ECS:ECS 对 Apache Log4j 远程代码执行漏洞的解决方案
Summary: Apache Log4j 安全漏洞
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
CVE 标识符 CVE-2021-44228
CVE 标识符 CVE_2021-45046
Apache 出版物:Apache Log4j 远程代码执行(英文版)
Cause
Apache Log4j 安全漏洞
Resolution
谁应该运行此过程?
戴尔要求客户执行此过程,升级 xDoctor 并安装修补程序。这是最快和最安全的方法,因为它可以避免长时间暴露于此 Apache 漏洞。本知识库文章详细介绍了所有步骤。此外,本知识库文章还提供视频指南,可按照以下链接进行作。
视频:Apache-Log4j
该过程的影响:
重新启动服务时可能会出现 I/O 超时。访问群集的应用程序必须能够处理 I/O 超时。执行此过程时,建议在维护窗口进行。
活动所需的时间(大概数值):
在服务重新启动之间,默认情况下每个节点设置大约 7 分钟的延迟。虚拟数据中心 (VDC) 中的节点数量乘以 7 分钟 + 准备、DT 稳定和后期检查所需的 60 分钟。
例子:
48 节点 VDC 系统可能需要大约 6.5 小时:
7.5 分钟 X 48(VDC 节点数)+ 30 分钟(准备)= 6.5 小时或 390 分钟
8 节点 VDC 系统可能需要大约 1.5 小时:
7.5 分钟 X 8(VDC 节点数)+ 30 分钟(准备)= 1.5 小时或 90 分钟
常见问题 (FAQ):
问:修补程序是 xDoctor 版本的一部分吗?
一个:修补程序安装脚本是 xDoctor 版本 4.8-79.1 及更高版本的一部分。有关下载 xDoctor 和执行修补程序安装的说明在解决步骤中。
问:是否可以并行更新多个 VDC?
一个:不。 一次修补 1 个 VDC。
问:是否可以在运行代码版本 3.2.x 或更低版本的 ECS 上应用此修补程序?
答:否,此修补程序仅适用于 ECS 版本 3.3.x - 3.6.x。创建服务请求以计划较早版本的升级。
问:如果在运行此过程后升级 ECS,是否在升级后重新运行该过程?
一个:否( 如果升级到 DSA-2021-273 中指定的具有永久修复的代码版本)。是, 如果升级到此相同 DSA 中未 指定的代码版本。
问:更换节点、重新映像或扩展后,是否需要在以前安装修补程序的系统上重新应用修补程序?
一个:否(如果 VDC 运行的是 DSA-2021-273 中指定的代码版本)。是( 如果对运行此相同 DSA 中 未 指定的代码版本的 VDC 执行任何这些作)。如果这些情形需要修补程序,则相关戴尔工程师会与您联系,告知您需要更新。
问:您应以什么用户身份登录才能运行此知识库文章中列出的所有命令?
一个:Admin
问:svc_patch是否必须在所有机架上运行,或者在 VDC 中有多个机架的情况下使用专用 MACHINES 文件运行?
一个:否,它会自动检测是否存在多个机架,并更新该 VDC 上所有机架上的所有节点。
问:我注意到目标 xDoctor 版本现在是 4.8-79.1,而不是 4.8-79.0。为什么?
