Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-79-1940509.1
Update Date:2017-12-06

Solution Type  Predictive Self-Healing Sure

Solution  1940509.1 :   Update SSL RPM and Disable SSLv3 on Oracle Big Data Appliance - SSL Poodle Vulnerability (CVE-2014-3566)  


Related Items
  • Big Data Appliance Integrated Software
  • Big Data Appliance Hardware
Related Categories
  • PLA-Support>Eng Systems>BDA>Big Data Appliance>DB: BDA_EST




In this Document
Purpose
Scope
Details
 Affected BDA Releases
 Instructions to check BDA Release and OS Version
 Instruction to Update OpenSSL on BDA Nodes
 Download Latest Patched Version of OpenSSL
 Upgrade OpenSSL on BDA Cluster
 Instruction to Disable SSLv3 on Hardware Components
 ILOM on BDA Nodes
 NM2-36p and NM2-GW InfiniBand Switches
 Post Installation Steps
 Verify OpenSSL Version
 Hdfs Cluster Restart


Applies to:

Big Data Appliance Integrated Software - Version 2.1.2 and later
Big Data Appliance Hardware - Version Not Applicable and later
Linux x86-64

Purpose

This document provides the steps required to address the SSL POODLE vulnerability (CVE-2014-3566) on Oracle Big Data Appliance (BDA). Background on the vulnerability itself is given in Note 1935500.1.

Scope

This document applies to Oracle Big Data Appliance (BDA).

Details

By default, no BDA component negotiates SSLv3 on its own, but SSLv3 remains enabled on the servers and on the hardware management interfaces and will be used if a client asks for it. CVE-2014-3566 (POODLE) is a padding-oracle weakness in SSLv3's CBC cipher modes: an attacker positioned between a client and a server can force the connection down to SSLv3 and then recover plaintext, such as session cookies, one byte at a time. Because the downgrade is driven by the attacker rather than by the client's preferences, the effective remediation is to remove SSLv3 on the server side: update the OpenSSL RPM on the BDA nodes and disable SSLv3 on the hardware components, as described in the procedures below.

The Oracle Linux security advisories describing these OpenSSL updates are available at:

Affected BDA Releases

BDA releases from V2.* up to and including V4.0 ship an OpenSSL package affected by POODLE (CVE-2014-3566) and need the RPM update below.

BDA V4.1.0 and later already include the updated OpenSSL package on the servers, so the RPM update does not apply to them.

The hardware component steps (ILOM and InfiniBand switches) apply to all BDA releases.

Instructions to check BDA Release and OS Version

These steps are the same for an HDFS or NoSQL cluster installed on BDA.

1) Log into Node01 of the BDA cluster as root user

2) Check BDA image and OS details by executing imageinfo command

a) Sample output for BDA 2.* with OEL6 OS

# imageinfo
Big Data Appliance Image Info

IMAGE_VERSION             : 2.*.0
IMAGE_CREATION_DATE       : Thu Mar 20 21:14:56 UTC 2014
IMAGE_LABEL               : BDA_2.*.0_LINUX.X64_RELEASE
LINUX_VERSION             : Oracle Linux Server release 6.4
KERNEL_VERSION            : 2.6.39-400.209.1.el6uek.x86_64
BDA_RPM_VERSION           : bda-2.*.0-1.el6.x86_64
OFED_VERSION              : OFED-IOV-1.5.5-2.0.0088
JDK_VERSION               : jdk-1.7.0_25-fcs.x86_64
 

OR

b) Sample output for BDA 2.* with OEL5 OS

# imageinfo

Big Data Appliance Image Info

IMAGE_VERSION             : 2.*.1
IMAGE_CREATION_DATE       : Mon Nov 18 14:01:20 PST 2013
IMAGE_LABEL               : BDA_2.*.1_LINUX.X64_RELEASE
LINUX_VERSION             : Oracle Linux Server release 5.8
KERNEL_VERSION            : 2.6.32-200.21.1.el5uek
BDA_RPM_VERSION           : bda-2.*.1-1
OFED_VERSION              : OFED-IOV-1.5.5-1.0.0120
JDK_VERSION               : jdk-1.7.0_25-fcs

3) Check the version of the openssl RPM installed. dcli can be used to check the openssl RPM release on all nodes in the cluster:

For OL6

# dcli -C "rpm -q openssl"

For OL5 (both the i686 and the x86_64 package are installed, so include the architecture in the output)

# dcli -C 'rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\n" | grep "^openssl"'

Note: Package versions earlier than those listed in the 'Download Latest Patched Version of OpenSSL' section below are affected. Compare the version and release fields the way rpm does (segment by segment, numerically where the segments are numbers), not as plain strings; for example release 9.el6 is older than 30.el6_6.2 even though "9" sorts after "3" as text.

Instruction to Update OpenSSL on BDA Nodes

Download Latest Patched Version of OpenSSL

For OL6

openssl-1.0.1e-30.el6_6.2.x86_64.rpm 

For OL5

openssl-0.9.8e-31.el5_11.i686.rpm

openssl-0.9.8e-31.el5_11.x86_64.rpm

The rpms can be downloaded from
Free (Public Yum): http://public-yum.oracle.com/
OR
Paid (ULN): https://linux.oracle.com/

Upgrade OpenSSL on BDA Cluster

These steps are the same for an HDFS or NoSQL cluster installed on BDA.

Note: If more than one cluster is installed on a rack, execute the steps below on every cluster in the rack.

1) Log into Node01 of the BDA cluster as root user

2) Download/Copy the rpms based on OS release to node01 into /tmp

3) Use dcli to copy the ssl rpm to all nodes in the cluster

For OL6

dcli -C mkdir /root/rpms
dcli -C -f /tmp/openssl-1.0.1e-30.el6_6.2.x86_64.rpm -d /root/rpms/openssl-1.0.1e-30.el6_6.2.x86_64.rpm

For OL5

dcli -C mkdir /root/rpms
dcli -C -f /tmp/openssl-0.9.8e-31.el5_11.i686.rpm -d /root/rpms/openssl-0.9.8e-31.el5_11.i686.rpm
dcli -C -f /tmp/openssl-0.9.8e-31.el5_11.x86_64.rpm -d /root/rpms/openssl-0.9.8e-31.el5_11.x86_64.rpm

4) Upgrade the ssl rpm on all the nodes in the cluster

For OL6

dcli -C rpm -Uvh /root/rpms/openssl-1.0.1e-30.el6_6.2.x86_64.rpm

For OL5

dcli -C rpm -Uvh /root/rpms/openssl-0.9.8e-31.el5_11.i686.rpm
dcli -C rpm -Uvh /root/rpms/openssl-0.9.8e-31.el5_11.x86_64.rpm

Sample output

<private-ip of node>: Preparing...                ##################################################
<private-ip of node>: openssl                     ##################################################
.........

Instruction to Disable SSLv3 on Hardware Components

ILOM on BDA Nodes

The ILOM on every BDA node has SSLv3 enabled by default. To disable SSLv3 via the command line interface, connect to each node's ILOM via SSH and run:

-> set /SP/services/https sslv3=disabled

To disable SSLv3 via the web browser interface, connect to the ILOM via a web browser, log in, and navigate to Configuration > Web Server (on earlier ILOM versions) or ILOM Administration > Management Access > Web Server (on later versions). Then clear the SSLv3 checkbox and click Save.

NM2-36p and NM2-GW InfiniBand Switches

The NM2-36p and NM2-GW InfiniBand switch ILOMs also have SSLv3 enabled by default. These switch ILOMs offer no setting to disable SSLv3, so the only available mitigation at present is to disable HTTPS. Because HTTP only redirects to HTTPS, we also recommend disabling HTTP access. Command-line management of the switch over SSH is unaffected.

To disable HTTP and HTTPS access via the command line interface, follow the steps below. Perform them on all 3 InfiniBand switches in every BDA rack.

  1. Connect to the switch's ILOM by logging in to the switch over SSH as the ilom-admin user:

     ssh ilom-admin@<IB_switch_name_or_IP>

  2. Once connected, set the following properties:

     -> set /SP/services/http servicestate=disabled secureredirect=disabled
     -> set /SP/services/https servicestate=disabled
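Neither the node ILOM change nor the switch change above confirms itself, so a practitioner will want to probe each management address afterwards. The script below is an added example written for this note (it is not an Oracle or BDA tool): it opens a TCP connection, sends a bare SSL 3.0 ClientHello offering only CBC cipher suites, and reports whether a ServerHello negotiating version 3.0 comes back. It builds the handshake bytes itself because OpenSSL 1.1.0 and later are compiled without SSLv3, so `openssl s_client -ssl3` is frequently unavailable on a current admin workstation. The hostnames at the bottom are placeholders; pass your rack's ILOM and switch addresses on the command line. After remediation a node ILOM should answer REFUSED or NO_RESPONSE, and an IB switch with HTTPS disabled should answer PORT_CLOSED.

```python
# Added example for this note, not an Oracle tool: raw SSL 3.0 ClientHello probe.
import os
import socket
import struct

SSLV3 = b"\x03\x00"            # SSL 3.0 protocol version (RFC 6101)
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# CBC-mode suites only: these are the ones POODLE's padding oracle applies to.
CBC_SUITES = (0x002F, 0x0035, 0x000A, 0x0033, 0x0039)


def build_sslv3_client_hello(suites=CBC_SUITES) -> bytes:
    """Return one SSL 3.0 record carrying a ClientHello with the given cipher suites."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        SSLV3                                   # client_version = 3.0
        + os.urandom(32)                        # random
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                           # compression_methods: null only
    )                                           # SSLv3 has no extensions block
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([CONTENT_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Decide from the server's first bytes whether it accepted the SSLv3 hello.

    SSLV3_ACCEPTED - a ServerHello negotiating version 3.0 came back (still vulnerable)
    REFUSED        - an alert record (typically protocol_version or handshake_failure)
    NO_RESPONSE    - connection closed or reset with no record (also a refusal)
    UNEXPECTED     - anything else; inspect by hand
    """
    if len(data) < 5:
        return "NO_RESPONSE"
    content_type = data[0]
    if content_type == CONTENT_ALERT:
        return "REFUSED"
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        # record header (5 bytes) + handshake header (4 bytes): server_version sits at offset 9
        return "SSLV3_ACCEPTED" if data[9:11] == SSLV3 else "UNEXPECTED"
    return "UNEXPECTED"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello, and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            try:
                data = sock.recv(4096)
            except (socket.timeout, ConnectionResetError):
                data = b""
    except ConnectionRefusedError:
        return "PORT_CLOSED"    # expected for an IB switch once HTTPS is disabled
    except OSError as exc:
        return f"UNREACHABLE ({exc})"
    return classify_response(data)


if __name__ == "__main__":
    import sys
    # Placeholder names: supply the node ILOM and IB switch addresses of your rack.
    targets = sys.argv[1:] or ["bdanode01-ilom", "bdasw-ib1"]
    for host in targets:
        print(f"{host}: {probe_sslv3(host)}")
```

The probe only completes the first flight of the handshake and then closes the socket; it does not attempt the padding-oracle attack itself, so it is safe to run against production management interfaces.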

Post Installation Steps

Verify OpenSSL Version

Check if the openssl rpm is updated correctly

For OL6

# dcli -C "rpm -q openssl"

For OL5   

# dcli -C 'rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\n" | grep "^openssl"'
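Both the initial check in step 3 above and this verification step come down to the same task: read the dcli output and decide, node by node, whether the installed openssl package is at least the patched build. The script below is an added example written for this note (not part of the BDA software). It parses the "<node>: <package>" lines dcli prints and compares version and release segment by segment, as rpm does, so that a release such as 30.el6 is correctly judged older than 30.el6_6.2 and 9.el6 older than 30.el6_6.2, which a plain string comparison gets wrong. The embedded sample output is constructed (the node addresses and the package mix are made up); when run with OL6 or OL5 as its argument on node01 it executes the dcli command shown in this note and audits the live cluster instead.

```python
# Added example for this note, not an Oracle tool: audit dcli output for unpatched openssl.
import re
import subprocess
import sys

ARCH_SUFFIXES = (".x86_64", ".i686", ".i386", ".noarch")

# Patched (version, release) named in this note, keyed by the OS on the nodes.
REQUIRED_EVR = {
    "OL6": ("1.0.1e", "30.el6_6.2"),
    "OL5": ("0.9.8e", "31.el5_11"),
}

# The dcli commands from this note that list the installed openssl package.
DCLI_CMD = {
    "OL6": 'dcli -C "rpm -q openssl"',
    "OL5": 'dcli -C \'rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\\n" | grep "^openssl"\'',
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version/release strings: -1, 0 or 1, like rpm's rpmvercmp().

    Separators such as '.' and '_' are ignored; numeric segments compare as integers,
    alphabetic ones lexically; a numeric segment is newer than an alphabetic one;
    '~' (pre-release marker) sorts before anything, even the end of the string.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    # Shared segments equal: leftover segments make a string newer, unless they begin with '~'.
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    if len(sb) > len(sa):
        return 1 if sb[len(sa)] == "~" else -1
    return 0


def parse_package(pkg: str):
    """Split 'openssl-1.0.1e-30.el6_6.2.x86_64' into (name, version, release, arch)."""
    arch = ""
    for suffix in ARCH_SUFFIXES:
        if pkg.endswith(suffix):
            arch, pkg = suffix[1:], pkg[: -len(suffix)]
            break
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release, arch


def audit_dcli_output(output: str, os_release: str):
    """Return (node, package, ok) per openssl package; ok is False below the patched build.

    Only the 'openssl' package itself is judged; openssl-devel/openssl-perl lines that the
    OL5 grep also matches are skipped.  rpm -q does not print the epoch, so it is assumed
    equal on both sides (true for these openssl packages).
    """
    required = REQUIRED_EVR[os_release]
    results = []
    for line in output.splitlines():
        if ":" not in line:
            continue
        node, pkg = (part.strip() for part in line.split(":", 1))
        if not pkg.startswith("openssl-"):
            continue
        name, version, release, _arch = parse_package(pkg)
        if name != "openssl":
            continue
        cmp = rpmvercmp(version, required[0]) or rpmvercmp(release, required[1])
        results.append((node, pkg, cmp >= 0))
    return results


def vulnerable_nodes(output: str, os_release: str):
    """Sorted list of nodes with at least one openssl package below the patched build."""
    return sorted({node for node, _pkg, ok in audit_dcli_output(output, os_release) if not ok})


# Constructed dcli output: node addresses and package mix are made up for illustration.
SAMPLE_OL6 = """\
192.168.10.1: openssl-1.0.1e-16.el6_5.7.x86_64
192.168.10.2: openssl-1.0.1e-30.el6_6.2.x86_64
192.168.10.3: openssl-1.0.1e-30.el6.x86_64
"""

if __name__ == "__main__":
    # Usage: run with OL6 or OL5 on node01 to audit the live cluster; no argument uses the sample.
    if len(sys.argv) > 1:
        os_tag = sys.argv[1]
        text = subprocess.run(DCLI_CMD[os_tag], shell=True, capture_output=True,
                              text=True, check=True).stdout
    else:
        os_tag, text = "OL6", SAMPLE_OL6
    for node, pkg, ok in audit_dcli_output(text, os_tag):
        status = "OK" if ok else "VULNERABLE, below " + "-".join(REQUIRED_EVR[os_tag])
        print(f"{node}: {pkg} {status}")
```

On the constructed sample the script flags 192.168.10.1 (release 16.el6_5.7) and 192.168.10.3 (release 30.el6, which lacks the _6.2 errata suffix) and passes 192.168.10.2. Run it before the upgrade to confirm which nodes need the RPM and again afterwards to confirm none remain.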

Hdfs Cluster Restart

Updating the RPM replaces the OpenSSL libraries on disk, but any process that was already running keeps the old library mapped in memory until it is restarted. If network encryption is enabled on the HDFS cluster, or for any service on the HDFS cluster, restart the cluster (or those particular services) so that they pick up the patched library.

To restart the HDFS cluster or particular services, follow the steps below.

1) Log into the Cloudera Manager (CM) UI as the admin user

CM runs on node03 of the primary rack and can be accessed at http://<node3-name>:7180

2) Restart the BDA cluster or just the services needed

a) To restart all services (the complete cluster)

Services > All Services > Actions > Restart

b) To restart a specific service

Services > All Services > choose the service to restart
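The restart advice above rests on a general Linux fact: rpm -U writes the new libssl/libcrypto and unlinks the old files, and any process that had the old copies mapped keeps using them, with the kernel marking those mappings "(deleted)" in /proc/<pid>/maps. The script below is an added example written for this note (not an Oracle or BDA tool) that turns that fact into a check: run on a node, for example through dcli -C, it lists every process still holding a replaced OpenSSL library, which goes beyond the page's HDFS case to any daemon on the node (sshd, httpd, Java services and so on). The embedded maps excerpt is constructed; addresses, inode numbers and the deleted libraries in it are made up.

```python
# Added example for this note, not an Oracle tool: find processes mapping a replaced libssl/libcrypto.
import os

SSL_LIBS = ("libssl.so", "libcrypto.so")
DELETED = " (deleted)"


def stale_ssl_mappings(maps_text: str) -> set:
    """Return paths of OpenSSL libraries in one /proc/<pid>/maps dump that are
    mapped but no longer present on disk, i.e. replaced by the RPM upgrade."""
    stale = set()
    for line in maps_text.splitlines():
        # address perms offset dev inode [pathname]; pathname may contain spaces
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                       # anonymous mapping, no backing file
        pathname = fields[5].strip()
        if not pathname.endswith(DELETED):
            continue
        path = pathname[: -len(DELETED)]
        if os.path.basename(path).startswith(SSL_LIBS):
            stale.add(path)
    return stale


def processes_with_stale_ssl(proc_root: str = "/proc") -> dict:
    """Scan every process under proc_root; map pid -> (command, stale library paths)."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                stale = stale_ssl_mappings(f.read())
            if not stale:
                continue
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                # cmdline is NUL-separated; the first field is the executable
                command = f.read().split(b"\0", 1)[0].decode(errors="replace") or "?"
            result[int(entry)] = (command, stale)
        except OSError:
            continue                       # process exited or is not readable
    return result


# Constructed /proc/<pid>/maps excerpt: addresses, inodes and the deleted libraries are made up.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1e0000 r-xp 00000000 08:02 1317456                    /lib64/libc-2.12.so
7f3a1c3f0000-7f3a1c450000 r-xp 00000000 08:02 1317499                    /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c650000-7f3a1c800000 r-xp 00000000 08:02 1317501                    /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1ca00000-7f3a1ca21000 rw-p 00000000 00:00 0
7f3a1cb00000-7f3a1cb05000 r-xp 00000000 08:02 1318000                    /usr/lib64/libnss3.so (deleted)
"""

if __name__ == "__main__":
    # Intended invocation on a cluster: dcli -C "python /root/stale_ssl.py" (path is a placeholder).
    for pid, (command, libs) in sorted(processes_with_stale_ssl().items()):
        print(f"{pid} {command}: {', '.join(sorted(libs))}")
```

An empty result on every node means the restart has done its job; a non-empty one names the processes (and therefore the services) that still need restarting. Root privileges are needed to read the maps of other users' processes.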


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.