
【Data Security】Upgrading JumpServer in 5 Minutes

Original post by virvle, 2024-07-19

Reason for the upgrade: the Ansible Playbook feature in JumpServer's Job Management (作业管理) contains high-severity security vulnerabilities:
(1) an arbitrary file read vulnerability, CVE-2024-40628;
(2) an arbitrary file write vulnerability leading to remote code execution, CVE-2024-40629 and CVE-2024-29201.

Vulnerability notices:

https://avd.aliyun.com/detail/CVE-2024-29201?spm=0.2020520154.sas.57.3082XIkWXIkWX2&lang=zh
https://mp.weixin.qq.com/s/L92qwZKwCngYeBB-f3HE5w

Affected versions:

JumpServer v3.0.0 through v3.10.11, and versions >= v4.0.0

Remediation:

■ Permanent fix: upgrade JumpServer to the safe version referred to above.
■ Temporary mitigation: disable the Job Center feature. To do so:
Log in to the JumpServer bastion host as an administrator, go to 【系统设置】 → 【功能设置】 → 【任务中心】 (System Settings → Feature Settings → Task Center), and switch the Job Center feature off on that page.

Because our current version was fairly old, we chose to upgrade to the latest stable release. The method below applies to V3 installations; it does not apply to V2, which underwent major structural changes.

PS: production must not be taken lightly. The server was backed up before the installation (the upgrade itself also backs up the configuration and the database; see the upgrade log).

1. Download and extract the installer package

cd /opt
wget https://resource.fit2cloud.com/jumpserver/installer/releases/download/v3.10.12/jumpserver-installer-v3.10.12.tar.gz

tar xvf jumpserver-installer-v3.10.12.tar.gz

2. Run the upgrade

PS: never run the upgrade over a connection that goes through the bastion host itself; otherwise your session is cut when the upgrade removes the containers and you have to start over.

cd /opt/jumpserver-installer-v3.10.12
./jmsctl.sh upgrade

3. Upgrade log and interactive prompts

[root@jumper jumpserver-installer-v3.10.12]# ./jmsctl.sh upgrade
是否将版本更新至 v3.10.12 ? (y/n)  (默认为 y): y

1. 检查配置文件
配置文件位置: /opt/jumpserver/config
/opt/jumpserver/config/config.txt        [ √ ]
/opt/jumpserver/config/mariadb/mariadb.cnf       [ √ ]
/opt/jumpserver/config/mysql/my.cnf      [ √ ]
/opt/jumpserver/config/nginx/lb_http_server.conf         [ √ ]
/opt/jumpserver/config/redis/redis.conf          [ √ ]
/opt/jumpserver/config/nginx/cert/server.crt     [ √ ]
/opt/jumpserver/config/nginx/cert/server.key     [ √ ]
完成

2. 加载 Docker 镜像
[jumpserver/redis:6.2] exist, pass
[jumpserver/core-ce:v3.10.12] pulling
[jumpserver/kael:v3.10.12] pulling
[jumpserver/koko:v3.10.12] pulling
[jumpserver/chen:v3.10.12] pulling
[jumpserver/magnus:v3.10.12] pulling
[jumpserver/web:v3.10.12] pulling
[jumpserver/mariadb:10.6] exist, pass
[jumpserver/lion:v3.10.12] pulling
v3.10.12: Pulling from jumpserver/koko
76956b537f14: Pulling fs layer
6c99e3eb726c: Pulling fs layer
b69cf28de82b: Pulling fs layer
f58e568dac9d: Waiting
731d59caf1a0: Waiting
c346f65c3432: Waiting
21de7c5513dd: Waiting
c3d17e6265a8: Waiting
7ee6e7f6e913: Waiting
v3.10.12: Pulling from jumpserver/lion
0e0969fcaa82: Already exists
v3.10.12: Pulling from jumpserver/core-ce
76956b537f14: Pulling fs layer
8c100e54bf68: Waiting
7dabe7781910: Waiting
5aaf9b229242: Waiting
5104a32e73cb: Waiting
11b168802d0a: Waiting
6ec1cc84d44d: Waiting
07613103db90: Waiting
58a0effb8abc: Waiting
060f00525a16: Waiting
4f4fb700ef54: Waiting
v3.10.12: Pulling from jumpserver/kael
76956b537f14: Pulling fs layer
d6c7c8636f5f: Waiting
4f4fb700ef54: Waiting
b92d87d75165: Waiting
74defcbd5157: Waiting
17f3f02c0387: Waiting
445bfd18c4ee: Waiting
78370deee918: Waiting
v3.10.12: Pulling from jumpserver/web
8b960b89f5d6: Already exists
04e7578caeaa: Already exists
v3.10.12: Pulling from jumpserver/chen
0e0969fcaa82: Already exists
v3.10.12: Pulling from jumpserver/magnus
76956b537f14: Pulling fs layer
3caa23843c2f: Waiting
4f4fb700ef54: Waiting
878cfba6a911: Waiting
2cde2889d7ee: Waiting
22ea1733ae7a: Waiting
0a8d6c5907a0: Waiting
bd6da1b78c45: Waiting
40ae1d0b369c: Already exists
57a1056ea484: Already exists
f41a5d4a27f7: Already exists
f04e7ca99bec: Already exists
6989106bacf0: Already exists
9f4bf47e6a4b: Already exists
4b8d9d9e38a6: Already exists
c00d1142b331: Already exists
Extracting [========================================>          ]  25.56MB/31.42MB5.56MB/31.42MB
Extracting [===============================================>   ]  30.15MB/31.42MB====================>   ]  30.15MB/31.42MB
62a8d6af2615: Waiting
76956b537f14: Extracting [================================================>  ]  30.47MB/31.42MB
959b8469dbe2: Waiting
49f504afaedb: Waiting
0b965d456b24: Waiting
96999f85f516: Waiting
Pull complete 76956b537f14: Pull complete
Extracting [===============================================>   ]  29.82MB/31.42MB======>   ]  29.82MB/31.42MB
acb2cebd3212: Waiting

Pull complete 76956b537f14: Pull complete
6dd4b4a76121: Waiting
4448a7536881: Waiting
cb49393af980: Already exists
5ac1ebd8aebe: Already exists
76956b537f14: Extracting [==================================================>]  31.42MB/31.42MB
8c100e54bf68: Pull complete
7dabe7781910: Pull complete
6c99e3eb726c: Pull complete
b69cf28de82b: Pull complete
11b168802d0a: Downloading [================================================>  ]  119.4MB/123.7MB
731d59caf1a0: Pull complete
07613103db90: Downloading [==================>                                ]     64MB/175.1MB
11b168802d0a: Downloading [================================================>  ]  120.5MB/123.7MB
df083590b3e1: Extracting [============================>                      ]  4.817MB/8.342MB
d6c7c8636f5f: Extracting [===============================================>   ]  42.66MB/45.1MB
4f4fb700ef54: Pull complete
df083590b3e1: Extracting [=====================================>             ]  6.291MB/8.342MB
07613103db90: Extracting [=======>                                           ]  25.62MB/175.1MB
22ea1733ae7a: Pull complete
df083590b3e1: Pull complete
4f4fb700ef54: Pull complete
62a8d6af2615: Pull complete
bc7ecb1b7fbd: Extracting [==========================>                        ]  10.42MB/19.32MB
4f4fb700ef54: Download complete
6a745e25eaac: Downloading [=>                                                 ]  40.89MB/1.26GB
bc7ecb1b7fbd: Extracting [=============================>                     ]   11.4MB/19.32MB
129cae4a72b1: Extracting [===========================>                       ]  10.22MB/18.46MB
6a745e25eaac: Downloading [=>                                                 ]   49.5MB/1.26GB
bc7ecb1b7fbd: Pull complete
4f4fb700ef54: Pull complete
6a745e25eaac: Downloading [====>    
da72dbc5823c: Download complete
129cae4a72b1: Pull complete
7594e0700de5: Pull complete
acb2cebd3212: Pull complete
9f025fa7c356: Pull complete
6a745e25eaac: Pull complete
d8a1c4f41c20: Pull complete
1f9e492d0608: Pull complete
475b59140f20: Pull complete
da72dbc5823c: Pull complete
5a7aad107a2f: Pull complete
5e8559415195: Pull complete
5061f24b0c21: Pull complete
c655274ee27d: Pull complete
Digest: sha256:d0e8c33294d7ec6d0d78b89a0e7b6277a7f7fe64793db5661f8274808fb29cdf
Status: Downloaded newer image for swr.cn-north-1.myhuaweicloud.com/jumpserver/web:v3.10.12
swr.cn-north-1.myhuaweicloud.com/jumpserver/web:v3.10.12
Untagged: swr.cn-north-1.myhuaweicloud.com/jumpserver/web:v3.10.12
Untagged: swr.cn-north-1.myhuaweicloud.com/jumpserver/web@sha256:d0e8c33294d7ec6d0d78b89a0e7b6277a7f7fe64793db5661f8274808fb29cdf

完成

3. 备份数据库
正在备份...
[SUCCESS] 备份成功! 备份文件已存放至: /data/jumpserver/db_backup/jumpserver-v3.10.11-2024-07-19_14:36:43.sql

4. 备份配置文件
备份至 /data/jumpserver/db_backup/config-v3.10.11-2024-07-19_14:36:48.conf

5. 进行数据库变更
表结构变更可能需要一段时间, 请耐心等待
检测到 JumpServer 正在运行, 是否需要关闭并继续升级? (y/n)  (默认为 y): y

[+] Running 11/10
 ✔ Container jms_lion    Removed                                                                                                                                                                                                        10.4s
 ✔ Container jms_chen    Removed                                                                                                                                                                                                        10.3s
 ✔ Container jms_celery  Removed                                                                                                                                                                                                         3.8s
 ✔ Container jms_mysql   Removed                                                                                                                                                                                                         2.7s
 ✔ Container jms_kael    Removed                                                                                                                                                                                                        10.3s
 ✔ Container jms_redis   Removed                                                                                                                                                                                                         0.3s
 ✔ Container jms_koko    Removed                                                                                                                                                                                                        10.4s
 ✔ Container jms_magnus  Removed                                                                                                                                                                                                        10.4s
 ✔ Container jms_core    Removed                                                                                                                                                                                                         3.8s
 ✔ Container jms_web     Removed                                                                                                                                                                                                        10.4s
 ✔ Network jms_net       Removed                                                                                                                                                                                                         0.0s

[+] Running 4/4
 ✔ Network jms_net      Created                                                                                                                                                                                                          0.0s
 ✔ Container jms_core   Started                                                                                                                                                                                                          0.4s
 ✔ Container jms_mysql  Started                                                                                                                                                                                                          0.3s
 ✔ Container jms_redis  Started                                                                                                                                                                                                          0.4s
2024-07-19 14:37:38 Collect static files
ALLOWED_HOSTS:
  - jumper.daanlab.com
  - 10.10.10.1:8081
  - core:8080
  - 127.0.0.1
  - 127.0.0.1:8080
  - 127.0.0.1:80
  - localhost:8080
  - localhost:80
  - core:8080
  - core:80
ALLOWED_HOSTS:
  - jumper.daanlab.com
  - 10.10.10.1:8081
  - core:8080
  - 127.0.0.1
  - 127.0.0.1:8080
  - 127.0.0.1:80
  - localhost:8080
  - localhost:80
  - core:8080
  - core:80
2024-07-19 14:37:38 Collect static files done
2024-07-19 14:37:38 Check database structure change ...
2024-07-19 14:37:38 Migrate model change to database ...
Operations to perform:
  Apply all migrations: accounts, acls, admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, labels, notifications, ops, orgs, perms, rbac, sessions, settings, terminal, tickets, users
Running migrations:
  No migrations to apply.
  Your models in app(s): 'authentication' have changes that are not yet reflected in a migration, and so won't be applied.
  Run 'manage.py makemigrations' to make new migrations, and then re-run 'manage.py migrate' to apply them.

After migration, update builtin role permissions
  - Update builtin roles

6. 清理镜像
是否需要清理旧版本镜像文件? (y/n)  (默认为 y): n

7. 升级 Docker

8. 升级成功, 可以重新启动程序了
cd /opt/jumpserver-installer-v3.10.12
./jmsctl.sh start

Start JumpServer

[root@jumper jumpserver-installer-v3.10.12]# ./jmsctl.sh start
[+] Running 10/10
 ✔ Container jms_celery  Started                                                                                                                                                                                                         0.9s
 ✔ Container jms_koko    Started                                                                                                                                                                                                         0.8s
 ✔ Container jms_core    Started                                                                                                                                                                                                         1.0s
 ✔ Container jms_mysql   Running                                                                                                                                                                                                         0.0s
 ✔ Container jms_lion    Started                                                                                                                                                                                                         1.0s
 ✔ Container jms_chen    Started                                                                                                                                                                                                         1.0s
 ✔ Container jms_magnus  Started                                                                                                                                                                                                         0.9s
 ✔ Container jms_web     Started                                                                                                                                                                                                         1.0s
 ✔ Container jms_kael    Started                                                                                                                                                                                                         0.9s
 ✔ Container jms_redis   Running 

4. Check the JumpServer status

./jmsctl.sh status

5. Clean up the old images

Because the old images were not cleaned up during the upgrade, we remove them manually here.

5.1 List the images

docker images

REPOSITORY           TAG        IMAGE ID       CREATED         SIZE
jumpserver/web       v3.10.12   a3618f7df73a   8 days ago      1.53GB
jumpserver/lion      v3.10.12   99144e13bfdc   8 days ago      261MB
jumpserver/chen      v3.10.12   c0795bb49a94   8 days ago      581MB
jumpserver/koko      v3.10.12   71c561407a07   8 days ago      1.15GB
jumpserver/kael      v3.10.12   1d3c43cdcc1e   8 days ago      275MB
jumpserver/magnus    v3.10.12   6730497940d4   8 days ago      154MB
jumpserver/core-ce   v3.10.12   c92cbcbfd0dc   8 days ago      1.65GB
jumpserver/web       v3.10.1    400cda4b11bd   6 months ago    1.52GB
jumpserver/core-ce   v3.10.1    1e0803340274   6 months ago    1.55GB
jumpserver/lion      v3.10.1    4f23f5b0dfe2   6 months ago    255MB
jumpserver/chen      v3.10.1    f4d31e2bad6e   6 months ago    572MB
jumpserver/koko      v3.10.1    4a40c420fc52   6 months ago    1.06GB
jumpserver/kael      v3.10.1    452079bbb5d8   6 months ago    269MB
jumpserver/magnus    v3.10.1    d5edaa402b2e   6 months ago    147MB
jumpserver/mariadb   10.6       aac2cf878de9   19 months ago   405MB
jumpserver/redis     6.2        48da0c367062   20 months ago   113MB

5.2 Manually remove the images whose TAG is the old version number (v3.10.1)

docker rmi 400cda4b11bd 1e0803340274 4f23f5b0dfe2 f4d31e2bad6e 4a40c420fc52 452079bbb5d8 d5edaa402b2e
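Two of the decisions in this post are easy to get wrong by hand: deciding whether an installed version falls inside the affected range listed under "Affected versions", and picking which image IDs to pass to `docker rmi` in step 5.2. The following POSIX sh helpers are an added example, not code from the original post or from the JumpServer project. The function names, the `SAMPLE_IMAGES` variable and its contents (transcribed from the `docker images` table above) are this example's own; the affected range is taken verbatim from the post, and the image filter keeps the shared `jumpserver/mariadb` and `jumpserver/redis` images, which the upgrade log shows are still in use.

```shell
#!/bin/sh
# Added example (not from the original post or the JumpServer project):
# two helpers for the decisions made in the post, written in plain POSIX sh.
#   is_affected_version  - is a JumpServer version inside the range the post
#                          lists as vulnerable (v3.0.0 - v3.10.11, or >= v4.0.0)?
#   old_image_ids        - pick the jumpserver/* image IDs whose release tag is
#                          not the one just installed, instead of copying IDs by hand.
# All function and variable names are this example's own choices.

# Succeed (exit status 0) when dotted numeric version $1 <= $2, comparing
# field by field so that 3.10.11 sorts before 3.10.12 and after 3.9.0.
ver_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    return 0
}

# Affected range exactly as stated in the post. A leading v/V is stripped.
is_affected_version() {
    v=${1#v}; v=${v#V}
    if ver_le 3.0.0 "$v" && ver_le "$v" 3.10.11; then
        return 0
    fi
    if ver_le 4.0.0 "$v"; then
        return 0
    fi
    return 1
}

# Read "REPOSITORY TAG ID" lines on stdin, as produced by
#   docker images --format '{{.Repository}} {{.Tag}} {{.ID}}'
# and print the IDs of jumpserver/* images whose tag is a JumpServer release
# tag (v...) other than $1, the version just installed. Shared images such as
# jumpserver/mariadb:10.6 and jumpserver/redis:6.2 are still in use and are skipped.
old_image_ids() {
    keep=$1
    while read -r repo tag id; do
        case $repo in jumpserver/*) ;; *) continue ;; esac
        case $tag in v*) ;; *) continue ;; esac
        [ "$tag" = "$keep" ] && continue
        printf '%s\n' "$id"
    done
}

# Constructed sample input, transcribed from the `docker images` table in the post.
SAMPLE_IMAGES='jumpserver/web v3.10.12 a3618f7df73a
jumpserver/lion v3.10.12 99144e13bfdc
jumpserver/chen v3.10.12 c0795bb49a94
jumpserver/koko v3.10.12 71c561407a07
jumpserver/kael v3.10.12 1d3c43cdcc1e
jumpserver/magnus v3.10.12 6730497940d4
jumpserver/core-ce v3.10.12 c92cbcbfd0dc
jumpserver/web v3.10.1 400cda4b11bd
jumpserver/core-ce v3.10.1 1e0803340274
jumpserver/lion v3.10.1 4f23f5b0dfe2
jumpserver/chen v3.10.1 f4d31e2bad6e
jumpserver/koko v3.10.1 4a40c420fc52
jumpserver/kael v3.10.1 452079bbb5d8
jumpserver/magnus v3.10.1 d5edaa402b2e
jumpserver/mariadb 10.6 aac2cf878de9
jumpserver/redis 6.2 48da0c367062'

# Dry run on the sample. On a live host the same pipeline would be:
#   docker images --format '{{.Repository}} {{.Tag}} {{.ID}}' | old_image_ids v3.10.12 | xargs docker rmi
for ver in v3.10.11 v3.10.12 v4.0.0; do
    if is_affected_version "$ver"; then
        echo "$ver: affected, upgrade needed"
    else
        echo "$ver: not in the affected range"
    fi
done
echo "Images that would be removed:"
printf '%s\n' "$SAMPLE_IMAGES" | old_image_ids v3.10.12
```

Run the dry run first and compare its output with the `docker images` table before piping the IDs into `docker rmi`; the filter deliberately only touches `jumpserver/*` images with a `v...` release tag, so the database and Redis images that the upgrade reported as `exist, pass` are never selected.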