答: xDoctor 版本频繁发布,因此我们始终建议升级到最高版本。但是,如果您之前使用 4.8-79.0 运行过 Apache 修复,则系统 受到全面保护 ,免受漏洞的影响,并且不必重新运行。
解决方案摘要:
- 将 ECS xDoctor 软件升级到版本 4.8.-79.1 或更高版本
- 运行预检查。
- 使用 xDoctor 附带的 svc_patch 工具应用系统修补程序。
- 确认修复已应用。
- 故障处理。
解决方案步骤:
1.将 ECS xDoctor 软件升级到可用的最新版本。
-
检查系统上运行的 xDoctor 版本。如果版本为 4.8-79.1 或更高版本,请转至步骤 2“运行预检查”。如果不是,请继续执行以下步骤。
命令:
# sudo xdoctor --version
示例:
admin@node1:~> sudo xdoctor --version 4.8-79.1
- 登录到 支持站点,直接连接到下载 链接,使用关键字搜索搜索 xDoctor,然后单击 xDoctor RPM 链接进行下载。要查看发行说明,请按照 发行说明进行作,从侧边栏中选择手册和文档(它们应该可从哪个位置下载)。
- 下载 RPM 后,使用任何远程 SCP 程序将文件上传到第一个 ECS 节点上的 /home/admin目录。
- 上传完成后,以管理员身份通过 SSH 登录到 ECS 系统的第一个节点。
-
使用新分发的版本在所有节点上升级 xDoctor。
命令:
# sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-79.1.noarch.rpm
示例:
admin@node1:~> sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-79.1.noarch.rpm 2021-12-20 12:06:11,358: xDoctor_4.8-78.2 - INFO : xDoctor Upgrader Instance (2:FTP_SFTP) 2021-12-20 12:06:11,358: xDoctor_4.8-78.2 - INFO : Local Upgrade (/home/admin/xDoctor4ECS-4.8-79.1.noarch.rpm) 2021-12-20 12:06:11,392: xDoctor_4.8-78.2 - INFO : Current Installed xDoctor version is 4.8-78.2 2021-12-20 12:06:11,429: xDoctor_4.8-78.2 - INFO : Requested package version is 4.8-79.1 2021-12-20 12:06:11,430: xDoctor_4.8-78.2 - INFO : Updating xDoctor RPM Package (RPM) 2021-12-20 12:06:11,482: xDoctor_4.8-78.2 - INFO : - Distribute package 2021-12-20 12:06:12,099: xDoctor_4.8-78.2 - INFO : - Install new rpm package 2021-12-20 12:06:37,829: xDoctor_4.8-78.2 - INFO : xDoctor successfully updated to version 4.8-79.1
-
如果环境是多机架 VDC,则必须在每个机架的第一个节点上安装新的 xDoctor 软件包。要确定这些机架主节点,请运行以下命令。在此实例中,突出显示了四个机架和四个机架主节点。
-
命令:
# svc_exec -m "ip address show private.4 |grep -w inet"
示例:
admin@ecsnode1~> svc_exec -m "ip address show private.4 |grep -w inet" svc_exec v1.0.2 (svc_tools v2.1.0) Started 2021-12-20 14:03:33 Output from node: r1n1 retval: 0 inet 169.254.1.1/16 brd 169.254.255.255 scope global private.4 Output from node: r2n1 retval: 0 inet 169.254.2.1/16 brd 169.254.255.255 scope global private.4 Output from node: r3n1 retval: 0 inet 169.254.3.1/16 brd 169.254.255.255 scope global private.4 Output from node: r4n1 retval: 0 inet 169.254.4.1/16 brd 169.254.255.255 scope global private.4 -
根据以下方面,将软件包从系统的第一个节点 (R1N1) 复制到其他机架主节点:
示例:
admin@ecsnode1~> scp xDoctor4ECS-4.8-79.1.noarch.rpm 169.254.2.1:/home/admin/ xDoctor4ECS-4.8-79.1.noarch.rpm 100% 32MB 31.9MB/s 00:00 admin@ecsnode1~> scp xDoctor4ECS-4.8-79.1.noarch.rpm 169.254.3.1:/home/admin/ xDoctor4ECS-4.8-79.1.noarch.rpm 100% 32MB 31.9MB/s 00:00 admin@ecsnode1~> scp xDoctor4ECS-4.8-79.1.noarch.rpm 169.254.4.1:/home/admin/ xDoctor4ECS-4.8-79.1.noarch.rpm 100% 32MB 31.9MB/s 00:00 admin@ecsnode1~>
-
按照上述步骤 e,在之前标识的上述每个机架主节点上运行相同的 xDoctor 安装命令。
命令:
# sudo xdoctor --upgrade --local=/home/admin/xDoctor4ECS-4.8-79.1.noarch.rpm
-
2.运行预检查。
-
使用 svc_dt 命令检查 DT 是否稳定。如果“Unready #”列显示 0,则 DT 是稳定的。如果是,请转至下一个检查。如果不是,请等待 15 分钟,然后再次检查。如果 DT 尚未稳定,请向 ECS 支持团队提出服务请求。
命令:
# svc_dt check -b
示例:
