Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
Solution Type: Predictive Self-Healing Sure Solution

1930758.1 : CVE-2014-7169 and CVE-2014-6271 Patch Availability Document for Oracle Big Data Appliance

Applies to:

Big Data Appliance Integrated Software - Version 2.2.1 to 4.0 [Release 2.2 to 4.0]
Big Data Appliance Hardware - Version All Versions and later
Linux x86-64

Purpose

This document provides details about the versions of Oracle Big Data Appliance (BDA) affected by the GNU Bash vulnerability, and instructions on how to update Oracle Linux (OL) with bash rpms outside of Oracle Big Data Appliance (BDA) updates.

Scope

This document applies to Oracle Big Data Appliance (BDA) release.

Details

Oracle has released El-errata related to the publicly disclosed vulnerability affecting GNU Bash. For more details about the GNU Bash vulnerability, please refer to http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html .

The El-errata released by Oracle are:

https://oss.oracle.com/pipermail/el-errata/2014-September/004486.html
https://oss.oracle.com/pipermail/el-errata/2014-September/004485.html

Affected BDA Releases

All current releases of BDA V2.* to V2.6, v3.0.* to V3.1 and v4.0 are affected by the CVE-2014-7169, CVE-2014-6271, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 vulnerabilities.

Instructions to check BDA Release and OS Version

These steps are the same for HDFS or NoSQL Cluster installed on BDA.

1) Log into Node01 of the BDA cluster as root user

2) Check BDA image and OS details by executing imageinfo command

a) Sample output for BDA 4.* with OEL6 OS

    # imageinfo
    Big Data Appliance Image Info
    IMAGE_VERSION : 4.0.0
    LINUX_VERSION : Oracle Linux Server release 6.4
    KERNEL_VERSION : 2.6.39-400.209.1.el6uek.x86_64
    BDA_RPM_VERSION : bda-4.0.0-1.el6.x86_64
    OFED_VERSION : OFED-IOV-1.5.5-2.0.0088
    JDK_VERSION : jdk-1.7.0_65-fcs.x86_64

OR

b) Sample output for BDA 2.* with OEL5 OS

    # imageinfo
    Big Data Appliance Image Info
    IMAGE_VERSION : 2.*.1
    KERNEL_VERSION : 2.6.32-200.21.1.el5uek
    BDA_RPM_VERSION : bda-2.2.1-1
    OFA_RPM_VERSION : ofa-2.6.32-200.21.1.el5uek-1.5.5-4.0.55.4
    JDK_VERSION : jdk-1.6.0_51-fcs

3) Check the version of bash rpm installed.

    # rpm -qa | grep -i bash

Note:- dcli can be used to check the bash rpm release on all nodes in the cluster

    dcli -C "rpm -qa | grep -i bash"

a) Sample output from OEL6 OS

    # dcli -C "rpm -qa | grep -i bash"
    <private-ip of node>: bash-4.1.2-15.el6_4.x86_64
    ...............

OR

b) Sample output from OEL5 OS

    # dcli -C 'rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\n" | grep -i bash'
    <private-ip of node>: bash-3.2-32.el5.x86_64
    ...............

Note:- Package versions earlier than the package versions shown below are affected

Instructions to Install Latest version of bash rpm on BDA

Manually upgrading the rpms on BDA prior to 4.0 is not supported since bda software checks will fail.

Instructions for V2.*/3.* Releases

For BDA releases prior to V4.0, i.e. v3.* and v2.* releases, download and install the one-off patch for Bug 19697630 to update the bash rpm.

Download Patch for V2.*/3.* Releases

To download OL5 patch, click on this link BDA-patch-ol5-3.1.0-19697630.zip
To download OL6 patch, click on this link BDA-patch-ol6-3.1.0-19697630.zip

Prerequisite Checks

1) Execute below command to check if bda.repo exists on all nodes in the BDA Cluster

Instructions to Apply Patch on V2.*/3.* Releases

Below steps need to be executed as root on the first node of the primary rack. The patch upgrades the bash and bda software check rpms but also restarts CDH services, thus downtime is required while applying the patch.

    -rw-r--r-- 1 root root 3729058 Sep 30 10:44 /tmp/BDA-patch-ol5-3.1.0-19697630.zip
    -rw-r--r-- 1 root root 1791129 Sep 30 10:44 /tmp/BDA-patch-ol6-3.1.0-19697630.zip

2) Unzip the patch in /tmp or directory of choice

    # unzip BDA-patch-ol5-3.1.0-19697630.zip
    Archive: /tmp/BDA-patch-ol5-3.1.0-19697630.zip
    creating: BDA-patch-ol5-3.1.0-19697630/
    inflating: BDA-patch-ol5-3.1.0-19697630/BDA-patch-ol5-3.1.0-19697630.run
    inflating: BDA-patch-ol5-3.1.0-19697630/README.txt

For OL6 Release

    # unzip BDA-patch-ol6-3.1.0-19697630.zip
    Archive: /tmp/BDA-patch-ol6-3.1.0-19697630.zip
    creating: BDA-patch-ol6-3.1.0-19697630/
    inflating: BDA-patch-ol6-3.1.0-19697630/BDA-patch-ol6-3.1.0-19697630.run
    inflating: BDA-patch-ol6-3.1.0-19697630/README.txt

3) Patch contents

    # cd BDA-patch-ol5-3.1.0-19697630/
    # ls -l
    total 3736
    -rwxrwxr-x 1 root root 3821156 Sep 30 10:14 BDA-patch-ol5-3.1.0-19697630.run

    # cd BDA-patch-ol6-3.1.0-19697630
    # ls -l
    total 1828
    -rwxrwxr-x 1 root root 1865316 Sep 30 10:11 BDA-patch-ol6-3.1.0-19697630.run
    -rw-rw-r-- 1 root root 249 Sep 30 10:11 README.txt

4) Execute BDA-patch-ol<ver#>-3.1.0-19697630.run command

    # cd BDA-patch-ol5-3.1.0-19697630/
    # ./BDA-patch-ol5-3.1.0-19697630.run
    Big Data Appliance one-off patch 19697630 for v3.1.0 Self-extraction
    Removing existing temporary files
    Generating /tmp/BDA-patch-3.1.0-19697630.tar
    Verifying MD5 sum of /tmp/BDA-patch-3.1.0-19697630.tar
    /tmp/BDA-patch-3.1.0-19697630.tar MD5 checksum matches
    Extracting /tmp/BDA-patch-3.1.0-19697630.tar to /opt/oracle/BDAMammoth/patches/19697630
    Removing temporary files
    Please "cd /opt/oracle/BDAMammoth" before running "./mammoth -p 19697630"

For OL6 Release

    # cd BDA-patch-ol6-3.1.0-19697630
    # ./BDA-patch-ol6-3.1.0-19697630.run
    Big Data Appliance one-off patch 19697630 for v3.1.0 Self-extraction
    Removing existing temporary files
    Generating /tmp/BDA-patch-3.1.0-19697630.tar
    Verifying MD5 sum of /tmp/BDA-patch-3.1.0-19697630.tar
    /tmp/BDA-patch-3.1.0-19697630.tar MD5 checksum matches
    Extracting /tmp/BDA-patch-3.1.0-19697630.tar to /opt/oracle/BDAMammoth/patches/19697630
    Removing temporary files
    Please "cd /opt/oracle/BDAMammoth" before running "./mammoth -p 19697630"

    # cd /opt/oracle/BDAMammoth
    # ./mammoth -p 19697630

i) During patch install process all or few of these passwords are requested depending on the release

a) Oracle OS user

ii) At a high level patch performs below steps

    Executes bdacheckcluster
    ...........
    Step 1: Copying patch scripts into puppet directories
    .......
    Step 5: Applying one off patch
    .......
    Step 9: Copying patch information to all nodes
    .......
    Performs cluster validation checks

iii) If warning/error message is thrown about Hadoop services then this can be ignored. Enter yes to continue with patch install

    ERROR: Errors while validating Hadoop role names.
    ERROR: Please resolve the errors or contact Oracle Support
    Do you want to continue anyway (not recommended) - yes/no ? yes

iv) For some releases of BDA, hang may be noticed during cluster validation checks on Exachk call. To resolve the issue please refer to Doc ID 1931560.1 On Oracle Big Data Appliance, Cluster Validation Check Hangs While Executing Exachk Command

6) Command to check if the patch is applied correctly

    # dcli -C ls -ld /opt/oracle/bda/patches/19697630

Sample output

    <BDAFirstNodeIP>: drwxrwxr-x 4 root root 4096 Sep 30 13:21 /opt/oracle/bda/patches/19697630
    .........
    <BDALastNodeIP>: drwxrwxr-x 4 root root 4096 Sep 30 13:21 /opt/oracle/bda/patches/19697630

Also follow steps in 'Post RPM Upgrade Steps' section to check if bash rpm is updated correctly

Instructions for V4.* Release

For v4.0 release of BDA follow below instructions to manually upgrade the bash rpm.

Note:- Prior to upgrading the rpm ensure all the OL / software packages are valid by executing bdacheckcluster command

Download Latest patched version of bash rpm for V4.* Release

Latest bash-<version>.rpm can be downloaded from

For OEL5, the latest bash rpm that contains the fix for CVE-2014-7169 vulnerability is bash-3.2-33.el5_11.4.x86_64.rpm

Upgrade bash rpm on BDA Cluster for V4.* Release

These steps are the same for a HDFS or NoSQL Cluster installed on BDA.

Note:- If more than one cluster is installed on a rack, then please execute below steps on all clusters in the rack.

1) Log into Node01 of the BDA cluster as root user

2) Depending on the OS on BDA, copy the needed OEL5 or OEL6 rpm's to node01 into /tmp

a) Sample output from BDA Cluster with OEL6 OS

    # ls -l /tmp/bash*
    -rw-r--r-- 1 root root 926336 Sep 29 07:26 /tmp/bash-4.1.2-15.el6_5.2.x86_64.rpm

OR

b) Sample output from BDA Cluster with OEL5 OS

    # ls -l /tmp/bash*
    -rw-r--r-- 1 root root 1901627 Sep 29 07:26 /tmp/bash-3.2-33.el5_11.4.x86_64.rpm

3) Use dcli to copy the bash rpm to all nodes in the cluster

a) Commands for OEL6 OS

    dcli -C mkdir /root/rpms
    dcli -C ls -ld /root/rpms
    dcli -C -f /tmp/bash-4.1.2-15.el6_5.2.x86_64.rpm -d /root/rpms/
    dcli -C ls -l /root/rpms

Sample output from BDA Cluster with OEL6 OS

    # dcli -C mkdir /root/rpms
    # dcli -C ls -ld /root/rpms
    <private-ip of node>: drwxr-xr-x 2 root root 4096 Sep 29 07:29 /root/rpms
    .....
    # dcli -C -f /tmp/bash-4.1.2-15.el6_5.2.x86_64.rpm -d /root/rpms/
    # dcli -C ls -l /root/rpms
    <private-ip of node>: total 908
    <private-ip of node>: -rw-r--r-- 1 root root 926336 Sep 29 07:29 bash-4.1.2-15.el6_5.2.x86_64.rpm
    ...............................

OR

b) Commands for OEL5 OS

    dcli -C mkdir /root/rpms
    dcli -C ls -ld /root/rpms
    dcli -C -f /tmp/bash-3.2-33.el5_11.4.x86_64.rpm -d /root/rpms/
    dcli -C ls -l /root/rpms

Sample output from BDA Cluster with OEL5 OS

    # dcli -C mkdir /root/rpms
    # dcli -C ls -ld /root/rpms
    <private-ip of node>: drwxr-xr-x 2 root root 4096 Sep 29 07:29 /root/rpms
    .....
    # dcli -C -f /tmp/bash-3.2-33.el5_11.4.x86_64.rpm -d /root/rpms/
    # dcli -C ls -l /root/rpms
    <private-ip of node>: total 2992
    <private-ip of node>: -rw-r--r-- 1 root root 1901627 Sep 29 07:26 bash-3.2-33.el5_11.4.x86_64.rpm
    ...............................

4) Upgrade the bash rpm on all the nodes in the cluster

a) Commands for OEL6 OS

    dcli -C rpm -Uvh /root/rpms/bash-4.1.2-15.el6_5.2.x86_64.rpm

Sample output

    <private-ip of node>: Preparing... ##################################################
    <private-ip of node>: bash ##################################################
    ...........

OR

b) Commands for OEL5 OS

    dcli -C rpm -Uvh /root/rpms/bash-3.2-33.el5_11.4.x86_64.rpm

Sample output

    <private-ip of node>: Preparing... ##################################################
    <private-ip of node>: bash ##################################################
    ...........

Post RPM Upgrade Steps

1) Check if the bash rpm is updated correctly

a) Output for OEL6 OS

    # dcli -C "rpm -qa | grep -i bash"
    <private-ip of node>: bash-4.1.2-15.el6_5.2.x86_64
    ...

OR

b) Output for OEL5 OS

    # dcli -C 'rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\n" | grep bash'
    <private-ip of node>: bash-3.2-33.el5_11.4.x86_64
    ...

2) Execute bdacheckcluster command to ensure all the OL / software packages are valid. On BDA CDH cluster, bdacheckcluster command prompts for Cloudera Manager (CM) password

    # bdacheckcluster
    INFO: Logging results to /tmp/bdacheckcluster_<id>/
    Enter CM admin password to enable check for CM services and hosts
    Press ENTER twice to skip CM services and hosts checks
    Enter password:
    Enter password again:
    ...

Attachments

This solution has no attachment
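
The version checks before and after the upgrade can be scripted. The following is an added example, not part of the original document or of Oracle's tooling: it reads dcli-style output and flags nodes whose bash rpm is older than the patched builds this document installs. The function names, the sample addresses and the simplified numeric version comparison are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Oracle code): flag nodes whose bash rpm predates the
# patched builds this document installs. Reads dcli-style lines on stdin:
#   <node>: bash-<version>-<release>.<arch>
FIXED_EL5="3.2-33.el5_11.4"    # OEL5 build named in this document
FIXED_EL6="4.1.2-15.el6_5.2"   # OEL6 build named in this document

check_bash_nodes() {
    awk -v el5="$FIXED_EL5" -v el6="$FIXED_EL6" '
    # Compare two version-release strings by their numeric segments only.
    # Simplified stand-in for rpm version comparison; returns -1, 0 or 1.
    function vercmp(a, b,    x, y, n, m, i, k) {
        gsub(/[^0-9]+/, " ", a); gsub(/[^0-9]+/, " ", b)
        n = split(a, x, " "); m = split(b, y, " ")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            if ((x[i] + 0) < (y[i] + 0)) return -1
            if ((x[i] + 0) > (y[i] + 0)) return 1
        }
        return 0
    }
    # Only the bash package itself, not other packages with bash in the name.
    $2 ~ /^bash-[0-9]/ {
        node = $1; sub(/:$/, "", node)
        vr = $2; sub(/^bash-/, "", vr)
        sub(/\.(x86_64|i[3-6]86|noarch)$/, "", vr)
        if (vr ~ /\.el5/)      fixed = el5
        else if (vr ~ /\.el6/) fixed = el6
        else { print node, "UNKNOWN", vr; next }
        print node, (vercmp(vr, fixed) < 0 ? "VULNERABLE" : "OK"), vr
    }'
}

# Constructed sample input: documentation-range addresses, package strings
# taken from the sample outputs in this document.
sample_dcli_output() {
    cat <<'EOF'
192.0.2.11: bash-4.1.2-15.el6_4.x86_64
192.0.2.12: bash-4.1.2-15.el6_5.2.x86_64
192.0.2.13: bash-3.2-32.el5.x86_64
192.0.2.14: bash-3.2-33.el5_11.4.x86_64
EOF
}

sample_dcli_output | check_bash_nodes
```

On Node01 the input would come from the document's own dcli command piped into check_bash_nodes instead of the constructed sample.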