCheck      0m 17s             True
2022-06-14 11:32:59      1920           0              0              0              0              AutoCheck      1m 27s             True
2022-06-14 11:31:48      1920           0              0              0              0              AutoCheck      2m 38s             True
2022-06-14 11:30:38      1920           0              0              0              0              AutoCheck      3m 48s             True
2022-06-14 11:29:28      1920           0              0              0              0              AutoCheck      4m 58s             True
2022-06-14 11:28:18      1920           0              0              0              0              AutoCheck      6m 8s              True
2022-06-14 11:27:07      1920           0              0              0              0              AutoCheck      7m 19s             True
2022-06-14 11:25:57      1920           0              0              0              0              AutoCheck      8m 29s             True
2022-06-14 11:24:47      1920           0              0              0              0              AutoCheck      9m 39s             True
2022-06-14 11:23:37      1920           0              0              0              0              AutoCheck      10m 49s            True
  1. 使用 svc_patch 命令驗證所有節點是否處於連線狀態。如果是,請前往下一個步驟。如果否,請調查原因,使它重新連線,然後再次執行檢查。如果無法將節點連線,請向 ECS 支援小組開立服務要求以進行調查。
命令:
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
範例:
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        n/a                                      (Base release)

Patches that need to be installed:
        CVE-2022-31231_iam-fix                                  (PatchID: 3525)

Files that need to be installed:
        /opt/storageos/conf/iam.object.properties               (from CVE-2022-31231_iam-fix)
        /opt/storageos/lib/storageos-iam.jar                    (from CVE-2022-31231_iam-fix)

The following services need to be restarted:
        dataheadsvc
 
  1. 使用 xDoctor 隨附的svc_patch工具套用修補程式。
  1. 執行 svc_patch 命令,輸入「y」,然後在系統提示您安裝修補程式時按下「Enter」鍵。此命令可在任何 ECS 節點上執行。 
命令:
# screen -S patchinstall
# unset TMOUT
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install
範例:
注意:以下輸出中有一個要繼續進行的提示。
admin@ecs-n1:~> screen -S patchinstall
admin@ecs-n1:~> unset TMOUT
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        n/a                                      (Base release)

Patches that will be installed:
        CVE-2022-31231_iam-fix                                  (PatchID: 3525)

Files that will be installed:
        /opt/storageos/conf/iam.object.properties               (from CVE-2022-31231_iam-fix)
        /opt/storageos/lib/storageos-iam.jar                    (from CVE-2022-31231_iam-fix)

The following services will be restarted:
        dataheadsvc

Patch Type:                                                     Standalone
Number of nodes:                                                5
Number of seconds to wait between restarting node services:     60
Check DT status between node service restarts:                  false

Do you wish to continue (y/n)?y


Distributing files to node 169.254.1.1
        Distributing patch installer to node '169.254.1.1'
Distributing files to node 169.254.1.2
        Distributing patch installer to node '169.254.1.2'
Distributing files to node 169.254.1.3
        Distributing patch installer to node '169.254.1.3'
Distributing files to node 169.254.1.4
        Distributing patch installer to node '169.254.1.4'
Distributing files to node 169.254.1.5
        Distributing patch installer to node '169.254.1.5'


Restarting services on 169.254.1.1
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.2
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.3
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.4
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE
Restarting services on 169.254.1.5
        Restarting dataheadsvc
        Waiting 60 seconds for services to stabilize...DONE

Patching complete. 
  1. 依上述輸出完成更新時,結束螢幕工作階段。
範例:
admin@node1:/> exit
logout

[screen is terminating]
admin@node1:/>
注意:如果我們不小心關閉了 PuTTY 工作階段,請再次登入同一個節點並執行以下命令以重新連接。
 
命令:
admin@node 1:~> screen -ls
There is a screen on:
        113275.pts-0.ecs-n3     (Detached)
1 Socket in /var/run/uscreens/S-admin.
重新連接至自先前輸出中分離的工作階段。
admin@node1:~> screen -r 113277.pts-0.ecs-n3
 
  1. 確認已套用修正程式。
  1. 以下輸出來自已套用修正的 ECS。
命令:
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
範例:
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        CVE-2022-31231_iam-fix                   (PatchID: 3525)        Fix for ECS iam vulnerability CVE-2022-31231
        n/a                                      (Base release)

Patches that need to be installed:

        No files need to be installed.