admin@node1:~> svc_dt check -b svc_dt v1.0.25 (svc_tools v2.0.2) Started 2021-12-16 16:44:51 Date Total DT Unknown # Unready # RIS Fail # Dump Fail # Check type Time since check Check successful 2021-12-16 16:43:44 2432 0 0 0 0 AutoCheck 1m 7s True 2021-12-16 16:42:33 2432 0 0 0 0 AutoCheck 2m 18s True 2021-12-16 16:41:23 2432 0 0 0 0 AutoCheck 3m 28s True 2021-12-16 16:40:13 2432 0 0 0 0 AutoCheck 4m 38s True 2021-12-16 16:39:02 2432 0 0 0 0 AutoCheck 5m 49s True 2021-12-16 16:37:52 2432 0 0 0 0 AutoCheck 6m 59s True 2021-12-16 16:36:42 2432 0 0 0 0 AutoCheck 8m 9s True 2021-12-16 16:35:31 2432 0 0 0 0 AutoCheck 9m 20s True 2021-12-16 16:34:21 2432 0 0 0 0 AutoCheck 10m 30s True 2021-12-16 16:33:11 2432 0 0 0 0 AutoCheck 11m 40s True
-
使用 svc_patch 命令验证所有节点是否均处于联机状态。如果是,请转至下一步。如果没有,请调查原因,使其恢复联机状态,然后再次运行检查。如果某个节点无法进入联机状态,请向 ECS 支持团队提出服务请求以进行调查。
命令:
# /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status
示例:
admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status svc_patch Version 2.9.1 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: [ None detected ] Patches that need to be installed: CVE-2021-44228_log4j-fix_3.3.x-3.6.2 (PatchID: 3298) Files that need to be installed: /opt/storageos/lib/log4j-core-2.5.jar (from CVE-2021-44228_log4j-fix_3.3.x-3.6.2) The following services need to be restarted: ALL
3.使用 xDoctor 附带的 svc_patch 工具应用系统修补程序。
-
运行svc_patch命令,在系统提示安装修补程序时键入“y”并按 Enter 键。该命令可以在任何 ECS 节点上运行。
命令:
# screen -S patchinstall
# unset TMOUT
# /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch install
示例:
提醒:下面的输出中会有继续作的提示。admin@node1:~> screen -S patchinstall admin@node1:~> unset TMOUT admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch install svc_patch Version 2.9.1 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: [ None detected ] Patches that will be installed: CVE-2021-44228_log4j-fix_3.3.x-3.6.2 (PatchID: 3298) Files that will be installed: /opt/storageos/lib/log4j-core-2.5.jar (from CVE-2021-44228_log4j-fix_3.3.x-3.6.2) The following services will be restarted: ALL Patch Type: Standalone Number of nodes: 8 Number of seconds to wait between restarting node services: 450 Check DT status between node service restarts: true Do you wish to continue (y/n)?y [...Truncated Output of each node Distributing files and restarting services...] Distributing files to node 1xx.xxx.xx.xx Distributing patch installer to node '1xx.xxx.xx.xx' Restarting services on 1xx.xxx.xx.xx Restarting all services Waiting 180 seconds for services to stabilize... [...Truncated Output of each node Distributing files and restarting services...] Stopping ViPR services..done Services status 3: stat georeceiver eventsvc blobsvc dataheadsvc blobsvc-perf blobsvc-fi resourcesvc resourcesvc-perf resourcesvc-fi rm cm ssm objcontrolsvc metering sr storageserver nvmeengine nvmetargetviewer dtquery dtsm vnest coordinatorsvc ecsportalsvc transformsvc Setting up SSL certificates ...done Starting ViPR services..done Waiting 300 seconds for services to stabilize...DONE Patching complete. admin@node1:~>
-
根据上述输出完成更新后,退出会话屏幕。
示例:
admin@node1:/> exit logout [screen is terminating] admin@node1:/>
提醒:如果您在执行过程中意外关闭了 PuTTY 会话,请通过重新登录到同一节点并运行以下命令来重新连接:命令:
# screen -ls
admin@node 1:~> screen -ls There is a screen on: 114475.pts-0.ecs-n3 (Detached) 1 Socket in /var/run/uscreens/S-admin.从以前的输出重新连接到已断开的会话。
admin@node1:~> screen -r 114475.pts-0.ecs-n3
