[PSU] Notes on Patching a Critical Oracle Vulnerability
1. Overview
This write-up passes no judgment on Weibo itself, but I did learn that this bug was indeed first reported on Weibo; screenshot below:
As the screenshot shows, in version 11.2.0.4 a user who has no UPDATE privilege can get around the privilege check and execute DML by wrapping the target table in a WITH ... AS subquery. Testing several other versions showed that 11.2.0.1 and 12.1.0 have the same problem; 10g does not.
2. Resolution
Environment: rhel6.3_x64, Oracle 11.2.0.4_x64
Just when I thought this was a new bug in a new Oracle release, Enmotech (云和恩墨) published "Oracle Database Critical Vulnerability Warning". Using it as a reference, I downloaded the PSU from Oracle's support site, installed it and retested; after the install, the vulnerability was fixed.
First, let's reproduce the problem once more by running an UPDATE under this version.
[oracle@ora11 soft]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Thu May 14 08:57:43 2015

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> create user test identified by test;

User created.

SQL> grant create session,connect to test;

Grant succeeded.

SQL> grant select on scott.emp to test;

Grant succeeded.

SQL> conn test/test
Connected.
SQL> select * from scott.emp;
------ ---------- --------- ------- ------------------- ---------- ----- -------
  7369 SMITH      CLERK        7902 1980-12-17 00:00:00        800          20
  7499 ALLEN      SALESMAN     7698 1981-02-20 00:00:00       1600   300    30
  7521 WARD       SALESMAN     7698 1981-02-22 00:00:00       1250   500    30
  7566 JONES      MANAGER      7839 1981-04-02 00:00:00       2975          20
  7654 MARTIN     SALESMAN     7698 1981-09-28 00:00:00       1250  1400    30
  7698 BLAKE      MANAGER      7839 1981-05-01 00:00:00       2850          30
  7782 CLARK      MANAGER      7839 1981-06-09 00:00:00       2450          10
  7788 SCOTT      ANALYST      7566 1987-04-19 00:00:00       3000          20
  7839 KING       PRESIDENT         1981-11-17 00:00:00       5000          10
  7844 TURNER     SALESMAN     7698 1981-09-08 00:00:00       1500     0    30
  7876 ADAMS      CLERK        7788 1987-05-23 00:00:00       1100          20
  7900 JAMES      CLERK        7698 1981-12-03 00:00:00        950          30
  7902 FORD       ANALYST      7566 1981-12-03 00:00:00       3000          20
  7934 MILLER     CLERK        7782 1982-01-23 00:00:00       1300          10

update scott.emp set sal=1699 where ename='ALLEN'
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> update (with temp as (select * from scott.emp) select * from temp) set sal=1699 where ename='ALLEN';

1 row updated.

SQL> commit;

Commit complete.
That confirms the vulnerability is present. Next we apply the latest PSU to this database.
Following the "Oracle Critical Patch Update Advisory - July 2014", locate the affected databases and versions; along the way, here is a brief walk-through of how to find patches on Oracle's support site.
Click Database and open Doc ID 1666884.1, then pick the patch for the version in question. We could go straight to the latest patch, but here, following the table in that document, I chose Patch 18522509.
Because that patch is no longer the latest, when you click its number Oracle warns that the patch has been superseded. As shown below, we can select the latest patch, 20299013, and click download.
After the download completes, upload the patch to the database server that needs patching, unzip it, and read the accompanying README.html.
One of its prerequisites:
2.1 OPatch Utility

You must use the OPatch utility version 11.2.0.3.6 or later to apply this patch. Oracle recommends that you use the latest released OPatch version for 11.2, which is available for download from My Oracle Support patch 6880880 by selecting the 11.2.0.0.0 release. For information about OPatch documentation, including any known issues, see My Oracle Support Document 293369.1 OPatch documentation list.
Check the OPatch version installed in this Oracle Home:
[oracle@ora11 ocm]$ $ORACLE_HOME/OPatch/opatch lsinventory -detail -oh $ORACLE_HOME
Oracle Interim Patch Installer version 11.2.0.3.4
Copyright (c) 2012, Oracle Corporation.  All rights reserved.

Oracle Home       : /oracle/app/oracle/product/11.2.0
Central Inventory : /oracle/app/oraInventory
   from           : /oracle/app/oracle/product/11.2.0/oraInst.loc
OPatch version    : 11.2.0.3.4
OUI version       : 11.2.0.4.0
This PSU requires OPatch 11.2.0.3.6 or later. Not willing to take that on faith, let's just try applying it and see what happens.
[oracle@ora11 20299013]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.4
Copyright (c) 2012, Oracle Corporation.  All rights reserved.

Oracle Home       : /oracle/app/oracle/product/11.2.0
Central Inventory : /oracle/app/oraInventory
   from           : /oracle/app/oracle/product/11.2.0/oraInst.loc
OPatch version    : 11.2.0.3.4
OUI version       : 11.2.0.4.0
Log file location : /oracle/app/oracle/product/11.2.0/cfgtoollogs/opatch/opatch2015-05-14_10-20-22AM_1.log

Verifying environment and performing prerequisite checks...
Prerequisite check "CheckMinimumOPatchVersion" failed.
The details are:

The OPatch being used has version 11.2.0.3.4 while the following patch(es) require higher versions:
Patch 17478514 requires OPatch version 11.2.0.3.5.
Patch 18031668 requires OPatch version 11.2.0.3.5.
Patch 18522509 requires OPatch version 11.2.0.3.5.
Patch 19121551 requires OPatch version 11.2.0.3.5.
Patch 19769489 requires OPatch version 11.2.0.3.5.
Patch 20299013 requires OPatch version 11.2.0.3.5.
Please download latest OPatch from My Oracle Support.

UtilSession failed: Prerequisite check "CheckMinimumOPatchVersion" failed.
Log file location: /oracle/app/oracle/product/11.2.0/cfgtoollogs/opatch/opatch2015-05-14_10-20-22AM_1.log

OPatch failed with error code 73
[oracle@ora11 20299013]$
As expected. So, following the link in the patch's README.html, download the OPatch patch, patch 6880880 (take care to select the matching database version and operating system platform).
Upload the OPatch patch to the server; then we are ready to start the installation.
Back up the original OPatch directory, unzip the new OPatch, and copy it into place.
[oracle@ora11 soft]$ unzip p6880880_112000_Linux-x86-64.zip

Oracle Interim Patch Installer version 11.2.0.3.10
Copyright (c) 2015, Oracle Corporation.  All rights reserved.

Oracle Home       : /oracle/app/oracle/product/11.2.0
Central Inventory : /oracle/app/oraInventory
   from           : /oracle/app/oracle/product/11.2.0/oraInst.loc
OPatch version    : 11.2.0.3.10
OUI version       : 11.2.0.4.0
Now apply the PSU itself.
First shut down the database and the listener:
shutdown immediate
lsnrctl stop
Unzip the PSU, change into its directory, and run the following:
unzip p20299013_112040_Linux-x86-64.zip
cd 20299013
opatch apply
Once that finishes, start the database and run the post-install SQL script. With that, the PSU is applied.
cd $ORACLE_HOME/rdbms/admin
sqlplus /nolog
SQL> CONNECT / AS SYSDBA
SQL> STARTUP
SQL> @catbundle.sql psu apply
Verify the inventory:
[oracle@ora11 admin]$ opatch lsinventory
Oracle Interim Patch Installer version 11.2.0.3.10
Copyright (c) 2015, Oracle Corporation.  All rights reserved.

Oracle Home       : /oracle/app/oracle/product/11.2.0
Central Inventory : /oracle/app/oraInventory
   from           : /oracle/app/oracle/product/11.2.0/oraInst.loc
OPatch version    : 11.2.0.3.10
OUI version       : 11.2.0.4.0
Log file location : /oracle/app/oracle/product/11.2.0/cfgtoollogs/opatch/opatch2015-05-14_10-50-38AM_1.log

Lsinventory Output file location : /oracle/app/oracle/product/11.2.0/cfgtoollogs/opatch/lsinv/lsinventory2015-05-14_10-50-38AM.txt

--------------------------------------------------------------------------------
Local Machine Information::
Hostname: ora11
ARU platform id: 226
ARU platform description:: Linux x86-64

Installed Top-level Products (1):

Oracle Database 11g                                                  11.2.0.4.0
There are 1 products installed in this Oracle Home.

Interim patches (1) :

Patch  20299013     : applied on Thu May 14 10:47:37 CST 2015
Unique Patch ID:  18573940
   Patch description:  "Database Patch Set Update : 11.2.0.4.6 (20299013)"
   Created on 4 Mar 2015, 02:27:44 hrs PST8PDT
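Two checks recur in the procedure above: whether OPatch meets the README's 11.2.0.3.6 minimum (the "CheckMinimumOPatchVersion" failure) and whether patch 20299013 shows up in opatch lsinventory afterwards. The script below is an added example, not part of the original post or of any Oracle tool: it parses saved opatch output and answers both questions, using constructed sample output modelled on the listings above (any host names and paths in it are illustrative).

```python
import re
from typing import List, Tuple

# Minimum OPatch version from the PSU README quoted above, and the PSU number applied on this page.
MIN_OPATCH = "11.2.0.3.6"
PSU_PATCH = "20299013"

# Constructed sample (abridged from the shape of the output above): before updating OPatch / applying the PSU.
SAMPLE_BEFORE = """\
Oracle Interim Patch Installer version 11.2.0.3.4
OPatch version    : 11.2.0.3.4
OUI version       : 11.2.0.4.0
Interim patches (0) :
"""

# Constructed sample: after the new OPatch was installed and the PSU applied.
SAMPLE_AFTER = """\
Oracle Interim Patch Installer version 11.2.0.3.10
OPatch version    : 11.2.0.3.10
OUI version       : 11.2.0.4.0
Interim patches (1) :
Patch  20299013     : applied on Thu May 14 10:47:37 CST 2015
Unique Patch ID:  18573940
   Patch description:  "Database Patch Set Update : 11.2.0.4.6 (20299013)"
"""

def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare numerically: as plain strings '11.2.0.3.10' sorts before '11.2.0.3.6', which is wrong."""
    return tuple(int(p) for p in v.strip().split("."))

def opatch_version(text: str) -> str:
    """Extract the value of the 'OPatch version : x.y.z' line from opatch output."""
    m = re.search(r"^OPatch version\s*:\s*([\d.]+)", text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'OPatch version' line in output")
    return m.group(1)

def applied_patches(text: str) -> List[str]:
    """Collect the patch number of every 'Patch NNN : applied on ...' inventory entry."""
    return re.findall(r"^Patch\s+(\d+)\s*:\s*applied on", text, re.MULTILINE)

def check(text: str) -> dict:
    """Report whether OPatch satisfies the README minimum and whether the PSU is in the inventory."""
    ver = opatch_version(text)
    return {
        "opatch_version": ver,
        "opatch_ok": version_tuple(ver) >= version_tuple(MIN_OPATCH),
        "psu_applied": PSU_PATCH in applied_patches(text),
    }
```

Feed it the captured text of `opatch lsinventory` from each Oracle Home to get a quick before/after audit across many servers.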
Re-test the vulnerability: on Oracle 11.2.0.4 it is now fixed.
SQL> conn test/test
Connected.
SQL> update (with temp as (select * from scott.emp) select * from temp) set sal=1600 where ename='ALLEN';
update (with temp as (select * from scott.emp) select * from temp) set sal=1600 where ename='ALLEN'
*
ERROR at line 1:
ORA-01031: insufficient privileges
3. Summary
When I first saw this vulnerability I understood how dangerous it was, and it also struck me as odd: who would think to try updating data with a statement like that? I admire the people who discovered it, and Enmotech for publishing an explanation so promptly after it surfaced (though perhaps I am simply out of the loop). From what little I have seen, some companies and DBAs do not apply the patches Oracle releases in a timely way, for all sorts of reasons. Databases hold the data, and their importance goes without saying; alongside studying the technology itself, we should keep an eye on the advisories and patches Oracle publishes. Making good use of the Oracle website and MOS will help you learn and work better. It is good English practice too.
4. References:
http://mp.weixin.qq.com/s?__biz=MjM5MzExMTU2OQ==&mid=205651373&idx=1&sn=4fcd886575af062c3c5814e73541cb26&scene=5#rd
[云和恩墨] Oracle Database Critical Vulnerability Warning!
Handle: 文盲筱烨
IT technology and running enthusiast
Oracle10g OCM, SDOUG member (a young and energetic group)
Email: [email protected]
Blog: http://blog.itpub.net/29487349/