CVE-2015-0235 lab record, cve-2015-0235 lab
All-in-One and linux Server vulnerability analysis and repair! LINUX: 5.X 64 cell storage: 11.2.3.1.1
# Patch packages required for vulnerabilities:
Glibc-2.5-123.0.1.el5_11.1.i686.rpm
Glibc-2.5-123.0.1.el5_11.1.x86_64.rpm
Glibc-common-2.5-123.0.1.el5_11.1.x86_64.rpm
Glibc-devel-2.5-123.0.1.el5_11.1.i386.rpm
Glibc-devel-2.5-123.0.1.el5_11.1.x86_64.rpm
Glibc-headers-2.5-123.0.1.el5_11.1.x86_64.rpm
Glibc-utils-2.5-123.0.1.el5_11.1.x86_64.rpm
Nscd-2.5-123.0.1.el5_11.1.x86_64.rpm
# Vulnerability patch:
Http://public-yum.oracle.com/repo/OracleLinux/OL5/latest/x86_64.
# Vulnerability repair preparation:
[Root @ localhost ~] # Mkdir20150227
[Root @ localhost ~] # Cd 20150227/
/Root/20150227
[Root @ localhost 20150227] # rpm-qa -- queryformat = "% {name}-% {version}-% {release }. % {arch} \ n "| egrep 'glibc | nscd'> bak1
# Detect operating system vulnerabilities:
[Root @ localhost20150227] # uname-r
2.6.18-274. el5
[Root @ localhost20150227] # sh check. sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.5 revision 65
This system is vulnerable to CVE-2015-0235. Update the glibc and ncsd packages on your system using the packages released with the following:
Yum install glibc
[Root @ localhost20150227] #
# Upload Patches
[Root @ localhost20150227] # mkdir/tmp/glibc-update
[Root @ localhost20150227] # cd/tmp/glibc-update
[Root @ localhost glibc-update] # ll
-Rw-r -- 1 root 5647080 Feb 27 2015 glibc-2.5-123.0.1.el5_11.1.i686.rpm
-Rw-r -- 1 root 5007817 Feb 27 2015 glibc-2.5-123.0.1.el5_11.1.x86_64.rpm
-Rw-r -- 1 root 17291271 Feb 27 2015 glibc-common-2.5-123.0.1.el5_11.1.x86_64.rpm
-Rw-r -- 1 root 2164300 Feb 27 2015 glibc-devel-2.5-123.0.1.el5_11.1.i386.rpm
-Rw-r -- 1 root 2547507 Feb 27 2015 glibc-devel-2.5-123.0.1.el5_11.1.x86_64.rpm
-Rw-r -- 1 root 616895 Feb 27 2015 glibc-headers-2.5-123.0.1.el5_11.1.x86_64.rpm
-Rw-r -- 1 root 143204 Feb 27 2015 glibc-utils-2.5-123.0.1.el5_11.1.x86_64.rpm
-Rw-r -- 1 root 182696 Feb 27 2015 nscd-2.5-123.0.1.el5_11.1.x86_64.rpm
# Disable related services Steps to power down or reboot a cell without affecting ASM: Note 1188080.1
1) By default, ASM drops a disk shortly after it is taken offline; however, you can set the DISK_REPAIR_TIME attribute to prevent this operation by specifying a time
Interval to repair the disk and bring it back online. The default DISK_REPAIR_TIME attribute value of 3.6 h shocould be adequate for most environments
(A) To check repair times for all mounted disk groups-log into the ASM instance and perform the following query:
SQL> select dg. name, a. value from v $ asm_diskgroupdg, v $ asm_attribute a where dg. group_number = a. group_number and a. name = 'disk _ repair_time ';
(B) If you need to offline the ASM disks for more than the default time of 3.6 hours then adjust the parameter by issuing the command below as an example:
SQL> ALTER DISKGROUP DATA SET ATTRIBUTE 'disk _ REPAIR_TIME '= '8. 5 ';
2) Next you will need to check if ASM will be OK if the grid disks go OFFLINE. The following command shoshould return 'yes' for the grid disks being listed:
Cellcli-e list griddisk attributes name, asmmodestatus, asmdeactivationoutcome
Cellcli-e alter griddisk all inactive
Cellcli-e list griddisk attributes name where asmdeactivationoutcome! = 'Yes'
[Root @ localhost glibc-update] # rpm-fvl/tmp/glibc-update/* rpm
Warning:/tmp/glibc-update/glibc-2.5-123.0.1.el5_11.1.i686.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159
Preparing... ######################################## ### [100%]
1: glibc-common ##################################### ###### [14%]
2: glibc ####################################### #### [29%]
3: nscd ####################################### #### [43%]
4: glibc-headers ##################################### ###### [57%]
5: glibc-devel ##################################### ###### [71%]
6: glibc ####################################### #### [86%]
7: glibc-devel ##################################### ###### [100%]
# Check. sh:
[Root @ localhost20150227] # sh check. sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.5 revision 123
Not Vulnerable.
