ECS: ECS Solution for the Apache Log4j Remote Code Execution Vulnerability

Summary: Apache Log4j security vulnerability

Symptoms

CVE identifier CVE-2021-44228
CVE identifier CVE-2021-45046

Apache publication: Apache Log4j Remote Code Execution

Cause

Apache Log4j security vulnerability

Resolution

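Who should run this procedure?

Dell asks customers to perform this procedure of upgrading xDoctor and installing the patch themselves. This is the quickest and safest method because it avoids prolonged exposure to this Apache vulnerability. All steps are detailed in this KB. A video guide accompanying this KB is also available at the link below.

Video: Apache-Log4j

Impact of the procedure:

Expect possible I/O timeouts while services are restarted. Applications accessing the cluster must be able to handle I/O timeouts. A maintenance window is recommended when performing this procedure.

Time required for the activity (approximate):

By default, a delay of approximately 7 minutes is set on each node between service restarts. The total is the number of nodes in a Virtual Data Center (VDC) multiplied by 7 minutes, plus 60 minutes for preparation, DT stabilization, and the post-checks needed.

Examples:
A 48-node VDC system can take approximately 6.5 hours:
7.5 minutes x 48 (number of VDC nodes) + 30 minutes (preparation) = 6.5 hours or 390 minutes

An 8-node VDC system can take approximately 1.5 hours:
7.5 minutes x 8 (number of VDC nodes) + 30 minutes (preparation) = 1.5 hours or 90 minutes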

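Frequently Asked Questions (FAQ):

Q: Is the patch part of the xDoctor release?
A: The patch install script is part of xDoctor release 4.8-79.1 and later. Instructions for downloading xDoctor and running the patch install are in the resolution steps.

Q: Can multiple VDCs be updated at the same time?
A: No. Patch one VDC at a time.

Q: Can I apply this patch to an ECS running code version 3.2.x or earlier?
A: No, this patch applies only to ECS versions 3.3.x - 3.6.x. Open a service request to schedule an upgrade for earlier versions.

Q: If I upgrade ECS after running this procedure, do I have to rerun the procedure after the upgrade?
A: No, if you upgrade to a code version specified in DSA-2021-273, which contains the permanent fix. Yes, if you upgrade to a code version not specified in this DSA.

Q: Does the patch need to be reapplied on a system where it was previously installed after a node replacement, reimage, or expansion?
A: No, if the VDC is at a code version specified in DSA-2021-273. Yes, if any of these actions are performed on a VDC running a code version not specified in this same DSA. Where the patch is required in these situations, a Dell engineer will contact you to tell you that the update is needed.

Q: Which user should you be logged in as to run all the commands in this KB?
A: Admin

Q: Where there are multiple racks in a VDC, does svc_patch have to be run on all racks, or with a specialized machines file?
A: No, it automatically detects whether multiple racks exist and updates all nodes on all racks in that VDC.

Q: I notice that the target xDoctor release is now 4.8-79.1 and not 4.8-79.0. Why?
A: xDoctor releases occur frequently, so upgrading to the highest released version is always recommended. However, if you previously ran the Apache fix using 4.8-79.0, the system is fully protected against the vulnerability and the fix does not need to be rerun.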

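Resolution Summary:

  1. Upgrade your ECS xDoctor software to version 4.8-79.1 or later.
  2. Run prechecks.
  3. Apply the system patch with the svc_patch tool included with xDoctor.
  4. Confirm that the fix has been applied.
  5. Troubleshooting.

Resolution Steps:

1. Upgrade your ECS xDoctor software to the latest available version.

  1. Check the xDoctor version running on the system. If the version is 4.8-79.1 or later, move to step 2, "Run prechecks". Otherwise, continue with the steps below.

    Command:

    # sudo xdoctor --version

    Example: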

    admin@node1:~> sudo xdoctor --version
    4.8-79.1
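  2. Sign in to the support site, go directly to the download link, search for xDoctor using the keyword search, and click the xDoctor RPM link to download it. To view the release notes, follow the release notes instructions and select Manuals and Documents from the sidebar, where they are available for download.
  3. After downloading the RPM, use any remote SCP program to upload the file to the /home/admin directory on the first ECS node.
  4. When the upload is complete, SSH to the first node of the ECS system as admin.
  5. Upgrade xDoctor on all nodes with the newly released version.

    Command:

    # sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-79.1.noarch.rpm

    Example: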

    admin@node1:~> sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-79.1.noarch.rpm
    2021-12-20 12:06:11,358: xDoctor_4.8-78.2 - INFO    : xDoctor Upgrader Instance (2:FTP_SFTP)
    2021-12-20 12:06:11,358: xDoctor_4.8-78.2 - INFO    : Local Upgrade (/home/admin/xDoctor4ECS-4.8-79.1.noarch.rpm)
    2021-12-20 12:06:11,392: xDoctor_4.8-78.2 - INFO    : Current Installed xDoctor version is 4.8-78.2
    2021-12-20 12:06:11,429: xDoctor_4.8-78.2 - INFO    : Requested package version is 4.8-79.1
    2021-12-20 12:06:11,430: xDoctor_4.8-78.2 - INFO    : Updating xDoctor RPM Package (RPM)
    2021-12-20 12:06:11,482: xDoctor_4.8-78.2 - INFO    :  - Distribute package
    2021-12-20 12:06:12,099: xDoctor_4.8-78.2 - INFO    :  - Install new rpm package
    2021-12-20 12:06:37,829: xDoctor_4.8-78.2 - INFO    : xDoctor successfully updated to version 4.8-79.1
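  6. If the environment is a multi-rack VDC, the new xDoctor package must be installed on the first node of each rack. To identify these rack primaries, run the following command. In this instance, there are four racks and four rack primaries highlighted.

    1. Command:

      # svc_exec -m "ip address show private.4 |grep -w inet"

      Example: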

      admin@ecsnode1~> svc_exec -m "ip address show private.4 |grep -w inet"
      svc_exec v1.0.2 (svc_tools v2.1.0)                 Started 2021-12-20 14:03:33
      
      Output from node: r1n1                                retval: 0
          inet 169.254.1.1/16 brd 169.254.255.255 scope global private.4
      
      Output from node: r2n1                                retval: 0
          inet 169.254.2.1/16 brd 169.254.255.255 scope global private.4
      
      Output from node: r3n1                                retval: 0
          inet 169.254.3.1/16 brd 169.254.255.255 scope global private.4
      
      Output from node: r4n1                                retval: 0
          inet 169.254.4.1/16 brd 169.254.255.255 scope global private.4
    2. Copy the package from the first node of the system (R1N1) to the other rack primaries, as follows:

      Example:

      admin@ecsnode1~> scp xDoctor4ECS-4.8-79.1.noarch.rpm 169.254.2.1:/home/admin/
      xDoctor4ECS-4.8-79.1.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
      admin@ecsnode1~> scp xDoctor4ECS-4.8-79.1.noarch.rpm 169.254.3.1:/home/admin/
      xDoctor4ECS-4.8-79.1.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
      admin@ecsnode1~> scp xDoctor4ECS-4.8-79.1.noarch.rpm 169.254.4.1:/home/admin/
      xDoctor4ECS-4.8-79.1.noarch.rpm                                                                                                                        100%   32MB  31.9MB/s   00:00
      admin@ecsnode1~>
    3. Per step 5 above, run the same xDoctor install command on each of the rack primaries identified earlier.

      Command:

      # sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-79.1.noarch.rpm

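2. Run prechecks.

  1. Use the svc_dt command to check whether the DTs are stable. The DTs are stable if the "Unready #" column shows 0. If so, go to the next step. If not, wait 15 minutes and check again. If the DTs have not stabilized, open a service request with the ECS support team.

    Command:

    # svc_dt check -b

    Example: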

    admin@node1:~> svc_dt check -b
    
    svc_dt v1.0.25 (svc_tools v2.0.2)                 Started 2021-12-16 16:44:51
    
    Date                     Total DT       Unknown #      Unready #      RIS Fail #     Dump Fail #    Check type     Time since check   Check successful
    
    2021-12-16 16:43:44      2432           0              0              0              0              AutoCheck      1m 7s              True
    2021-12-16 16:42:33      2432           0              0              0              0              AutoCheck      2m 18s             True
    2021-12-16 16:41:23      2432           0              0              0              0              AutoCheck      3m 28s             True
    2021-12-16 16:40:13      2432           0              0              0              0              AutoCheck      4m 38s             True
    2021-12-16 16:39:02      2432           0              0              0              0              AutoCheck      5m 49s             True
    2021-12-16 16:37:52      2432           0              0              0              0              AutoCheck      6m 59s             True
    2021-12-16 16:36:42      2432           0              0              0              0              AutoCheck      8m 9s              True
    2021-12-16 16:35:31      2432           0              0              0              0              AutoCheck      9m 20s             True
    2021-12-16 16:34:21      2432           0              0              0              0              AutoCheck      10m 30s            True
    2021-12-16 16:33:11      2432           0              0              0              0              AutoCheck      11m 40s            True
    
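  2. Use the svc_patch command to verify that all nodes are online. If so, go to the next step. If not, investigate the cause, bring the node back online, and run the check again. If a node cannot be brought online, open a service request with the ECS support team to investigate.

    Command:

    # /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status

    Example: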

    admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status
    svc_patch Version 2.9.1
    
    Verifying patch bundle consistency                    DONE
    Detecting nodes in current VDC                        DONE
    Reading in patch details (1 of 2)                     DONE
    Reading in patch details (2 of 2)                     DONE
    Validating nodes are online                           DONE
    Checking Installed Patches and Dependencies           DONE
    
    Patches/releases currently installed:
            [ None detected ]
    
    Patches that need to be installed:
            CVE-2021-44228_log4j-fix_3.3.x-3.6.2                    (PatchID: 3298)
    
    Files that need to be installed:
            /opt/storageos/lib/log4j-core-2.5.jar                   (from CVE-2021-44228_log4j-fix_3.3.x-3.6.2)
    
    The following services need to be restarted:
            ALL
    

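3. Apply the system patch with the svc_patch tool included with xDoctor.

  1. Run the svc_patch command, then type "y" and press Enter when prompted to install the patch. This command can be run on any ECS node.

    Command:

    # screen -S patchinstall
    # unset TMOUT
    # /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch install

    Example:

    Note: The output below contains a prompt to continue.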
    admin@node1:~> screen -S patchinstall
    admin@node1:~> unset TMOUT
    admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch install
    svc_patch Version 2.9.1
    
    Verifying patch bundle consistency                    DONE
    Detecting nodes in current VDC                        DONE
    Reading in patch details (1 of 2)                     DONE
    Reading in patch details (2 of 2)                     DONE
    Validating nodes are online                           DONE
    Checking Installed Patches and Dependencies           DONE
    
    Patches/releases currently installed:
            [ None detected ]
    
    Patches that will be installed:
            CVE-2021-44228_log4j-fix_3.3.x-3.6.2                    (PatchID: 3298)
    
    Files that will be installed:
            /opt/storageos/lib/log4j-core-2.5.jar                   (from CVE-2021-44228_log4j-fix_3.3.x-3.6.2)
    
    The following services will be restarted:
            ALL
    
    Patch Type:                                                     Standalone
    Number of nodes:                                                8
    Number of seconds to wait between restarting node services:     450
    Check DT status between node service restarts:                  true
    
    Do you wish to continue (y/n)?y
    
    [...Truncated Output of each node Distributing files and restarting services...]
    Distributing files to node 1xx.xxx.xx.xx
    Distributing patch installer to node '1xx.xxx.xx.xx'
    
    
    Restarting services on 1xx.xxx.xx.xx
    Restarting all services
    Waiting 180 seconds for services to stabilize...
    
    [...Truncated Output of each node Distributing files and restarting services...]
    
    Stopping ViPR services..done
    Services status 3: stat georeceiver eventsvc blobsvc dataheadsvc blobsvc-perf blobsvc-fi resourcesvc resourcesvc-perf resourcesvc-fi rm cm ssm objcontrolsvc metering sr storageserver nvmeengine nvmetargetviewer dtquery dtsm vnest coordinatorsvc ecsportalsvc transformsvc
    Setting up SSL certificates ...done
    Starting ViPR services..done
    Waiting 300 seconds for services to stabilize...DONE
    
    Patching complete.
    admin@node1:~>
    
  2. When the update has completed as shown in the output above, exit the screen session.

    Example:

    admin@node1:/> exit
    logout
    
    
    [screen is terminating]
    admin@node1:/>
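    Note: If you accidentally close the PuTTY session while the run is in progress, log in to the same node again and run the following command to reattach:

    Command: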

    # screen -ls
    admin@node 1:~> screen -ls
    There is a screen on:
            114475.pts-0.ecs-n3     (Detached)
    1 Socket in /var/run/uscreens/S-admin.

    Reattach to the detached session listed in the previous output.

    admin@node1:~> screen -r 114475.pts-0.ecs-n3

4. Confirm that the fix has been applied.

  1. The following output is from a system where the fix has been applied.

    Command:

    # /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status

    Example:

    admin@node1:/> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status
    svc_patch Version 2.9.1
    
    Verifying patch bundle consistency                    DONE
    Detecting nodes in current VDC                        DONE
    Reading in patch details (1 of 2)                     DONE
    Reading in patch details (2 of 2)                     DONE
    Validating nodes are online                           DONE
    Checking Installed Patches and Dependencies           DONE
    
    Patches/releases currently installed:
            CVE-2021-44228_log4j-fix_3.3.x-3.6.2     (PatchID: 3298)        Fixes for Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046
    
    Patches that need to be installed:
    
            No files need to be installed.
    
    
    The following services need to be restarted:
            No services need to be restarted.
    
  2. The following output is from a system where the fix has not yet been applied.

    Example:

    admin@node1:/> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status
    svc_patch Version 2.9.1
    
    Verifying patch bundle consistency                    DONE
    Detecting nodes in current VDC                        DONE
    Reading in patch details (1 of 2)                     DONE
    Reading in patch details (2 of 2)                     DONE
    Validating nodes are online                           DONE
    Checking Installed Patches and Dependencies           DONE
    
    Patches/releases currently installed:
            [ None detected ]
    
    Patches that need to be installed:
            CVE-2021-44228_log4j-fix_3.3.x-3.6.2                    (PatchID: 3298)
    
    Files that need to be installed:
            /opt/storageos/lib/log4j-core-2.5.jar                   (from CVE-2021-44228_log4j-fix_3.3.x-3.6.2)
    
    The following services need to be restarted:
            ALL
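
The status outputs shown in steps 2 and 4, and the per-node layout shown under Troubleshooting, can be classified mechanically. The following is an added example, not part of the Dell article or of xDoctor: it parses captured `svc_dt check -b` and `svc_patch status` text from stdin, and the function names and sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Dell code: classify output in the formats shown in this KB.
# Both functions read tool output on stdin; neither runs svc_dt or svc_patch.

# Print "Unready #" from the newest row of `svc_dt check -b`. Data rows start
# with a date, so the value is field 5 (date, time, Total DT, Unknown #,
# Unready #) even when the check type is the two-word "Manual Check".
dt_unready() {
    awk '$1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ { print $5; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# Print patched | unpatched | partial: <nodes> | error | unknown for
# `svc_patch status` output, in both the single and the per-node layout.
patch_state() {
    awk '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /FAILED$/                        { failed = 1 }
    /currently installed:$/          { sec = "inst"; next }
    /need to be restarted:$/         { sec = "svc"; seen = 1; next }
    /:$/                             { sec = ""; next }
    sec == "inst" && /None detected/ { none = 1 }
    sec == "svc" && $0 == "ALL"      { all = 1 }
    sec == "svc" && /^[0-9.]+: / && $2 != "<None>" {
        node = $1; sub(/:$/, "", node); pending = pending " " node
    }
    END {
        if (failed)             print "error"
        else if (pending != "") print "partial:" pending
        else if (all || none)   print "unpatched"
        else if (seen)          print "patched"
        else                    print "unknown"
    }'
}

# Constructed samples, trimmed from the outputs shown in this KB.
sample_patched() { cat <<'EOF'
Patches/releases currently installed:
        CVE-2021-44228_log4j-fix_3.3.x-3.6.2     (PatchID: 3298)
Patches that need to be installed:
        No files need to be installed.
The following services need to be restarted:
        No services need to be restarted.
EOF
}
sample_unpatched() { cat <<'EOF'
Patches/releases currently installed:
        [ None detected ]
The following services need to be restarted:
        ALL
EOF
}
sample_partial() { cat <<'EOF'
All nodes currently do not have the same patches installed.
Services that need to be restarted:
        169.254.1.4: <None>
        169.254.1.5: ALL
        169.254.1.6: ALL
EOF
}
sample_dt() { cat <<EOF
Date   Total DT   Unknown #   Unready #   RIS Fail #   Dump Fail #   Check type   Time since check   Check successful
2021-12-15 17:16:10   1920   0   $1   0   0   Manual Check   2m 42s   True
2021-12-15 17:15:34   1920   0   0   0   0   AutoCheck   3m 18s   True
EOF
}

for s in patched unpatched partial; do
    printf '%-10s -> %s\n' "$s" "$(sample_$s | patch_state)"
done
printf 'newest Unready #: %s\n' "$(sample_dt 0 | dt_unready)"
```

On a node, the same functions can be fed live output, for example by piping `svc_dt check -b` into `dt_unready`.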
    

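Troubleshooting:

  1. DT stabilization takes too long

    1. If DT stabilization takes longer than the default 7.5 minutes, the svc_patch application prompts you to continue or abort the patch process.

      Example: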

      admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch install
      
      [...Truncated Output of each node Distributing files and restarting services...]
      Restarting services on 1xx.xx.xx.xx
      Restarting all services
      Waiting 180 seconds for services to stabilize...DONE
      Waiting for DTs to come online
      ERROR: DT Check failed. DTs did not come ready or could not be checked after several passes.
      
      Do you wish to continue anyway (y/n)?
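    2. Open a PuTTY session on another node and run the svc_dt command to check the DTs in the "Unready #" column. If the values are not "0", wait 15 minutes and run the check again. When there are no unready DTs, return to the session running svc_patch, answer "y", and continue. If svc_dt continues to list values in the "Unready #" column, open a service request with the ECS support team.

      Command:

      # svc_dt check -b

      Example: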

      admin@node1:~> svc_dt check -b
      
      svc_dt v1.0.25 (svc_tools v2.0.2)                 Started 2021-12-15 17:18:52
      
      Date                     Total DT       Unknown #      Unready #      RIS Fail #     Dump Fail #    Check type     Time since check   Check successful
      
      2021-12-15 17:17:54      1920           0              0              0              0              AutoCheck      0m 58s             True
      2021-12-15 17:16:44      1920           0              0              0              0              AutoCheck      2m 8s              True
      2021-12-15 17:16:10      1920           0              0              0              0              Manual Check   2m 42s             True
      2021-12-15 17:15:34      1920           0              0              0              0              AutoCheck      3m 18s             True
      2021-12-15 17:14:24      1920           0              0              0              0              AutoCheck      4m 28s             True
      2021-12-15 17:13:13      1920           0              0              0              0              AutoCheck      5m 39s             True
      2021-12-15 17:12:03      1920           0              0              0              0              AutoCheck      6m 49s             True
      2021-12-15 17:10:53      1920           0              0              0              0              AutoCheck      7m 59s             True
      2021-12-15 17:09:43      1920           0              0              0              0              AutoCheck      9m 9s              True
      2021-12-15 17:08:32      1920           0              0              0              0              AutoCheck      10m 20s            True
      
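  2. Services are not restarted on all nodes because the command was not run in screen and the PuTTY session ended prematurely.

    Example: After logging back in, services had restarted on four of the six nodes. See nodes 5 and 6 highlighted below.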

    admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status
    svc_patch Version 2.9.1
    Verifying patch bundle consistency                    DONE
    Detecting nodes in current VDC                        DONE
    Reading in patch details (1 of 2)                     DONE
    Reading in patch details (2 of 2)                     DONE
    Validating nodes are online                           DONE
    Checking Installed Patches and Dependencies           DONE
    All nodes currently do not have the same patches installed.
    Patches/releases currently installed:
            169.254.1.1: CVE-2021-44228_45046_log4j-fix
            169.254.1.2: CVE-2021-44228_45046_log4j-fix
            169.254.1.3: CVE-2021-44228_45046_log4j-fix
            169.254.1.4: CVE-2021-44228_45046_log4j-fix
            169.254.1.5: CVE-2021-44228_45046_log4j-fix
            169.254.1.6: CVE-2021-44228_45046_log4j-fix
            
    Patches that need to be installed:
            169.254.1.1: <None>
            169.254.1.2: <None>
            169.254.1.3: <None>
            169.254.1.4: <None>
            169.254.1.5: <None>
            169.254.1.6: <None>
            
    Files that need to be installed:
            169.254.1.1: <None>
            169.254.1.2: <None>
            169.254.1.3: <None>
            169.254.1.4: <None>
            169.254.1.5: <None>
            169.254.1.6: <None>
            
    Services that need to be restarted:
            169.254.1.1: <None>
            169.254.1.2: <None>
            169.254.1.3: <None>
            169.254.1.4: <None>
            169.254.1.5: ALL
            169.254.1.6: ALL
    admin@ecsnode1:~>

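    Resolution:
    Run the procedure again; the remaining nodes that were missed the first time have their services restarted. The original nodes whose services were already restarted are not affected.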

    admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch install
    svc_patch Version 2.9.1
    Verifying patch bundle consistency                    DONE
    Detecting nodes in current VDC                        DONE
    Reading in patch details (1 of 2)                     DONE
    Reading in patch details (2 of 2)                     DONE
    Validating nodes are online                           DONE
    Checking Installed Patches and Dependencies           DONE
    All nodes currently do not have the same patches installed.
    Patches/releases currently installed:
            169.254.1.1: CVE-2021-44228_45046_log4j-fix
            169.254.1.2: CVE-2021-44228_45046_log4j-fix
            169.254.1.3: CVE-2021-44228_45046_log4j-fix
            169.254.1.4: CVE-2021-44228_45046_log4j-fix
            169.254.1.5: CVE-2021-44228_45046_log4j-fix
            169.254.1.6: CVE-2021-44228_45046_log4j-fix
            Patches that will be installed:
            169.254.1.1: <None>
            169.254.1.2: <None>
            169.254.1.3: <None>
            169.254.1.4: <None>
            169.254.1.5: <None>
            169.254.1.6: <None>
            Files that will be installed:
            169.254.1.1: <None>
            169.254.1.2: <None>
            169.254.1.3: <None>
            169.254.1.4: <None>
            169.254.1.5: <None>
            169.254.1.6: <None>
            Services that will be restarted:
            169.254.1.1: <None>
            169.254.1.2: <None>
            169.254.1.3: <None>
            169.254.1.4: <None>
            169.254.1.5: ALL
            169.254.1.6: ALL
    Patch Type:                                                     Standalone
    Number of nodes:                                                8
    Number of seconds to wait between restarting node services:     450
    Check DT status between node service restarts:                  true
    Do you wish to continue (y/n)?y
    No files to install on 169.254.1.1
            Distributing patch installer to node '169.254.1.1'
    No files to install on 169.254.1.2
            Distributing patch installer to node '169.254.1.2'
    No files to install on 169.254.1.3
            Distributing patch installer to node '169.254.1.3'
    No files to install on 169.254.1.4
            Distributing patch installer to node '169.254.1.4'
    No files to install on 169.254.1.5
            Distributing patch installer to node '169.254.1.5'
    No files to install on 169.254.1.6
            Distributing patch installer to node '169.254.1.6'
    No services to restart on 169.254.1.1
    No services to restart on 169.254.1.2
    No services to restart on 169.254.1.3
    No services to restart on 169.254.1.4
    Restarting services on 169.254.1.5
            Restarting all services
            Waiting 450 seconds for services to stabilize...DONE
            Waiting for DTs to come online
    Restarting services on 169.254.1.6
            Restarting all services
            Waiting 450 seconds for services to stabilize...DONE
            Waiting for DTs to come online
    Patching complete.
    admin@ecsnode1:~>
  3. The host cannot be added to the list of known hosts while applying the patch.

    Example:

    svc_patch Version 2.9.1
    
    Verifying patch bundle consistency                    DONE
    Detecting nodes in current VDC                        DONE
    Reading in patch details (1 of 2)                     DONE
    Reading in patch details (2 of 2)                     DONE
    Validating nodes are online                           FAILED
    
    ERROR: Could not execute commands on the object-main container on 169.254.x.x
      Output was 'Failed to add the host to the list of known hosts (/home/admin/.ssh/known_hosts).
    :patchtest:'
    
    Patching is unable to continue with unreachable nodes.  To proceed:
     - Resolve problems accessing node(s) from this one.
     - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended).
     - Contact your next level of support for other options or assistance.

    Resolution:
    The cause may be that the file /home/admin/.ssh/known_hosts is owned by root, whereas by default it should be owned by admin.

    Example:

    admin@node1:~> ls -l  /home/admin/.ssh/known_hosts
    -rw------- 1 root root 1802 Jul 23  2019 /home/admin/.ssh/known_hosts
    admin@ecs:~>

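    To fix the issue, from another PuTTY session log in to each reported node and, on every reported node where the file is owned by the root user, change the owner to admin with the following command:

    Command:

    #  sudo chown admin:users /home/admin/.ssh/known_hosts

    Example:

    admin@node1:~> sudo chown admin:users /home/admin/.ssh/known_hosts

    Now rerun the svc_patch command; it should pass.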

    admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch install
  4. Commands cannot be executed on the object-main container on 169.254.x.x because of an incorrect host key in /home/admin/.ssh/known_hosts.

    Example:

    svc_patch Version 2.9.1
    
    Verifying patch bundle consistency                    DONE
    Detecting nodes in current VDC                        DONE
    Reading in patch details (1 of 2)                     DONE
    Reading in patch details (2 of 2)                     DONE
    Validating nodes are online                           FAILED
    
    ERROR: Could not execute commands on the object-main container on 169.254.x.x
      Output was '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ECDSA key sent by the remote host is
    SHA256:RcwOsFj7zPA5p5kSeYovF4UlZTm125nLVeCL1zCqOzc.
    Please contact your system administrator.
    Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message.
    Offending ECDSA key in /home/admin/.ssh/known_hosts:14
    You can use following command to remove the offending key:
    ssh-keygen -R 169.254.x.x -f /home/admin/.ssh/known_hosts
    Password authentication is disabled to avoid man-in-the-middle attacks.
    Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
    :patchtest:'
    
    Patching is unable to continue with unreachable nodes.  To proceed:
     - Resolve problems accessing node(s) from this one.
     - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended).
     - Contact your next level of support for other options or assistance.
    

    Resolution:
    Contact ECS support for a resolution.

  5. When using xDoctor version 4.8-85.0 to apply this patch, you may receive an alert stating that the md5sum does not match for svc_base.py:

    # /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status
    svc_patch Version 2.9.1
    
    Verifying patch bundle consistency                    FAILED
    
    Patch bundle onsistency check failed - md5sums for one or more files
    in the patch bundle were invalid, or files were not found.
    
    svc_patch will attempt to validate files in the patch using MD5SUMS.bundle, which
    is bundled with the patch.
    
    Output from md5sum was:
    ./lib/libs/svc_base.py: FAILED
    md5sum: WARNING: 1 computed checksum did NOT match

    Resolution:
    Before applying the patch, run the following commands to update the md5sum:

    # sudo sed -i '/svc_base.py/d' /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/MD5SUMS.bundle
    # sudo sed -i '/MD5SUMS.bundle/d' /opt/emc/xdoctor/.xdr_chksum
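
A check to run before the two sed commands above, as an added example that is not part of the Dell article: it lists which manifest entries fail verification, so the svc_base.py entry is removed only when it is the sole mismatch. It assumes MD5SUMS.bundle is a standard md5sum manifest with paths relative to the patch directory; the function names and the demo directory are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Dell code. Assumes MD5SUMS.bundle is a standard md5sum
# manifest with paths relative to the patch directory, as the output suggests.

# Print every manifest entry that fails verification (mismatch or missing file).
bundle_failures() {   # $1 = patch directory, $2 = manifest name
    ( cd "$1" && LC_ALL=C md5sum -c "$2" 2>/dev/null ) |
        sed -n -e 's/: FAILED$//p' -e 's/: FAILED open or read$//p'
}

# Succeed only when the one failing entry is the file named in this KB.
only_svc_base_fails() {
    [ "$(bundle_failures "$1" "${2:-MD5SUMS.bundle}")" = "./lib/libs/svc_base.py" ]
}

# Build a constructed stand-in for the patch directory and print its path.
make_demo_bundle() {
    d=$(mktemp -d) && mkdir -p "$d/lib/libs" || return 1
    printf 'base v1\n'  > "$d/lib/libs/svc_base.py"
    printf 'patch v1\n' > "$d/svc_patch"
    ( cd "$d" && md5sum ./lib/libs/svc_base.py ./svc_patch > MD5SUMS.bundle )
    printf '%s\n' "$d"
}

demo=$(make_demo_bundle)
printf 'base v2\n' > "$demo/lib/libs/svc_base.py"   # the mismatch this KB reports
only_svc_base_fails "$demo" && echo "only svc_base.py differs"
printf 'changed\n' > "$demo/svc_patch"              # a second, unexpected mismatch
only_svc_base_fails "$demo" || echo "also failing: $(bundle_failures "$demo" MD5SUMS.bundle | tr '\n' ' ')"
rm -rf "$demo"
```

If any path other than ./lib/libs/svc_base.py is listed, the mismatch is not the one this KB describes.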

 

Affected Products

Elastic Cloud Storage

Products

ECS, ECS Appliance
Article Properties
Article Number: 000194467
Article Type: Solution
Last Modified: 02 Dec 2025
Version:  28