Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
Solution Type: Predictive Self-Healing Sure Solution
1662966.1: CVE-2014-0160 ("Heartbleed") Patch Availability Document for Oracle Big Data Appliance
Applies to:
Big Data Appliance Integrated Software - Version 2.5.0 to 2.5.0 [Release 2.5]
Big Data Appliance Hardware - Version Not Applicable and later
Linux x86-64

Purpose
This document provides details about the affected versions of Oracle Big Data Appliance (BDA) and the steps required to resolve issues related to CVE-2014-0160.

Scope
This document applies to Oracle Big Data Appliance (BDA).

Details
Oracle's security and development teams are aware of the CVE-2014-0160 Heartbleed vulnerability, which was reported to affect certain versions of OpenSSL. Oracle is investigating the implications of this issue across the Oracle stack and has published information about it on OTN.

Affected BDA Releases
The BDA v2.5.0 image and Mammoth bundles for Oracle Linux 6 (both new installs and upgrades) downloaded prior to 15-Apr-2014 are affected, as they include openssl 1.0.1e (from Oracle Linux 6.5), which is vulnerable. The BDA v2.5.0 image and bundles currently available on My Oracle Support (MOS) are the corrected bundles; they include the latest openssl-1.0.1e-16.el6_5.7.x86_64 rpm, which contains the fix for the CVE-2014-0160 Heartbleed vulnerability.

BDA v2.5.0 deployments (installs or upgrades) on Oracle Linux 5 are NOT affected.

For links to the latest BDA 2.5 Image and Mammoth bundles for Oracle Big Data Appliance, and for more recent versions, refer to Doc ID 1485745.1.

BDA v2.4.0 and earlier Oracle Linux 6 BDA Base Image releases include openssl 1.0.0 (from Oracle Linux 6.4), which is NOT vulnerable. All later BDA releases, including v3.0.0, are NOT affected by the CVE-2014-0160 Heartbleed vulnerability.

Instructions to Check if your BDA Release is Affected
These steps are the same for an HDFS or NoSQL cluster installed on BDA.

1) Log into Node01 of the BDA cluster as the root user.

2) Check the image details:

# imageinfo
Big Data Appliance Image Info

IMAGE_VERSION : 2.5.0
IMAGE_CREATION_DATE : Thu Mar 20 21:14:56 UTC 2014
IMAGE_LABEL : BDA_2.5.0_LINUX.X64_RELEASE
LINUX_VERSION : Oracle Linux Server release 6.4
KERNEL_VERSION : 2.6.39-400.209.1.el6uek.x86_64
BDA_RPM_VERSION : bda-2.5.0-1.el6.x86_64
OFED_VERSION : OFED-IOV-1.5.5-2.0.0088
JDK_VERSION : jdk-1.7.0_25-fcs.x86_64

3) Check the version of the openssl rpm installed:

# rpm -q openssl
openssl-1.0.1e-16.el6_5.4.x86_64

Version 1.0.1e-16.el6_5.4 is impacted.

Note: dcli can be used to check the openssl rpm release on all nodes in the cluster:

# dcli -C rpm -q openssl
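As an added illustration (not part of the Oracle document), the following POSIX sh helper classifies lines of `dcli -C rpm -q openssl` output against the release names this document gives, so the state of every node in a cluster can be read off in one pass. The node addresses and the openssl 1.0.0 release string in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle document: classify "dcli -C rpm -q openssl"
# output lines using the release names the document gives
# (1.0.1e-16.el6_5.4 vulnerable, 1.0.1e-16.el6_5.7 fixed, 1.0.0 not vulnerable).

# Constructed sample output (addresses and the 1.0.0 release string are made up).
SAMPLE='192.168.10.1: openssl-1.0.1e-16.el6_5.4.x86_64
192.168.10.2: openssl-1.0.1e-16.el6_5.7.x86_64
192.168.10.3: openssl-1.0.0-27.el6.x86_64'

# Classify one "<host>: <rpm name>" line. Prints "<host> <state>";
# returns 1 when the node still carries a vulnerable 1.0.1e build, else 0.
classify_openssl_line() {
    line=$1
    host=${line%%:*}
    pkg=${line#*: }
    case "$pkg" in
        openssl-1.0.0-*)
            state=unaffected ;;            # OL6.4 base images ship 1.0.0
        openssl-1.0.1e-16.el6_5.*)
            rel=${pkg#openssl-1.0.1e-16.el6_5.}
            minor=${rel%.x86_64}           # e.g. "4" or "7"
            if [ "$minor" -ge 7 ]; then
                state=fixed                # el6_5.7 or later carries the fix
            else
                state=vulnerable
            fi ;;
        *)
            state=unknown ;;               # anything else needs a manual look
    esac
    printf '%s %s\n' "$host" "$state"
    if [ "$state" = vulnerable ]; then
        return 1
    fi
    return 0
}

# Read dcli output on stdin and print the number of vulnerable nodes.
count_vulnerable() {
    n=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        if ! classify_openssl_line "$l" >/dev/null; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

printf '%s\n' "$SAMPLE" | count_vulnerable   # prints 1 for the sample above
```

On a real cluster, pipe `dcli -C rpm -q openssl` into `count_vulnerable` instead of the sample; a non-zero count means step 3 has found nodes that still need the upgrade below.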
Instructions to Resolve CVE-2014-0160
Once 1.0.1e-16.el6_5.4 is confirmed to be installed on the BDA cluster, follow the steps below to resolve the CVE-2014-0160 Heartbleed vulnerability.

Download the Latest Patched Version of OpenSSL
openssl-1.0.1e-16.el6_5.7.x86_64.rpm is attached to this document. Also openssl-1.0.1e-16.el6_5.7.x86_64.rpm can be downloaded from

Upgrade OpenSSL on the BDA Cluster
These steps are the same for an HDFS or NoSQL cluster installed on BDA.

Note: If more than one cluster is installed on a rack, execute the steps below on all clusters in the rack.

1) Log into Node01 of the BDA cluster as the root user.

2) Copy openssl-1.0.1e-16.el6_5.7.x86_64.rpm to node01 into /tmp:

# ls -l /tmp/openssl*
-rw-r--r-- 1 root root 1578076 Apr 18 10:29 /tmp/openssl-1.0.1e-16.el6_5.7.x86_64.rpm

3) Use dcli to copy the ssl rpm to all nodes in the cluster:

dcli -C mkdir /root/rpms
dcli -C -f /tmp/openssl-1.0.1e-16.el6_5.7.x86_64.rpm -d /root/rpms/openssl-1.0.1e-16.el6_5.7.x86_64.rpm

Sample output:

# dcli -C mkdir /root/rpms
# dcli -C ls -ld /root/rpms
<private-ip of node>: drwxr-xr-x 2 root root 4096 Apr 18 12:53 /root/rpms
.....
# dcli -C -f /tmp/openssl-1.0.1e-16.el6_5.7.x86_64.rpm -d /root/rpms/openssl-1.0.1e-16.el6_5.7.x86_64.rpm
# dcli -C ls -l /root/rpms
<private-ip of node>: total 1544
<private-ip of node>: -rw-r--r-- 1 root root 1578076 Apr 18 12:54 openssl-1.0.1e-16.el6_5.7.x86_64.rpm

4) Upgrade the ssl rpm on all the nodes in the cluster:

dcli -C rpm -Uvh /root/rpms/openssl-1.0.1e-16.el6_5.7.x86_64.rpm

Sample output:

<private-ip of node>: Preparing... ##################################################
<private-ip of node>: openssl ##################################################
.........

Post Installation Steps

Verify OpenSSL Version
Check that the openssl rpm was updated correctly:

# dcli -C rpm -q openssl
<private-ip of node>: openssl-1.0.1e-16.el6_5.7.x86_64
...

Version 1.0.1e-16.el6_5.7 is the latest and contains the fix for the CVE-2014-0160 Heartbleed vulnerability.

HDFS Cluster Restart
If network encryption is enabled on the HDFS cluster, or for any services on the HDFS cluster, then the cluster (or those particular services) should be restarted. To restart the HDFS cluster or particular services, follow the steps below:

1) Log into the Cloudera Manager (CM) UI as the admin user. CM resides on node03 of the primary rack and can be accessed using http://<node3-name>:7180

2) Start the BDA cluster or just the services needed:
a) To restart 'All Services' or the complete cluster: Services > All Services > Actions > Restart
b) To restart a specific service: Services > All Services > Choose the Service to restart

Attachments
This solution has no attachment