[Root @ localhost20150227] # cellcli
CellCLI: Release 11.2.3.2.0-Production on Fri Feb 27 09:31:29 CST 2015
Copyright (c) 2007,201 2, Oracle. All rights reserved.
Cell Efficiency Ratio: 1,000
CellCLI> alter cell shutdown services all
Stopping the RS, CELLSRV, and MS services...
The SHUTDOWN of services was successful.
[Root @ localhost20150227] # shutdown-r-y now
Broadcast message from root (pts/2) (Fri Feb 27 09:33:06 2015 ):
The system is going down for reboot NOW!
[Root @ localhost20150227] #
Note: The operating system must be restarted immediately after patches are installed. Otherwise, application services may become unavailable.
[Root @ localhost20150227] # cellcli
CellCLI: Release 11.2.3.2.0-Production on Fri Feb 27 09:38:06 CST 2015
Copyright (c) 2007,201 2, Oracle. All rights reserved.
Cell Efficiency Ratio: 1,000
CellCLI> alter cell startup services all
Starting the RS, CELLSRV, and MS services...
Getting the state of RS services... running
Starting CELLSRV services...
The STARTUP of CELLSRV services was successful.
Starting MS services...
The startups of MS services was successful.
CellCLI> list cell
Localhost online
CellCLI> list cell detail
Name: localhost
BbuTempThreshold: 60
BbuChargeThreshold: 800
BmcType: absent
CellVersion: OSS_11.2.3.2.0_LINUX.X64_120713
CpuCount: 0
DiagHistoryDays: 7
FanCount: 1/1
FanStatus: normal
FlashCacheMode: WriteThrough
Id: 029e8a73-bcc2-4759-bed1-c596778dbca8
InterconnectCount: 0
IormBoost: 0.0
Ipaddress1: 192.168.175.138/24
KernelVersion: 2.6.18-274. el5
MakeModel: Fake hardware
MetricHistoryDays: 7
OffloadEfficiency: 1,000.0
PowerCount: 1/1
PowerStatus: normal
ReleaseVersion: 11.2.3.2.0
ReleaseTrackingBug: 14212264
Status: online
TemperatureReading: 0.0
TemperatureStatus: normal
UpTime: 0 days, 0: 00
CellsrvStatus: running
MsStatus: running
RsStatus: running
CellCLI> list griddisk
Date_CD_disk01_localhost inactive
Date_CD_disk02_localhost inactive
Date_CD_disk03_localhost inactive
Date_CD_disk04_localhost inactive
Date_CD_disk05_localhost inactive
Date_CD_disk06_localhost inactive
CellCLI> alter griddisk all active
GridDisk date_CD_disk01_localhost successfully altered
GridDisk date_CD_disk02_localhost successfully altered
GridDisk date_CD_disk03_localhost successfully altered
GridDisk date_CD_disk04_localhost successfully altered
GridDisk date_CD_disk05_localhost successfully altered
GridDisk date_CD_disk06_localhost successfully altered
CellCLI> list griddisk
Date_CD_disk01_localhost active
Date_CD_disk02_localhost active
Date_CD_disk03_localhost active
Date_CD_disk04_localhost active
Date_CD_disk05_localhost active
Date_CD_disk06_localhost active
CellCLI>
######################################## ######################################## ######################################## #############
If a rollback is required, it shoshould be done with Oracle Support guidance via an SR.
