Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
Solution Type: Technical Instruction Sure Solution
Doc ID 2195990.1: How To Address Security Scan Findings on an Oracle Database Appliance (ODA)

Created from SR 3-13140726351

Applies to:
Oracle Database Appliance X4-2 - Version All Versions to All Versions [Release All Releases]
Oracle Database Appliance X3-2 - Version All Versions to All Versions [Release All Releases]
Oracle Database Appliance X6-2 HA Hardware - Version All Versions to All Versions [Release All Releases]
Oracle Database Appliance X5-2 - Version All Versions to All Versions [Release All Releases]
Linux x86-64

Goal
The goal of this document is to assist in determining whether one or more CVEs identified by a security vulnerability scan apply to an Oracle Database Appliance (ODA).
This document is for ODA engineered systems only. For Exadata and SuperCluster engineered systems, refer to Doc ID 2182530.1.
Solution

Background: CVE stands for Common Vulnerabilities and Exposures. The CVE system provides a reference method for publicly known information-security vulnerabilities and exposures. The National Cybersecurity federally funded research and development center, owned by The MITRE Corporation, maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security. When a CVE is published, all of the software affected by it will be patched to fix the vulnerability. This will result in one or more new updated packages for the affected software. In the case of Oracle Linux, the OS used by ODAs, patches are released via an Enterprise Linux Security Advisory (aka ELSA). The ELSAs provide details on which Linux packages need to be updated to fix the vulnerability covered.

ORACLE SUPPORT ENGINEERS
If a report contains a vulnerability with no associated CVE or ELSA, work with your security team to research the vulnerability to find any CVEs associated with it.
Vulnerability Resolution
Option 2:
1. If a CVE is given for the vulnerability, go to step 2. If an ELSA is given for the vulnerability, go to step 6. If no CVE or ELSA is given, go to step 10.
2. Open Doc ID 2115814.1 and search for the CVE. If the CVE is found in the document, apply the fix listed then go to step 11. If the CVE is not found in the document, go to the next step.
3. Go to the following link and determine the ELSA that corresponds to the CVE: http://linux.oracle.com/pls/apex/f?p=130:21 . If the CVE has an associated ELSA, the CVE will appear in the search results with details of the problem; go on to the next step. If the CVE does not show any associated ELSAs, make a note of the CVE and go to step 10.
4. Click on the CVE number. Details about the CVE will appear.
5. In the CVE details, locate the column labeled "Platform". This lists the Oracle Linux versions that the CVE applies to. If your version of Linux is listed in the "Platform" column, then this vulnerability applies and an ELSA will be listed in the "Errata" column. Click on the ELSA number in the "Errata" column, then go to step 7. If your version of Linux is not listed in the "Platform" column, there will be no ELSA, because the issue covered by the CVE does not affect your version of Linux. In this case, go to step 11.

In some cases a vulnerability may affect the customer's version of Linux but a patch was not produced. This can be for a number of reasons. One of the major reasons is that Oracle Linux is based on Red Hat Enterprise Linux (RHEL), and therefore many of the patches we release are based on patches produced by Red Hat. In some cases, Red Hat will not produce a patch because the version of RHEL has reached End-Of-Life and is no longer supported. In other cases, they will not release a patch because the particular build of that package was not affected. If a patch is not available and the customer would like further follow-up, transfer the SR to the SCG.

6. Search for the ELSA at https://linux.oracle.com/pls/apex/f?p=130:21 and click on the link in the search results to open it.
7. Determine what Linux packages are affected by the vulnerability. All packages that require updating will be listed in the "Filename" column.
8. Query the change log for the affected packages to see if the CVE has already been addressed in it. For example, the following command queries the Firefox package to check for the fix for CVE-2017-5428:

    rpm -q --changelog firefox | grep -i "CVE-2017-5428"
If a result is not returned, then the CVE has not been addressed. Go to the next step. If a result is returned, then the CVE is addressed and is not applicable. Skip to step 11.
Why would your security scan show the system is vulnerable to a CVE when the package change log shows that the CVE is fixed? The majority of the Linux packages used by Engineered Systems are unchanged from the standard Oracle Linux distribution. However, sometimes specific critical fixes are included in the current packages rather than shipping an entirely updated/new package. Consider the following example. Say a security scan was done on an ODA and it found the ODA vulnerable to CVE-2017-1234. This CVE affects Linux kernel versions 4.1.12 and below. The ELSA for this CVE indicates that the fix was first included in kernel-uek-4.1.12-94.4.1. But the kernel version installed on the ODA is kernel-uek-4.1.12-61.1.33 (a lower version than the one the fix is included in). It is natural to assume that the ODA kernel does not have the fix. However, a query of the change log shows this CVE has been fixed. Why? Because that particular fix was applied to the lower version kernel without moving to the all-new kernel. The security scanner vendor does not know about this kernel modification that is specific to Engineered Systems; it only knows about the standard Oracle Linux kernel version.
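The following script, an added example that is not part of Oracle's note, puts step 8 and the backport discussion above into one check: it first compares the installed version-release against the first fixed build named in the ELSA, and only if that comparison says "vulnerable" does it fall back to the change-log query, so a backported fix is reported as such instead of as a false positive. The version comparison is a simplified rpmvercmp written in awk (numeric segments compare numerically, other segments as strings; epochs are not handled). The `rpm -q --qf` and `rpm -q --changelog` invocations are real rpm options; the changelog excerpt, maintainer name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide whether one CVE still applies to one
# installed RPM, combining the ELSA version check with the step 8 changelog check.

# Print -1, 0 or 1 according to whether version-release $1 is older than,
# equal to, or newer than $2. Simplified rpmvercmp; epochs are not handled.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, as, /[^0-9A-Za-z]+/)
        nb = split(b, bs, /[^0-9A-Za-z]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = as[i]; y = bs[i]
            if (x == y) continue
            if (x == "") { print "-1"; exit }   # fewer segments sorts as older
            if (y == "") { print "1"; exit }
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { r = (x + 0 < y + 0) ? "-1" : "1" }
            else { r = (x < y) ? "-1" : "1" }
            print r; exit
        }
        print "0"
    }'
}

# Succeed if the changelog text on stdin mentions CVE id $1 as a whole token,
# so that CVE-2017-1234 does not match a line about CVE-2017-12345.
cve_in_changelog() {
    grep -i -q -E "(^|[^0-9A-Za-z])$1([^0-9]|$)"
}

# Print one of: fixed-by-version, fixed-by-backport, not-fixed.
#   $1 CVE id   $2 installed version-release   $3 first fixed version-release
#   from the ELSA   $4 changelog text (as printed by rpm -q --changelog)
classify_cve() {
    if [ "$(vercmp "$2" "$3")" -ge 0 ]; then
        echo fixed-by-version
    elif printf '%s\n' "$4" | cve_in_changelog "$1"; then
        echo fixed-by-backport      # the scanner's version-only test is a false positive
    else
        echo not-fixed
    fi
}

# On an ODA, run the same check against a really installed package. When several
# versions coexist (kernels do), the newest installed one is judged.
check_installed_package() {
    cve="$1"; pkg="$2"; fixed="$3"
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; run this on the appliance" >&2; return 2; }
    versions=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg") || { echo "$pkg not installed"; return 0; }
    newest=""
    for v in $versions; do
        if [ -z "$newest" ] || [ "$(vercmp "$v" "$newest")" = 1 ]; then newest="$v"; fi
    done
    classify_cve "$cve" "$newest" "$fixed" "$(rpm -q --changelog "$pkg")"
}

# Constructed changelog excerpt (not real Oracle text) standing in for
# `rpm -q --changelog kernel-uek` output in the note's scenario: the CVE-2017-1234
# fix was backported into 4.1.12-61.1.33 although the ELSA names 4.1.12-94.4.1.
SAMPLE_CHANGELOG='* Mon Jan 01 2018 Placeholder Maintainer <maintainer@example.invalid> [4.1.12-61.1.33]
- backport: address CVE-2017-1234 in the example subsystem
- address CVE-2017-12345 (unrelated, constructed entry)'

classify_cve CVE-2017-1234 4.1.12-61.1.33 4.1.12-94.4.1 "$SAMPLE_CHANGELOG"   # fixed-by-backport
classify_cve CVE-2017-1234 4.1.12-94.4.1  4.1.12-94.4.1 ""                    # fixed-by-version
classify_cve CVE-2017-123  4.1.12-61.1.33 4.1.12-94.4.1 "$SAMPLE_CHANGELOG"   # not-fixed
```

On an appliance, `check_installed_package CVE-2017-1234 kernel-uek 4.1.12-94.4.1` performs the real query; the three calls at the bottom exercise the logic offline with the constructed changelog. The whole-token match in `cve_in_changelog` matters in practice because a plain `grep -i CVE-2017-1234` would also match an unrelated CVE-2017-12345 entry and wrongly report the package as fixed.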
9. Note that not all packages will need to be updated. For example, the development (-devel) or source (-src) packages are not installed on ODA systems by default. If the packages affected are kernel, glibc, ibutils or Java packages, you must wait until an ODA image with the fixed version specified in the Errata (or higher) is available. DO NOT UPGRADE THE KERNEL, GLIBC, IBUTILS OR JAVA PACKAGES ON AN ODA SYSTEM USING YUM OR RPM UNLESS PROVIDED INSTRUCTIONS TO DO SO BY ORACLE SUPPORT. These packages are specific to ODA and must be thoroughly tested prior to being approved for use on these systems. Upgrading them independently of an ODA image has the potential to cause serious harm to the system.
For all other packages, update just the affected package individually using one of the following two methods:

- If your ODA is able to access the internet, you may use the YUM utility as root to update a single package. For example:

    yum update <packageName>

- If your ODA is not able to access the internet, you must download the required updated package from the Oracle Public Yum Repository and install it as root using the rpm command. For example:

    rpm -Uvh <packageName>

Refer to Doc ID 2312778.1 for more information. Once you have determined what action to take regarding package updates based on the above information, go to step 11.
10. If you are at this step, then no fix for the vulnerability could be found. Make a note of the vulnerability details, then go to the next step.
11. Repeat steps 1 through 6 above for all vulnerabilities found in the vulnerability report. Once all vulnerabilities in the report have been addressed, go to the next step.
12. If all vulnerabilities are addressed by the steps above, you are finished. If you have a list of CVEs/ELSAs that were not addressed in the steps above, OR there are vulnerabilities for which your security team cannot determine the CVE number, open a Service Request with Oracle Support and include the list of CVEs/vulnerabilities that were not addressed. If possible, attach the full vulnerability report to the Service Request.
References
NOTE:888888.1 - Oracle Database Appliance - 12.2.1.1 and 2.X Supported ODA Versions & Known Issues
NOTE:2115814.1 - ODA Responses to Oracle Database Appliance Security Scan Findings
SR 3-13140726351