CVE-2015-0235 實驗記錄,cve-2015-0235實驗
一體機&linux 伺服器漏洞分析修補!LINUX: 5.X 64 cell storage: 11.2.3.1.1
#漏洞需要的補丁包:
glibc-2.5-123.0.1.el5_11.1.i686.rpm
glibc-2.5-123.0.1.el5_11.1.x86_64.rpm
glibc-common-2.5-123.0.1.el5_11.1.x86_64.rpm
glibc-devel-2.5-123.0.1.el5_11.1.i386.rpm
glibc-devel-2.5-123.0.1.el5_11.1.x86_64.rpm
glibc-headers-2.5-123.0.1.el5_11.1.x86_64.rpm
glibc-utils-2.5-123.0.1.el5_11.1.x86_64.rpm
nscd-2.5-123.0.1.el5_11.1.x86_64.rpm
#漏洞補丁包:
http://public-yum.oracle.com/repo/OracleLinux/OL5/latest/x86_64/.
#漏洞修補準備:
[root@localhost ~]# mkdir 20150227
[root@localhost ~]# cd 20150227/
/root/20150227
[root@localhost 20150227]# rpm -qa --queryformat="%{name}-%{version}-%{release}.%{arch}\n" | egrep 'glibc|nscd' > bak1
#檢測作業系統是否有漏洞:
[root@localhost 20150227]# uname -r
2.6.18-274.el5
[root@localhost 20150227]# sh check.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.5 revision 65
This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Update the glibc and ncsd packages on your system using the packages released with the following:
yum install glibc
[root@localhost 20150227]#
#上傳補丁
[root@localhost 20150227]# mkdir /tmp/glibc-update
[root@localhost 20150227]# cd /tmp/glibc-update
[root@localhost glibc-update]# ll
-rw-r--r-- 1 root root 5647080 Feb 27 2015 glibc-2.5-123.0.1.el5_11.1.i686.rpm
-rw-r--r-- 1 root root 5007817 Feb 27 2015 glibc-2.5-123.0.1.el5_11.1.x86_64.rpm
-rw-r--r-- 1 root root 17291271 Feb 27 2015 glibc-common-2.5-123.0.1.el5_11.1.x86_64.rpm
-rw-r--r-- 1 root root 2164300 Feb 27 2015 glibc-devel-2.5-123.0.1.el5_11.1.i386.rpm
-rw-r--r-- 1 root root 2547507 Feb 27 2015 glibc-devel-2.5-123.0.1.el5_11.1.x86_64.rpm
-rw-r--r-- 1 root root 616895 Feb 27 2015 glibc-headers-2.5-123.0.1.el5_11.1.x86_64.rpm
-rw-r--r-- 1 root root 143204 Feb 27 2015 glibc-utils-2.5-123.0.1.el5_11.1.x86_64.rpm
-rw-r--r-- 1 root root 182696 Feb 27 2015 nscd-2.5-123.0.1.el5_11.1.x86_64.rpm
#關閉相關服務Steps to power down or reboot a cell without affecting ASM:Note 1188080.1
1) By default, ASM drops a disk shortly after it is taken offline; however, you can set the DISK_REPAIR_TIME attribute to prevent this operation by specifying a time
interval to repair the disk and bring it back online. The default DISK_REPAIR_TIME attribute value of 3.6h should be adequate for most environments
(a)To check repair times for all mounted disk groups - log into the ASM instance and perform the following query:
SQL> select dg.name,a.value from v$asm_diskgroupdg, v$asm_attribute a where dg.group_number=a.group_number and a.name='disk_repair_time';
(b)If you need to offline the ASM disks for more than the default time of 3.6 hours then adjust the parameter by issuing the command below as an example:
SQL> ALTER DISKGROUP DATA SET ATTRIBUTE 'DISK_REPAIR_TIME'='8.5H';
2) Next you will need to check if ASM will be OK if the grid disks go OFFLINE. The following command should return 'Yes' for the grid disks being listed:
cellcli -e list griddisk attributes name,asmmodestatus,asmdeactivationoutcome
cellcli -e alter griddisk all inactive
cellcli -e list griddisk attributes name where asmdeactivationoutcome != 'Yes'
[root@localhost glibc-update]# rpm -Fvh /tmp/glibc-update/*rpm
warning: /tmp/glibc-update/glibc-2.5-123.0.1.el5_11.1.i686.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159
Preparing... ########################################### [100%]
1:glibc-common ########################################### [ 14%]
2:glibc ########################################### [ 29%]
3:nscd ########################################### [ 43%]
4:glibc-headers ########################################### [ 57%]
5:glibc-devel ########################################### [ 71%]
6:glibc ########################################### [ 86%]
7:glibc-devel ########################################### [100%]
# check.sh 該檔案見最下:
[root@localhost 20150227]# sh check.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.5 revision 123
Not Vulnerable.
[root@localhost 20150227]# cellcli
CellCLI: Release 11.2.3.2.0 - Production on Fri Feb 27 09:31:29 CST 2015
Copyright (c) 2007, 2012, Oracle. All rights reserved.
Cell Efficiency Ratio: 1,000
CellCLI> alter cell shutdown services all
Stopping the RS, CELLSRV, and MS services...
The SHUTDOWN of services was successful.
[root@localhost 20150227]# shutdown -r -y now
Broadcast message from root (pts/2) (Fri Feb 27 09:33:06 2015):
The system is going down for reboot NOW!
