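On December 10, 2021, Oracle released Security Alert CVE-2021-44228 in response to the disclosure of a new vulnerability affecting Apache Log4j versions prior to 2.15.
Per the My Oracle Support (MOS) recommendation, Patch 30166242 needs to be downloaded.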


[root@dbsrv1 opt]# find ./ -name log4j*
./oracle.ahf/common/jlib/log4j-core-2.13.3.jar
./oracle.ahf/common/jlib/log4j-api-2.13.3.jar
After patching, the log4j version in AHF is 2.17.0:
[root@odbsrv1 opt]# find ./ -name log4j*
./oracle.ahf/common/jlib/log4j-core-2.17.0.jar
./oracle.ahf/common/jlib/log4j-api-2.17.0.jar
[root@dbsrv1 opt]#
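1. Download Patch 30166242, verify it, and then upload it to the server. If your organization has security requirements, first virus-scan and register the patch media to make sure the patch will not affect the security of the information system.
2. Apply the patch. Applying this patch is in fact an upgrade of AHF. Perform the upgrade as the root user.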
[root@dbsrv1 AHF]# ./ahf_setup
AHF Installer for Platform Linux Architecture x86_64
AHF Installation Log : /tmp/ahf_install_214000_14448_2021_12_30-13_27_08.log
Starting Autonomous Health Framework (AHF) Installation
AHF Version: 21.4.0 Build Date: 202112200745
AHF is already installed at /opt/oracle.ahf
Installed AHF Version: 21.2.4 Build Date: 202109222135
Do you want to upgrade AHF [Y]|N : Y
AHF will also be installed/upgraded on these Cluster Nodes :
1. dbsrv2
The AHF Location and AHF Data Directory must exist on the above nodes
AHF Location : /opt/oracle.ahf
AHF Data Directory : /u01/app/grid/oracle.ahf/data
Do you want to install/upgrade AHF on Cluster Nodes ? [Y]|N : Y
Upgrading /opt/oracle.ahf
Shutting down AHF Services
Stopped OSWatcher
Nothing to do !
Shutting down TFA
Removed symlink /etc/systemd/system/multi-user.target.wants/oracle-tfa.service.
Removed symlink /etc/systemd/system/graphical.target.wants/oracle-tfa.service.
Successfully shutdown TFA..
Starting AHF Services
Starting TFA..
Created symlink from /etc/systemd/system/multi-user.target.wants/oracle-tfa.service to /etc/systemd/system/oracle-tfa.service.
Created symlink from /etc/systemd/system/graphical.target.wants/oracle-tfa.service to /etc/systemd/system/oracle-tfa.service.
Waiting up to 100 seconds for TFA to be started..
. . . . .
Successfully started TFA Process..
. . . . .
TFA Started and listening for commands
No new directories were added to TFA
Directory /u01/app/grid/crsdata/dbsrv1/trace/chad was already added to TFA Directories.
INFO: Starting orachk scheduler in background. Details for the process can be found at /u01/app/grid/oracle.ahf/data/dbsrv1/diag/orachk/compliance_start_301221_132959.log
AHF upgrade completed on dbsrv1
The AHF upgrade on node 1 succeeded. Continue with the upgrade of node 2.
Upgrading AHF on Remote Nodes :
AHF will be installed on dbsrv2, Please wait.
AHF will prompt twice to install/upgrade per Remote Node. So total 2 prompts
Do you want to continue Y|[N] : Y
AHF will continue with Upgrading on remote nodes
Upgrading AHF on dbsrv2 :
[dbsrv2] Copying AHF Installer
Enter the root password for node 2:
root@dbsrv2's password:
[dbsrv2] Running AHF Installer
root@dbsrv2's password:
Do you want AHF to store your My Oracle Support Credentials for Automatic Upload ? Y|[N] :N
AHF is successfully upgraded to latest version
.--------------------------------------------------------------.
| Host | TFA Version | TFA Build ID | Upgrade Status |
+--------+-------------+----------------------+----------------+
| dbsrv1 | 21.4.0.0.0 | 21400020211220074549 | UPGRADED |
| dbsrv2 | 21.4.0.0.0 | 21400020211220074549 | UPGRADED |
'--------+-------------+----------------------+----------------'
Moving /tmp/ahf_install_214000_14448_2021_12_30-13_27_08.log to /u01/app/grid/oracle.ahf/data/dbsrv1/diag/ahf/
3. Verify that the patch was applied
Check the tfa status:
[root@dbsrv1 data]# tfactl
tfactl> toolstatus
Running command tfactltoolstatus on dbsrv2 ...
.------------------------------------------------------------------.
| TOOLS STATUS - HOST : dbsrv2 |
+----------------------+--------------+--------------+-------------+
| Tool Type | Tool | Version | Status |
+----------------------+--------------+--------------+-------------+
| AHF Utilities | alertsummary | 21.4.0 | DEPLOYED |
| | calog | 21.4.0 | DEPLOYED |
| | dbglevel | 21.4.0 | DEPLOYED |
| | grep | 21.4.0 | DEPLOYED |
| | history | 21.4.0 | DEPLOYED |
| | ls | 21.4.0 | DEPLOYED |
| | managelogs | 21.4.0 | DEPLOYED |
| | menu | 21.4.0 | DEPLOYED |
| | orachk | 21.4.0 | DEPLOYED |
| | param | 21.4.0 | DEPLOYED |
| | ps | 21.4.0 | DEPLOYED |
| | pstack | 21.4.0 | DEPLOYED |
| | summary | 21.4.0 | DEPLOYED |
| | tail | 21.4.0 | DEPLOYED |
| | triage | 21.4.0 | DEPLOYED |
| | vi | 21.4.0 | DEPLOYED |
+----------------------+--------------+--------------+-------------+
| Development Tools | oratop | 14.1.2 | DEPLOYED |
+----------------------+--------------+--------------+-------------+
| Support Tools Bundle | darda | 2.10.0.R6036 | DEPLOYED |
| | oswbb | 8.3.2 | RUNNING |
| | prw | 12.1.13.11.4 | NOT RUNNING |
'----------------------+--------------+--------------+-------------'
Note :-
DEPLOYED : Installed and Available - To be configured or run interactively.
NOT RUNNING : Configured and Available - Currently turned off interactively.
RUNNING : Configured and Available.
.------------------------------------------------------------------.
| TOOLS STATUS - HOST : dbsrv1 |
+----------------------+--------------+--------------+-------------+
| Tool Type | Tool | Version | Status |
+----------------------+--------------+--------------+-------------+
| AHF Utilities | alertsummary | 21.4.0 | DEPLOYED |
| | calog | 21.4.0 | DEPLOYED |
| | dbglevel | 21.4.0 | DEPLOYED |
| | grep | 21.4.0 | DEPLOYED |
| | history | 21.4.0 | DEPLOYED |
| | ls | 21.4.0 | DEPLOYED |
| | managelogs | 21.4.0 | DEPLOYED |
| | menu | 21.4.0 | DEPLOYED |
| | orachk | 21.4.0 | DEPLOYED |
| | param | 21.4.0 | DEPLOYED |
| | ps | 21.4.0 | DEPLOYED |
| | pstack | 21.4.0 | DEPLOYED |
| | summary | 21.4.0 | DEPLOYED |
| | tail | 21.4.0 | DEPLOYED |
| | triage | 21.4.0 | DEPLOYED |
| | vi | 21.4.0 | DEPLOYED |
+----------------------+--------------+--------------+-------------+
| Development Tools | oratop | 14.1.2 | DEPLOYED |
+----------------------+--------------+--------------+-------------+
| Support Tools Bundle | darda | 2.10.0.R6036 | DEPLOYED |
| | oswbb | 8.3.2 | RUNNING |
| | prw | 12.1.13.11.4 | NOT RUNNING |
'----------------------+--------------+--------------+-------------'
Note :-
DEPLOYED : Installed and Available - To be configured or run interactively.
NOT RUNNING : Configured and Available - Currently turned off interactively.
RUNNING : Configured and Available.
tfactl>
Check the oracle-tfa.service service:
[root@dbsrv1 data]# systemctl status oracle-tfa.service
● oracle-tfa.service - Oracle Trace File Analyzer
Loaded: loaded (/etc/systemd/system/oracle-tfa.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2021-12-30 13:29:41 CST; 6min ago
Main PID: 24071 (init.tfa)
CGroup: /system.slice/oracle-tfa.service
├─24071 /bin/sh /etc/init.d/init.tfa run >/dev/null 2>&1 </dev/null
├─24473 /opt/oracle.ahf/jre/bin/java -server -Xms256m -Xmx512m -Djava.awt.headless=true -Ddisable.checkForUpdate=true -XX:HeapDumpPath=/u01/app/grid/oracle....
├─24607 /opt/oracle.ahf/jre/bin/java -server -Xms64m -Xmx128m -XX:HeapDumpPath=/u01/app/grid/oracle.ahf/data/dbsrv1/diag/tfa -DtfaHome=/opt/oracle.ahf/tfa -...
└─51353 /bin/sleep 30
Dec 30 13:34:51 dbsrv1 su[45004]: (to oracle) root on none
Dec 30 13:34:51 dbsrv1 su[45014]: (to oracle) root on none
Dec 30 13:34:51 dbsrv1 su[45023]: (to oracle) root on none
Dec 30 13:34:52 dbsrv1 su[45242]: (to grid) root on none
Dec 30 13:34:52 dbsrv1 su[45251]: (to grid) root on none
Dec 30 13:34:52 dbsrv1 su[45259]: (to oracle) root on none
Dec 30 13:34:52 dbsrv1 su[45266]: (to oracle) root on none
Dec 30 13:34:53 dbsrv1 su[45275]: (to oracle) root on none
Dec 30 13:34:54 dbsrv1 su[45660]: (to grid) root on none
Dec 30 13:34:55 dbsrv1 su[45813]: (to oracle) root on none
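The jar check shown at the top of this post can be scripted so that it is repeated on every cluster node after the upgrade. The following is an added example, not part of the original post or of Oracle's tooling; the function names `version_lt` and `scan_log4j` and the default minimum version 2.17.0 (the version this post reports after patching) are assumptions, and the version is read from the jar file name only.

```shell
#!/bin/sh
# Added example: flag log4j-core jars older than a minimum version.
# Assumption: jars follow the log4j-core-<version>.jar naming seen in the
# find output on this page; the version is taken from the file name only.

# version_lt A B: succeed when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# scan_log4j DIR [MIN]: print "OK|OLD <version> <path>" for every log4j-core
# jar under DIR; exit status 1 if any is older than MIN (default 2.17.0, the
# version the page reports after the AHF upgrade). The subshell body keeps
# the variables local.
scan_log4j() (
    dir=$1 min=${2:-2.17.0} rc=0
    jars=$(find "$dir" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort)
    [ -n "$jars" ] || exit 0
    while IFS= read -r jar; do
        ver=${jar##*/log4j-core-}
        ver=${ver%.jar}
        if version_lt "$ver" "$min"; then
            echo "OLD $ver $jar"; rc=1
        else
            echo "OK $ver $jar"
        fi
    done <<EOF
$jars
EOF
    exit "$rc"
)

# Constructed demo tree mimicking the two states in the find output above.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/before/common/jlib" "$tmp/after/common/jlib"
    : > "$tmp/before/common/jlib/log4j-core-2.13.3.jar"
    : > "$tmp/after/common/jlib/log4j-core-2.17.0.jar"
    scan_log4j "$tmp/before" || echo "before: upgrade needed"
    scan_log4j "$tmp/after" && echo "after: no old log4j-core found"
    rm -rf "$tmp"
}

# With a directory argument (e.g. /opt/oracle.ahf) scan it; otherwise demo.
if [ "$#" -gt 0 ]; then scan_log4j "$@"; else demo; fi
```

A non-zero exit status makes the script usable as a gate in a post-upgrade checklist; quoting the `-name` pattern also avoids the shell expanding `log4j*` against files in the current directory.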
-end-