4.确认修复已应用。
-
下面的输出来自已应用修复的系统。
命令:
# /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status
示例:
admin@node1:/> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status svc_patch Version 2.9.1 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: CVE-2021-44228_log4j-fix_3.3.x-3.6.2 (PatchID: 3298) Fixes for Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 Patches that need to be installed: No files need to be installed. The following services need to be restarted: No services need to be restarted. -
下面的输出来自尚未应用修复的系统。
示例:
admin@node1:/> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status svc_patch Version 2.9.1 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE Patches/releases currently installed: [ None detected ] Patches that need to be installed: CVE-2021-44228_log4j-fix_3.3.x-3.6.2 (PatchID: 3298) Files that need to be installed: /opt/storageos/lib/log4j-core-2.5.jar (from CVE-2021-44228_log4j-fix_3.3.x-3.6.2) The following services need to be restarted: ALL
故障处理:
-
DT 稳定用时太长
-
如果 DT 稳定所需的时间超过默认的 7.5 分钟,svc_patch应用程序会提示继续或停止修补过程。
示例:
admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch install [...Truncated Output of each node Distributing files and restarting services...] Restarting services on 1xx.xx.xx.xx Restarting all services Waiting 180 seconds for services to stabilize...DONE Waiting for DTs to come online ERROR: DT Check failed. DTs did not come ready or could not be checked after several passes. Do you wish to continue anyway (y/n)?
-
在另一个节点上打开 PuTTY 会话svc_dt然后运行命令以检查“Unready #”列中的 DT。如果没有“0”值,请等待 15 分钟,然后再次运行检查。当没有未就绪的 DT 时,返回到 svc_patch 的会话。回答“y”,然后继续。如果svc_dt继续在“Unready #”DTs 中列出值,请向 ECS 支持团队提出服务请求。
命令:
# svc_dt check -b
示例:
admin@node1:~> svc_dt check -b svc_dt v1.0.25 (svc_tools v2.0.2) Started 2021-12-15 17:18:52 Date Total DT Unknown # Unready # RIS Fail # Dump Fail # Check type Time since check Check successful 2021-12-15 17:17:54 1920 0 0 0 0 AutoCheck 0m 58s True 2021-12-15 17:16:44 1920 0 0 0 0 AutoCheck 2m 8s True 2021-12-15 17:16:10 1920 0 0 0 0 Manual Check 2m 42s True 2021-12-15 17:15:34 1920 0 0 0 0 AutoCheck 3m 18s True 2021-12-15 17:14:24 1920 0 0 0 0 AutoCheck 4m 28s True 2021-12-15 17:13:13 1920 0 0 0 0 AutoCheck 5m 39s True 2021-12-15 17:12:03 1920 0 0 0 0 AutoCheck 6m 49s True 2021-12-15 17:10:53 1920 0 0 0 0 AutoCheck 7m 59s True 2021-12-15 17:09:43 1920 0 0 0 0 AutoCheck 9m 9s True 2021-12-15 17:08:32 1920 0 0 0 0 AutoCheck 10m 20s True
-
-
由于未在屏幕中运行,并且 PuTTY 会话过早结束,因此不会在所有节点上重新启动所有服务。
示例:重新登录后,六个节点中有四个节点上的服务重新启动。请参阅下面突出显示的节点 5 和 6。
admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status svc_patch Version 2.9.1 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE All nodes currently do not have the same patches installed. Patches/releases currently installed: 169.254.1.1: CVE-2021-44228_45046_log4j-fix 169.254.1.2: CVE-2021-44228_45046_log4j-fix 169.254.1.3: CVE-2021-44228_45046_log4j-fix 169.254.1.4: CVE-2021-44228_45046_log4j-fix 169.254.1.5: CVE-2021-44228_45046_log4j-fix 169.254.1.6: CVE-2021-44228_45046_log4j-fix Patches that need to be installed: 169.254.1.1: <None> 169.254.1.2: <None> 169.254.1.3: <None> 169.254.1.4: <None> 169.254.1.5: <None> 169.254.1.6: <None> Files that need to be installed: 169.254.1.1: <None> 169.254.1.2: <None> 169.254.1.3: <None> 169.254.1.4: <None> 169.254.1.5: <None> 169.254.1.6: <None> Services that need to be restarted: 169.254.1.1: <None> 169.254.1.2: <None> 169.254.1.3: <None> 169.254.1.4: <None> 169.254.1.5: ALL 169.254.1.6: ALL admin@ecsnode1:~>解决方案:
再次运行该过程,最初遗漏的其余节点将重新启动其服务。服务已重新启动的原始节点未受影响。admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch install svc_patch Version 2.9.1 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online DONE Checking Installed Patches and Dependencies DONE All nodes currently do not have the same patches installed. Patches/releases currently installed: 169.254.1.1: CVE-2021-44228_45046_log4j-fix 169.254.1.2: CVE-2021-44228_45046_log4j-fix 169.254.1.3: CVE-2021-44228_45046_log4j-fix 169.254.1.4: CVE-2021-44228_45046_log4j-fix 169.254.1.5: CVE-2021-44228_45046_log4j-fix 169.254.1.6: CVE-2021-44228_45046_log4j-fix Patches that will be installed: 169.254.1.1: <None> 169.254.1.2: <None> 169.254.1.3: <None> 169.254.1.4: <None> 169.254.1.5: <None> 169.254.1.6: <None> Files that will be installed: 169.254.1.1: <None> 169.254.1.2: <None> 169.254.1.3: <None> 169.254.1.4: <None> 169.254.1.5: <None> 169.254.1.6: <None> Services that will be restarted: 169.254.1.1: <None> 169.254.1.2: <None> 169.254.1.3: <None> 169.254.1.4: <None> 169.254.1.5: ALL 169.254.1.6: ALL Patch Type: Standalone Number of nodes: 8 Number of seconds to wait between restarting node services: 450 Check DT status between node service restarts: true Do you wish to continue (y/n)?y No files to install on 169.254.1.1 Distributing patch installer to node '169.254.1.1' No files to install on 169.254.1.2 Distributing patch installer to node '169.254.1.2' No files to install on 169.254.1.3 Distributing patch installer to node '169.254.1.3' No files to install on 169.254.1.4 Distributing patch installer to node '169.254.1.4' No files to install on 169.254.1.5 Distributing patch installer to node '169.254.1.5' No files to install on 169.254.1.6 Distributing patch installer to node '169.254.1.6' No services to restart on 169.254.1.1 No services to restart on 169.254.1.2 No services to restart on 169.254.1.3 No services to restart on 169.254.1.4 Restarting services on 169.254.1.5 Restarting all services Waiting 450 seconds for services to stabilize...DONE Waiting for DTs to come online Restarting services on 169.254.1.6 Restarting all services Waiting 450 seconds for services to stabilize...DONE Waiting for DTs to come online Patching complete. admin@ecsnode1:~> -
应用修补程序时无法将主机添加到已知主机列表。
示例:
svc_patch Version 2.9.1 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online FAILED ERROR: Could not execute commands on the object-main container on 169.254.x.x Output was 'Failed to add the host to the list of known hosts (/home/admin/.ssh/known_hosts). :patchtest:' Patching is unable to continue with unreachable nodes. To proceed: - Resolve problems accessing node(s) from this one. - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended). - Contact your next level of support for other options or assistance.