The following services need to be restarted:
        No services need to be restarted.
  1. 以下輸出來自尚未套用修正的 ECS。
範例: 
admin@ecs-n1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           DONE

Patches/releases currently installed:
        n/a                                      (Base release)

Patches that need to be installed:
        CVE-2022-31231_iam-fix                                  (PatchID: 3525)

Files that need to be installed:
        /opt/storageos/conf/iam.object.properties               (from CVE-2022-31231_iam-fix)
        /opt/storageos/lib/storageos-iam.jar                    (from CVE-2022-31231_iam-fix)

The following services need to be restarted:
        dataheadsvc


故障診斷

  1. 進行預先檢查時,修補程式報告以下錯誤。在此情況下,請聯絡遠端支援,其將為客戶提供特定環境的隔離修補程式
範例: 
admin@ecs-n1 /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           DONE
Checking Installed Patches and Dependencies           FAILED
Fatal:  Currently installed version of storageos-iam.jar is unknown.
        This likely means that a custom Isolated Patch is installed.
        Please contact your next level of support for further steps, and
        include this information
        Detected md5sum:  6ec26421d426365ecb2a63d8e0f8ee4f
  1. 套用修補程式時無法將主機新增至已知主機的清單。
範例: 
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           FAILED

ERROR: Could not execute commands on the object-main container on 169.254.x.x
  Output was 'Failed to add the host to the list of known hosts (/home/admin/.ssh/known_hosts).
:patchtest:'

Patching is unable to continue with unreachable nodes.  To proceed:
 - Resolve problems accessing node(s) from this one.
 - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended).
 - Contact your next level of support for other options or assistance.
解決方案:
原因可能是檔案 /home/admin/.ssh/known_hosts 的使用者是 root,預設為系統管理員。 
 
範例: 
admin@node1:~> ls -l  /home/admin/.ssh/known_hosts
-rw------- 1 root root 1802 Jul 23  2019 /home/admin/.ssh/known_hosts
admin@ecs:~>
 
若要解決此問題,請透過 PuTTY 登入報告的節點,然後在每個節點上使用以下命令,將使用者從根切換為管理員:

命令:
#  sudo chown admin:users /home/admin/.ssh/known_hosts
範例:
admin@node1:~> sudo chown admin:users /home/admin/.ssh/known_hosts
 現在再重新執行 svc_patch 命令,它應該會通過
admin@node1:~> /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch install
 
  1. 由於 /home/admin/.ssh/known_hosts 中的主機金鑰不正確,因此無法在 169.254.x.x 的物件主容器上執行命令。
範例:
svc_patch Version 2.9.2

Verifying patch bundle consistency                    DONE
Detecting nodes in current VDC                        DONE
Reading in patch details (1 of 2)                     DONE
Reading in patch details (2 of 2)                     DONE
Validating nodes are online                           FAILED

ERROR: Could not execute commands on the object-main container on 169.254.x.x
  Output was '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:RcwOsFj7zPA5p5kSeYovF4UlZTm125nLVeCL1zCqOzc.
Please contact your system administrator.
Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/admin/.ssh/known_hosts:14
You can use following command to remove the offending key:
ssh-keygen -R 169.254.x.x -f /home/admin/.ssh/known_hosts
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
:patchtest:'

Patching is unable to continue with unreachable nodes.  To proceed:
 - Resolve problems accessing node(s) from this one.
 - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended).
 - Contact your next level of support for other options or assistance.
 
解決方案:
請聯絡 ECS 支援以取得解決方案。

 

  1. 在預先檢查中使用 xDoctor 4.8-85.0 版或套用此修補程式時,我們可能會收到警示,指出 md5sum 與 svc_base.py 不相符:
# /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/svc_patch status 
svc_patch Version 2.9.3

Verifying patch bundle consistency                    FAILED

Patch bundle consistency check failed - md5sums for one or more files
in the patch bundle were invalid, or files were not found.

svc_patch will attempt to validate files in the patch using MD5SUMS.bundle, which
is bundled with the patch.

Output from md5sum was:
./lib/libs/svc_base.py: FAILED
md5sum: WARNING: 1 computed checksum did NOT match
 
  
解決方案:
在套用修補程式更新 md5sum 之前,請執行以下命令:
# sudo sed -i '/svc_base.py/d' /opt/emc/xdoctor/patches/CVE-2022-31231_iam-fix/MD5SUMS.bundle
# sudo sed -i '/MD5SUMS.bundle/d' /opt/emc/xdoctor/.xdr_chksum
Article Properties
Article Number: 000200962
Article Type: Solution
Last Modified: 21 Oct 2024
Version:  25
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.