The information gathered in step 1 above should be provided to the SR.
If patching fails for All-in-One devices, you need to ask for the sr:
Note:
We recommend that you use make_cellboot_usb to create an emergency image. Cd/opt/oracle. SupportTools./make_cellboot_usb
If the CELL installation fails, you can use the backup of the USB flash drive to recover it: however, this experiment cannot be simulated and requires the support of other technical personnel. All-in-One (x2-2) upgrade requires time to conservatively estimate 6 ~ 12 hours.
For other linux database servers, install system patches and restart the system. It takes about one hour to patch the common database server.
[Root @ localhost 20150227] # more check. sh
#! /Bin/bash
Vercomp (){
If [[$1 = $2]
Then
Return 0
Fi
Local IFS =.
Local I ver1 = ($1) ver2 = ($2)
# Fill empty fields in ver1 with zeros
For (I =$ {# ver1 [@]}; I <$ {# ver2 [@]}; I ++ ))
Do
Ver1 [I] = 0
Done
For (I = 0; I <$ {# ver1 [@]}; I ++ ))
Do
If [[-z ${ver2 [I]}]
Then
# Fill empty fields in ver2 with zeros
Ver2 [I] = 0
Fi
If (10 # ${ver1 [I]}> 10 # ${ver2 [I]})
Then
Return 1
Fi
If (10 # ${ver1 [I]} <10 # ${ver2 [I]})
Then
Return 2
Fi
Done
Return 0
}
Glibc_vulnerable_version = 2.17
Glibc_vulnerable_revision = 54
Glibc_vulnerable_version2 = 2.5
Glibc_vulnerable_revision2 = 122
Glibc_vulnerable_version3 = 2.12
Glibc_vulnerable_revision3 = 148
Echo "Vulnerable glibc version <=" $ glibc_vulnerable_version "-" $ glibc_vulnerable_revision
Echo "Vulnerable glibc version <=" $ glibc_vulnerable_version2 "-" $ glibc_vulnerable_revision2
Echo "Vulnerable glibc version <=" $ glibc_vulnerable_version3 "-1." $ glibc_vulnerable_revision3
Glibc_version = $ (rpm-q glibc | awk-F "[-.]" '{print $2 "." $3}' | sort-u)
If [[$ glibc_version = $ glibc_vulnerable_version3]
Then
Glibc_revision = $ (rpm-q glibc | awk-F "[-.]" '{print $5}' | sort-u)
Else
Glibc_revision = $ (rpm-q glibc | awk-F "[-.]" '{print $4}' | sort-u)
Fi
Echo "Detected glibc version" $ glibc_version "revision" $ glibc_revision
Vulnerable_text = $ "This system is vulnerable to CVE-2015-0235. Update the glibc and ncsd packages on your system using the packages released with the following:
Yum install glibc"
If [[$ glibc_version = $ glibc_vulnerable_version]
Then
Vercomp $ glibc_vulnerable_revision $ glibc_revision
Elif [[$ glibc_version = $ glibc_vulnerable_version2]
Then
Vercomp $ glibc_vulnerable_revision2 $ glibc_revision
Elif [[$ glibc_version = $ glibc_vulnerable_version3]
Then
Vercomp $ glibc_vulnerable_revision3 $ glibc_revision
Else
Vercomp $ glibc_vulnerable_version $ glibc_version
Fi
Case $? In
0) echo "$ vulnerable_text ";;
1) echo "$ vulnerable_text ";;
2) echo "Not Vulnerable .";;
Esac
######################################## ######################################## ######################################## ##