Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
Solution Type: Predictive Self-Healing Sure Solution

1683606.1 : CVE-2014-0224 Patch Availability Document for Oracle Big Data Appliance

Applies to:

Big Data Appliance Hardware - Version All Versions and later
Big Data Appliance Integrated Software - Version 2.1.0 to 4.0 [Release 2.1 to 4.0]
Linux x86-64

Purpose

This document provides details about affected versions of Oracle Big Data Appliance (BDA) and instructions on how to update OEL with OpenSSL rpms outside of Big Data Appliance updates.

Scope

This document applies to Oracle Big Data Appliance (BDA).

Details

Oracle has released the following El-errata related to OpenSSL:

https://oss.oracle.com/pipermail/el-errata/2014-June/004170.html

Affected BDA Releases

All current releases of BDA V2.* to V2.5 and V3.0.* to V3.0.1 are affected by the CVE-2014-0224 vulnerability.

Instructions to check BDA Release and OS Version

These steps are the same for an HDFS or NoSQL cluster installed on BDA.

1) Log into Node01 of the BDA cluster as the root user.

2) Check the BDA image and OS details by executing the imageinfo command.

a) Sample output for BDA 2.* with OEL6 OS

    # imageinfo
    Big Data Appliance Image Info

    IMAGE_VERSION : 2.*.0
    IMAGE_CREATION_DATE : Thu Mar 20 21:14:56 UTC 2014
    IMAGE_LABEL : BDA_2.*.0_LINUX.X64_RELEASE
    LINUX_VERSION : Oracle Linux Server release 6.4
    KERNEL_VERSION : 2.6.39-400.209.1.el6uek.x86_64
    BDA_RPM_VERSION : bda-2.*.0-1.el6.x86_64
    OFED_VERSION : OFED-IOV-1.5.5-2.0.0088
    JDK_VERSION : jdk-1.7.0_25-fcs.x86_64

OR

b) Sample output for BDA 2.* with OEL5 OS

    # imageinfo
    Big Data Appliance Image Info

    IMAGE_VERSION : 2.*.0
    IMAGE_CREATION_DATE : Mon Nov 18 14:01:20 PST 2013
    IMAGE_LABEL : BDA_2.*.1_LINUX.X64_RELEASE
    IMAGE_VERSION : 2.*.1
    LINUX_VERSION : Oracle Linux Server release 5.8
    KERNEL_VERSION : 2.6.32-200.21.1.el5uek
    BDA_RPM_VERSION : bda-2.*.1-1
    OFED_VERSION : OFED-IOV-1.5.5-1.0.0120
    JDK_VERSION : jdk-1.7.0_25-fcs

3) Check the version of the openssl rpm installed.

    # rpm -qa | grep -i '^openssl'

Note:- dcli can be used to check the openssl rpm release on all nodes in the cluster

    dcli -C "rpm -qa | grep -i '^openssl'"

a) Sample output from OEL6 OS

    # dcli -C "rpm -qa | grep -i '^openssl'"
    <private-ip of node>: openssl-1.0.1e-16.el6_5.7.x86_64
    <private-ip of node>: openssl098e-0.9.8e-17.0.1.el6_2.2.x86_64
    ...

OR

b) Sample output from OEL5 OS

    # dcli -C 'rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\n" | grep "^openssl"'
    <private-ip of node>: openssl-0.9.8e-22.el5_8.4.i686
    <private-ip of node>: openssl-0.9.8e-22.el5_8.4.x86_64
    .........

Note:- Package versions earlier than the package versions shown below are affected.

Download and Install Latest version of OpenSSL rpm in OEL

Download Latest patched version of OpenSSL

Latest openssl-<version>.rpm can be downloaded from

For OEL5, the latest openssl rpms that contain the fix for CVE-2014-0224 vulnerability are

....

Upgrade OpenSSL on BDA Cluster

These steps are the same for an HDFS or NoSQL cluster installed on BDA.

Note:- If more than one cluster is installed on a rack, execute the steps below on all clusters in the rack.

1) Log into Node01 of the BDA cluster as the root user.

2) Depending on the OS on BDA, copy the needed OEL5 or OEL6 rpms to /tmp on node01.

a) Sample output from BDA Cluster with OEL6 OS

    # ls -l /tmp/openssl*
    -rw-r--r-- 1 root root 779168 Jun 17 15:37 /tmp/openssl098e-0.9.8e-18.0.1.el6_5.2.x86_64.rpm
    -rw-r--r-- 1 root root 1578748 Jun 17 15:37 /tmp/openssl-1.0.1e-16.el6_5.14.x86_64.rpm

OR

b) Sample output from BDA Cluster with OEL5 OS

    # ls -l /tmp/openssl*
    -rw-r--r-- 1 root root 1524948 Jun 17 15:37 /tmp/openssl-0.9.8e-27.el5_10.3.i686.rpm
    -rw-r--r-- 1 root root 1525580 Jun 17 15:37 /tmp/openssl-0.9.8e-27.el5_10.3.x86_64.rpm

