CVE-2015-0235 Lab Record

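Vulnerability analysis and patching for the all-in-one database machine and Linux servers. Linux: 5.X 64-bit; cell storage: 11.2.3.1.1

#Patch packages required for the vulnerability: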

glibc-2.5-123.0.1.el5_11.1.i686.rpm

glibc-2.5-123.0.1.el5_11.1.x86_64.rpm

glibc-common-2.5-123.0.1.el5_11.1.x86_64.rpm

glibc-devel-2.5-123.0.1.el5_11.1.i386.rpm

glibc-devel-2.5-123.0.1.el5_11.1.x86_64.rpm

glibc-headers-2.5-123.0.1.el5_11.1.x86_64.rpm

glibc-utils-2.5-123.0.1.el5_11.1.x86_64.rpm

nscd-2.5-123.0.1.el5_11.1.x86_64.rpm

#Download location for the patch packages:

http://public-yum.oracle.com/repo/OracleLinux/OL5/latest/x86_64/.

#Preparation for patching:

[[email protected] ~]# mkdir 20150227

[[email protected] ~]# cd 20150227/

/root/20150227

[[email protected] 20150227]# rpm -qa --queryformat="%{name}-%{version}-%{release}.%{arch}\n" | egrep 'glibc|nscd' > bak1

#Check whether the operating system is vulnerable:

[[email protected] 20150227]# uname -r

2.6.18-274.el5

[[email protected] 20150227]# sh check.sh

Vulnerable glibc version <= 2.17-54

Vulnerable glibc version <= 2.5-122

Vulnerable glibc version <= 2.12-1.148

Detected glibc version 2.5 revision 65

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>

Update the glibc and ncsd packages on your system using the packages released with the following:

yum install glibc

[[email protected] 20150227]#

#Upload the patches

[[email protected] 20150227]# mkdir /tmp/glibc-update

[[email protected] 20150227]# cd /tmp/glibc-update

[[email protected] glibc-update]# ll

-rw-r--r-- 1 root root  5647080 Feb 27  2015 glibc-2.5-123.0.1.el5_11.1.i686.rpm

-rw-r--r-- 1 root root  5007817 Feb 27  2015 glibc-2.5-123.0.1.el5_11.1.x86_64.rpm

-rw-r--r-- 1 root root 17291271 Feb 27  2015 glibc-common-2.5-123.0.1.el5_11.1.x86_64.rpm

-rw-r--r-- 1 root root  2164300 Feb 27  2015 glibc-devel-2.5-123.0.1.el5_11.1.i386.rpm

-rw-r--r-- 1 root root  2547507 Feb 27  2015 glibc-devel-2.5-123.0.1.el5_11.1.x86_64.rpm

-rw-r--r-- 1 root root   616895 Feb 27  2015 glibc-headers-2.5-123.0.1.el5_11.1.x86_64.rpm

-rw-r--r-- 1 root root   143204 Feb 27  2015 glibc-utils-2.5-123.0.1.el5_11.1.x86_64.rpm

-rw-r--r-- 1 root root   182696 Feb 27  2015 nscd-2.5-123.0.1.el5_11.1.x86_64.rpm

#Shut down the related services. Steps to power down or reboot a cell without affecting ASM: Note 1188080.1

1) By default, ASM drops a disk shortly after it is taken offline; however, you can set the DISK_REPAIR_TIME attribute to prevent this operation by specifying a time interval to repair the disk and bring it back online. The default DISK_REPAIR_TIME attribute value of 3.6h should be adequate for most environments.

(a) To check repair times for all mounted disk groups, log into the ASM instance and perform the following query:

SQL> select dg.name,a.value from v$asm_diskgroup dg, v$asm_attribute a where dg.group_number=a.group_number and a.name='disk_repair_time';

(b) If you need to offline the ASM disks for more than the default time of 3.6 hours, then adjust the parameter by issuing the command below as an example:

SQL> ALTER DISKGROUP DATA SET ATTRIBUTE 'DISK_REPAIR_TIME'='8.5H';

2) Next you will need to check if ASM will be OK if the grid disks go OFFLINE. The following command should return 'Yes' for the grid disks being listed:

cellcli -e list griddisk attributes name,asmmodestatus,asmdeactivationoutcome

cellcli -e alter griddisk all inactive

cellcli -e list griddisk attributes name where asmdeactivationoutcome != 'Yes'

[[email protected] glibc-update]# rpm -Fvh /tmp/glibc-update/*rpm

warning: /tmp/glibc-update/glibc-2.5-123.0.1.el5_11.1.i686.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159

Preparing...                ########################################### [100%]

1:glibc-common           ########################################### [ 14%]

2:glibc                  ########################################### [ 29%]

3:nscd                   ########################################### [ 43%]

4:glibc-headers          ########################################### [ 57%]

5:glibc-devel            ########################################### [ 71%]

6:glibc                  ########################################### [ 86%]

7:glibc-devel            ########################################### [100%]

# check.sh (the file is listed at the end of this page):

[[email protected] 20150227]# sh check.sh

Vulnerable glibc version <= 2.17-54

Vulnerable glibc version <= 2.5-122

Vulnerable glibc version <= 2.12-1.148

Detected glibc version 2.5 revision 123

Not Vulnerable.

[[email protected] 20150227]# cellcli

CellCLI: Release 11.2.3.2.0 - Production on Fri Feb 27 09:31:29 CST 2015

Copyright (c) 2007, 2012, Oracle.  All rights reserved.

Cell Efficiency Ratio: 1,000

CellCLI> alter cell shutdown services all

Stopping the RS, CELLSRV, and MS services...

The SHUTDOWN of services was successful.

[[email protected] 20150227]# shutdown -r -y now

Broadcast message from root (pts/2) (Fri Feb 27 09:33:06 2015):

The system is going down for reboot NOW!

[[email protected] 20150227]#

Note: After the patches are installed, the operating system must be rebooted immediately; otherwise applications may become unusable.
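The reboot also matters for security: a process started before the rpm update keeps the old, vulnerable glibc image mapped until it is restarted. The following added example (not part of the original lab record) lists such processes by reading /proc/PID/maps; the function name `stale_libc_pids` and its `proc_root` argument are assumptions of this example.

```bash
#!/bin/bash
# Added example (not part of the original lab record).
# Lists processes that still map a glibc image that was replaced on disk.
# The proc_root argument is an assumption of this example so the function
# can be pointed at a constructed directory instead of the live /proc.

stale_libc_pids() {
    local proc_root=${1:-/proc} maps dir name
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # When rpm replaces libc, running processes keep the old inode mapped
        # and the kernel appends "(deleted)" to its path in /proc/PID/maps.
        # The pattern covers libc-2.5.so and libc.so.6 but not libcrypto etc.
        if grep -Eq '/libc(-[0-9][^ /]*|\.so[^ /]*) \(deleted\)$' "$maps" 2>/dev/null
        then
            dir=${maps%/maps}
            # "Name:" in status exists on old kernels that lack /proc/PID/comm.
            name=$(awk '/^Name:/ {print $2; exit}' "$dir/status" 2>/dev/null) || name=
            echo "${dir##*/} ${name:-unknown}"
        fi
    done | sort -n
}

# Scan the live system only when asked to: ./stale_libc.sh --scan
if [ "${1:-}" = "--scan" ]; then
    stale_libc_pids /proc
fi
```

An empty result after the reboot confirms that no process is still running on the pre-patch library.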

[[email protected] 20150227]# cellcli

CellCLI: Release 11.2.3.2.0 - Production on Fri Feb 27 09:38:06 CST 2015

Copyright (c) 2007, 2012, Oracle.  All rights reserved.

Cell Efficiency Ratio: 1,000

CellCLI> alter cell startup services all

Starting the RS, CELLSRV, and MS services...

Getting the state of RS services...  running

Starting CELLSRV services...

The STARTUP of CELLSRV services was successful.

Starting MS services...

The STARTUP of MS services was successful.

CellCLI> list cell

localhost       online

CellCLI> list cell detail

name:                   localhost

bbuTempThreshold:       60

bbuChargeThreshold:     800

bmcType:                absent

cellVersion:            OSS_11.2.3.2.0_LINUX.X64_120713

cpuCount:               0

diagHistoryDays:        7

fanCount:               1/1

fanStatus:              normal

flashCacheMode:         WriteThrough

id:                     029e8a73-bcc2-4759-bed1-c596778dbca8

interconnectCount:      0

iormBoost:              0.0

ipaddress1:             192.168.175.138/24

kernelVersion:          2.6.18-274.el5

makeModel:              Fake hardware

metricHistoryDays:      7

offloadEfficiency:      1,000.0

powerCount:             1/1

powerStatus:            normal

releaseVersion:         11.2.3.2.0

releaseTrackingBug:     14212264

status:                 online

temperatureReading:     0.0

temperatureStatus:      normal

upTime:                 0 days, 0:00

cellsrvStatus:          running

msStatus:               running

rsStatus:               running

CellCLI> list griddisk

date_CD_disk01_localhost        inactive

date_CD_disk02_localhost        inactive

date_CD_disk03_localhost        inactive

date_CD_disk04_localhost        inactive

date_CD_disk05_localhost        inactive

date_CD_disk06_localhost        inactive

CellCLI>  alter griddisk all active

GridDisk date_CD_disk01_localhost successfully altered

GridDisk date_CD_disk02_localhost successfully altered

GridDisk date_CD_disk03_localhost successfully altered

GridDisk date_CD_disk04_localhost successfully altered

GridDisk date_CD_disk05_localhost successfully altered

GridDisk date_CD_disk06_localhost successfully altered

CellCLI> list griddisk

date_CD_disk01_localhost        active

date_CD_disk02_localhost        active

date_CD_disk03_localhost        active

date_CD_disk04_localhost        active

date_CD_disk05_localhost        active

date_CD_disk06_localhost        active

CellCLI>

#####################################################################################################################################

If a rollback is required, it should be done with Oracle Support guidance via an SR.

The information gathered in step 1 above should be provided to the SR.

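For patches on the database machine, if patching fails, you need to open an SR for help:

Note:

It is recommended to create a rescue image with make_cellboot_usb:

cd /opt/oracle.SupportTools

./make_cellboot_usb

If the cell installation fails, it can be restored from the backup on the USB flash drive; however, this lab cannot simulate that, and support from other technical staff is required. A conservative estimate for upgrading the database machine (x2-2) is 6 to 12 hours.

For other Linux database servers, simply install the system patches and reboot. Patching an ordinary database server takes about 1 hour.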

[[email protected] 20150227]# more check.sh

#!/bin/bash

# Compare two dotted version strings.
# Returns 0 if $1 == $2, 1 if $1 > $2, 2 if $1 < $2.
vercomp () {
    if [[ $1 == $2 ]]
    then
        return 0
    fi
    local IFS=.
    local i ver1=($1) ver2=($2)
    # fill empty fields in ver1 with zeros
    for ((i=${#ver1[@]}; i<${#ver2[@]}; i++))
    do
        ver1[i]=0
    done
    for ((i=0; i<${#ver1[@]}; i++))
    do
        if [[ -z ${ver2[i]} ]]
        then
            # fill empty fields in ver2 with zeros
            ver2[i]=0
        fi
        if ((10#${ver1[i]} > 10#${ver2[i]}))
        then
            return 1
        fi
        if ((10#${ver1[i]} < 10#${ver2[i]}))
        then
            return 2
        fi
    done
    return 0
}

# Last vulnerable version-revision for each supported glibc branch
glibc_vulnerable_version=2.17
glibc_vulnerable_revision=54
glibc_vulnerable_version2=2.5
glibc_vulnerable_revision2=122
glibc_vulnerable_version3=2.12
glibc_vulnerable_revision3=148

echo "Vulnerable glibc version <=" $glibc_vulnerable_version"-"$glibc_vulnerable_revision
echo "Vulnerable glibc version <=" $glibc_vulnerable_version2"-"$glibc_vulnerable_revision2
echo "Vulnerable glibc version <=" $glibc_vulnerable_version3"-1."$glibc_vulnerable_revision3

# Installed version; sort -u collapses the i686 and x86_64 packages into one line
glibc_version=$(rpm -q glibc | awk -F"[-.]" '{print $2"."$3}' | sort -u)
if [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
    # 2.12 releases look like 2.12-1.148, so the revision is one field further on
    glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $5}' | sort -u)
else
    glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u)
fi
echo "Detected glibc version" $glibc_version" revision "$glibc_revision

vulnerable_text=$"This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Update the glibc and ncsd packages on your system using the packages released with the following:
yum install glibc"

# Compare the last vulnerable revision of the matching branch with the installed one
if [[ $glibc_version == $glibc_vulnerable_version ]]
then
    vercomp $glibc_vulnerable_revision $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version2 ]]
then
    vercomp $glibc_vulnerable_revision2 $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
    vercomp $glibc_vulnerable_revision3 $glibc_revision
else
    vercomp $glibc_vulnerable_version $glibc_version
fi

# 0 or 1: installed revision is at or below the last vulnerable one
case $? in
    0) echo "$vulnerable_text";;
    1) echo "$vulnerable_text";;
    2) echo "Not Vulnerable.";;
esac

##########################################################################################################################

Time: 2024-11-10 18:47:11