解决方案:
原因可能是文件 /home/admin/.ssh/known_hosts 的用户是 root,默认情况下应该是 admin。示例:
admin@node1:~> ls -l /home/admin/.ssh/known_hosts -rw------- 1 root root 1802 Jul 23 2019 /home/admin/.ssh/known_hosts admin@ecs:~>
要解决另一个 PuTTY 会话中的问题,请登录到报告的一个或多个节点,并在所有报告的节点上使用以下命令,将其作为 root 用户出现的节点上的用户更改为管理员:
命令:
# sudo chown admin:users /home/admin/.ssh/known_hosts
示例:
admin@node1:~> sudo chown admin:users /home/admin/.ssh/known_hosts
现在再次重新运行 svc_patch 命令,它应该会通过。
admin@node1:~> /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch install
-
由于 /home/admin/.ssh/known_hosts 中的主机密钥不正确,无法在 169.254.x.x 上的 object-main 容器上运行命令。
示例:
svc_patch Version 2.9.1 Verifying patch bundle consistency DONE Detecting nodes in current VDC DONE Reading in patch details (1 of 2) DONE Reading in patch details (2 of 2) DONE Validating nodes are online FAILED ERROR: Could not execute commands on the object-main container on 169.254.x.x Output was '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:RcwOsFj7zPA5p5kSeYovF4UlZTm125nLVeCL1zCqOzc. Please contact your system administrator. Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /home/admin/.ssh/known_hosts:14 You can use following command to remove the offending key: ssh-keygen -R 169.254.x.x -f /home/admin/.ssh/known_hosts Password authentication is disabled to avoid man-in-the-middle attacks. Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks. :patchtest:' Patching is unable to continue with unreachable nodes. To proceed: - Resolve problems accessing node(s) from this one. - Manually pass a MACHINES file containing the list of working nodes to patch (not recommended). - Contact your next level of support for other options or assistance.
解决方案:
联系 ECS 支持人员以获得解决方案。 -
使用 xDoctor 版本 4.8-85.0 版本应用此修补程序时,您可能会收到一条警报,概述 md5sum 与 svc_base.py 不匹配:
# /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/svc_patch status svc_patch Version 2.9.1 Verifying patch bundle consistency FAILED Patch bundle onsistency check failed - md5sums for one or more files in the patch bundle were invalid, or files were not found. svc_patch will attempt to validate files in the patch using MD5SUMS.bundle, which is bundled with the patch. Output from md5sum was: ./lib/libs/svc_base.py: FAILED md5sum: WARNING: 1 computed checksum did NOT match
解决方案:
在应用修补程序以更新 md5sum 之前,运行以下命令:# sudo sed -i '/svc_base.py/d' /opt/emc/xdoctor/patches/CVE-2021-44228_45046_log4j-fix/MD5SUMS.bundle # sudo sed -i '/MD5SUMS.bundle/d' /opt/emc/xdoctor/.xdr_chksum
Affected Products
Elastic Cloud StorageProducts
ECS, ECS ApplianceArticle Properties
Article Number: 000194467
Article Type: Solution
Last Modified: 02 Dec 2025
Version: 28
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.