[root@localhost 20150227]#
注意:打好補丁後必須立即重啟作業系統,否則可能會造成應用業務無法使用。
[root@localhost 20150227]# cellcli
CellCLI: Release 11.2.3.2.0 - Production on Fri Feb 27 09:38:06 CST 2015
Copyright (c) 2007, 2012, Oracle. All rights reserved.
Cell Efficiency Ratio: 1,000
CellCLI> alter cell startup services all
Starting the RS, CELLSRV, and MS services...
Getting the state of RS services... running
Starting CELLSRV services...
The STARTUP of CELLSRV services was successful.
Starting MS services...
The STARTUP of MS services was successful.
CellCLI> list cell
localhost online
CellCLI> list cell detail
name: localhost
bbuTempThreshold: 60
bbuChargeThreshold: 800
bmcType: absent
cellVersion: OSS_11.2.3.2.0_LINUX.X64_120713
cpuCount: 0
diagHistoryDays: 7
fanCount: 1/1
fanStatus: normal
flashCacheMode: WriteThrough
id: 029e8a73-bcc2-4759-bed1-c596778dbca8
interconnectCount: 0
iormBoost: 0.0
ipaddress1: 192.168.175.138/24
kernelVersion: 2.6.18-274.el5
makeModel: Fake hardware
metricHistoryDays: 7
offloadEfficiency: 1,000.0
powerCount: 1/1
powerStatus: normal
releaseVersion: 11.2.3.2.0
releaseTrackingBug: 14212264
status: online
temperatureReading: 0.0
temperatureStatus: normal
upTime: 0 days, 0:00
cellsrvStatus: running
msStatus: running
rsStatus: running
CellCLI> list griddisk
date_CD_disk01_localhost inactive
date_CD_disk02_localhost inactive
date_CD_disk03_localhost inactive
date_CD_disk04_localhost inactive
date_CD_disk05_localhost inactive
date_CD_disk06_localhost inactive
CellCLI> alter griddisk all active
GridDisk date_CD_disk01_localhost successfully altered
GridDisk date_CD_disk02_localhost successfully altered
GridDisk date_CD_disk03_localhost successfully altered
GridDisk date_CD_disk04_localhost successfully altered
GridDisk date_CD_disk05_localhost successfully altered
GridDisk date_CD_disk06_localhost successfully altered
CellCLI> list griddisk
date_CD_disk01_localhost active
date_CD_disk02_localhost active
date_CD_disk03_localhost active
date_CD_disk04_localhost active
date_CD_disk05_localhost active
date_CD_disk06_localhost active
CellCLI>
#####################################################################################################################################
If a rollback is required, it should be done with Oracle Support guidance via an SR.
The information gathered in step 1 above should be provided to the SR.
對於一體機的補丁,如果打補丁失敗,需要求助sr:
註:
建議使用make_cellboot_usb建立應急鏡像。cd /opt/oracle.SupportTools ./make_cellboot_usb
如果CELL 安裝失敗,可以使用USB快閃記憶體磁碟機的備份來恢複:不過這方面實驗無法類比需要其他技術人員支援。一體機(x2-2)升級需要時間保守估計6~12小時。
對於linux 其他資料庫伺服器,直接安裝系統補丁重啟系統就可以了。普通資料庫程式庫伺服器補丁需要1小時左右。
[root@localhost 20150227]# more check.sh
#!/bin/bash
vercomp () {
if [[ $1 == $2 ]]
then
return 0
fi
local IFS=.
local i ver1=($1) ver2=($2)
# fill empty fields in ver1 with zeros
for ((i=${#ver1[@]}; i<${#ver2[@]}; i++))
do
ver1[i]=0
done
for ((i=0; i<${#ver1[@]}; i++))
do
if [[ -z ${ver2[i]} ]]
then
# fill empty fields in ver2 with zeros
ver2[i]=0
fi
if ((10#${ver1[i]} > 10#${ver2[i]}))
then
return 1
fi
if ((10#${ver1[i]} < 10#${ver2[i]}))
then
return 2
fi
done
return 0
}
glibc_vulnerable_version=2.17
glibc_vulnerable_revision=54
glibc_vulnerable_version2=2.5
glibc_vulnerable_revision2=122
glibc_vulnerable_version3=2.12
glibc_vulnerable_revision3=148
echo "Vulnerable glibc version <=" $glibc_vulnerable_version"-"$glibc_vulnerable_revision
echo "Vulnerable glibc version <=" $glibc_vulnerable_version2"-"$glibc_vulnerable_revision2
echo "Vulnerable glibc version <=" $glibc_vulnerable_version3"-1."$glibc_vulnerable_revision3
glibc_version=$(rpm -q glibc | awk -F"[-.]" '{print $2"."$3}' | sort -u)
if [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $5}' | sort -u)
else
glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u)
fi
echo "Detected glibc version" $glibc_version" revision "$glibc_revision
vulnerable_text=$"This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Update the glibc and ncsd packages on your system using the packages released with the following:
yum install glibc"
if [[ $glibc_version == $glibc_vulnerable_version ]]
then
vercomp $glibc_vulnerable_revision $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version2 ]]
then
vercomp $glibc_vulnerable_revision2 $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
vercomp $glibc_vulnerable_revision3 $glibc_revision
else
vercomp $glibc_vulnerable_version $glibc_version
fi
case $? in
0) echo "$vulnerable_text";;
1) echo "$vulnerable_text";;
2) echo "Not Vulnerable.";;
esac
##########################################################################################################################
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