3) Use dcli to copy the ssl rpm to all nodes in the cluster

a) Commands for OEL6 OS

    dcli -C mkdir /root/rpms
    dcli -C ls -ld /root/rpms
    dcli -C -f /tmp/openssl098e-0.9.8e-18.0.1.el6_5.2.x86_64.rpm -d /root/rpms/
    dcli -C -f /tmp/openssl-1.0.1e-16.el6_5.14.x86_64.rpm -d /root/rpms/
    dcli -C ls -l /root/rpms

Sample output from BDA Cluster with OEL6 OS

    # dcli -C mkdir /root/rpms
    # dcli -C ls -ld /root/rpms
    <private-ip of node>: drwxr-xr-x 2 root root 4096 Jun 17 15:40 /root/rpms
    .....
    # dcli -C -f /tmp/openssl098e-0.9.8e-18.0.1.el6_5.2.x86_64.rpm -d /root/rpms/
    # dcli -C -f /tmp/openssl-1.0.1e-16.el6_5.14.x86_64.rpm -d /root/rpms/
    # dcli -C ls -l /root/rpms
    <private-ip of node>: total 2308
    <private-ip of node>: -rw-r--r-- 1 root root 779168 Jun 17 15:53 openssl098e-0.9.8e-18.0.1.el6_5.2.x86_64.rpm
    <private-ip of node>: -rw-r--r-- 1 root root 1578748 Jun 17 15:53 openssl-1.0.1e-16.el6_5.14.x86_64.rpm
    ...............................

OR

b) Commands for OEL5 OS

    dcli -C mkdir /root/rpms
    dcli -C ls -ld /root/rpms
    dcli -C -f /tmp/openssl-0.9.8e-27.el5_10.3.i686.rpm -d /root/rpms/
    dcli -C -f /tmp/openssl-0.9.8e-27.el5_10.3.x86_64.rpm -d /root/rpms/
    dcli -C ls -l /root/rpms

Sample output from BDA Cluster with OEL5 OS

    # dcli -C mkdir /root/rpms
    # dcli -C ls -ld /root/rpms
    <private-ip of node>: drwxr-xr-x 2 root root 4096 Jun 17 17:14 /root/rpms
    .....
    # dcli -C -f /tmp/openssl-0.9.8e-27.el5_10.3.i686.rpm -d /root/rpms/
    # dcli -C -f /tmp/openssl-0.9.8e-27.el5_10.3.x86_64.rpm -d /root/rpms/
    # dcli -C ls -l /root/rpms
    <private-ip of node>: total 2992
    <private-ip of node>: -rw-r--r-- 1 root root 1524948 Jun 17 17:15 openssl-0.9.8e-27.el5_10.3.i686.rpm
    <private-ip of node>: -rw-r--r-- 1 root root 1525580 Jun 17 17:15 openssl-0.9.8e-27.el5_10.3.x86_64.rpm
    ...............................

4) Upgrade the ssl rpm on all the nodes in the cluster

a) Commands for OEL6 OS

    dcli -C rpm -Uvh /root/rpms/openssl-1.0.1e-16.el6_5.14.x86_64.rpm /root/rpms/openssl098e-0.9.8e-18.0.1.el6_5.2.x86_64.rpm

Sample output

    <private-ip of node>: Preparing... ##################################################
    <private-ip of node>: openssl ##################################################
    <private-ip of node>: openssl098e ##################################################
    .........

OR

b) Commands for OEL5 OS

    dcli -C rpm -Uvh /root/rpms/openssl-0.9.8e-27.el5_10.3.i686.rpm /root/rpms/openssl-0.9.8e-27.el5_10.3.x86_64.rpm

Sample output

    <private-ip of node>: Preparing... ##################################################
    <private-ip of node>: openssl ##################################################
    <private-ip of node>: openssl ##################################################
    .........

Note:- The warning below may be shown during the upgrade of the openssl rpm on OEL5. These warnings are harmless and can be ignored.

    warning: /etc/pki/tls/certs/ca-bundle.crt created as /etc/pki/tls/certs/ca-bundle.crt.rpmnew

Post RPM Upgrade Steps

Verify Openssl Version

Check if the openssl rpm is updated correctly

a) Output for OEL6 OS

    # dcli -C "rpm -qa | grep -i '^openssl'"
    <private-ip of node>: openssl-1.0.1e-16.el6_5.14.x86_64
    <private-ip of node>: openssl098e-0.9.8e-17.0.1.el6_2.2.x86_64
    ...

OR

b) Output for OEL5 OS

    # dcli -C 'rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\n" | grep "^openssl"'
    <private-ip of node>: openssl-0.9.8e-27.el5_10.3.i686
    <private-ip of node>: openssl-0.9.8e-27.el5_10.3.x86_64
    ...

HDFS Cluster Restart

If network encryption is enabled on the HDFS cluster or for any services on the HDFS cluster, then the cluster (or those particular services) should be restarted. To restart the HDFS cluster or particular services, follow the steps below.

1) Log into the Cloudera Manager (CM) UI as the admin user.

CM resides on node03 of the primary rack and can be accessed using http://<node3-name>:7180

2) Start the BDA cluster or just the services needed

a) To restart 'All Services' or the complete cluster

    Services > All Services > Actions > ReStart

b) To restart a specific service

    Services > All Services > Choose the Service to restart