最近はたしかFreetierユーザーのインスタンスから無慈悲にPublic IPを回収されたOracleさんですが、今回は認証サービスに脆弱性があって念のために影響を受けた認証情報は変更してねとのことです。いいニュースが全然ありませんね。
なお7月18日までに対応を行なわないとコンソールにログインができなくなるそうです。(テナント/アカウント停止はなさそうです。)個人の使用であればちょっとたいぎいなあ、ぐらいですが、多くのユーザーを抱えてるテナンシは大変そうです()。
Contents
対処
確認
まずはとりあえずOracleのテナントにログインします。
https://www.oracle.com/cloud/sign-in.html
次にCloudshellを開いて、自分がどの認証情報を変更/更新する必要があるかの確認をします。これはoracleがコマンド identity-audit-tool を用意してくれているので楽です。
xxxx@cloudshell:~ (ap-osaka-1)$ identity-audit-tool
Customer Secret Key '0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx6' of user 'oracleidentitycloudservice/zxxxx@xxxxx.ac.jp' needs to be rotated
Customer Secret Key 'exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf' of user 'oracleidentitycloudservice/xxxxx@xxxxx.ac.jp' needs to be rotated
Console UI password of user 'xxxxx@xxxxx.ac.jp' needs to be rotated
Number of credentials to be rotated: 3
Audit report was written to file 'audit.csv'人によって異なりますが、今回はCustomer Secret KeyとConsole UIのパスワードを変更するだけでオッケーでした。
Customer Secret Key
Customer Secret Keyは右上の「プロファイル」→ 「ユーザー設定」のページからリソース「顧客秘密キー」を選択して、秘密キーを削除して再発行すれば対処完了です。
なお削除したカスタマーキーは使用できなくなるので、アプリやソフトウェアでカスタマーキーを使用していた場合は合わせてそちらも再発行したキーに変更してください。
Console UI password
Console UIのパスワードは左上の三本線のメニューから「アイデンティティとセキュリティー」のアイデンティティ欄にある「ユーザー」のページを最初に選びます。
次に名前列にある変更したいユーザーの名前をクリックして「ユーザーの詳細ページ」に入り、「パスワードの作成/リセット」を行なえば対処が完了です。
このパスワードは一度発行すると再度表示されないので、必要な場合は控えておきましょう。
再確認
最後にCloudshellでもう一度 identity-audit-tool で変更すべき箇所が何も表示されていない事を確認して、Found no affected credential.であれば対処完了です。
xxxx@cloudshell:~ (ap-osaka-1) $ identity-audit-tool
Found no affected credentialメール
Oracle Cloud Infrastructure Customer,
Oracle has identified security vulnerability CVE-2022-21503 that affected the Oracle Cloud Infrastructure (OCI) Identity service. As a result of this vulnerability, administrators and their designees with read-access to the OCI audit-records in your tenancy could have viewed some credentials in clear text. For this reason, several of your users’ console UI passwords must be changed by July 18, 2022:
• When those users log in to the OCI console, the login process will prompt them to change their console passwords.
• If any of those users does not log in to the OCI console by July 18, 2022, that user’s console password will expire.
• Once a user’s console password has expired, that user cannot log in. The user can either reset that console password (if the user has a verified email-address) or ask an administrator to reset the user’s console password.
• Once an expired console password has been reset, the user can log in to the OCI console and the login process will prompt the user to change the console password.How do I find the console passwords that must be changed?
To find which credentials your users must change, use Cloud Shell in the Oracle Cloud Admin Console to run the tool that Oracle has provided. You can rerun this tool periodically to track your progress in rotating affected credentials. The benefit of using Cloud Shell is that Cloud Shell comes packaged with the necessary Python interpreter and dependencies required to run the script. Cloud Shell also performs authentication with no extra configuration.
• Most administrators already have the necessary permissions to access Cloud Shell. They can click the Cloud Shell icon and type the command, “identity-audit-tool.”
• If you have not already set up Cloud Shell, see the topic entitled “Using Cloud Shell” in the public documentation: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cloudshellgettingstarted.htm. Follow those instructions before running the command.The identity-audit-tool command scans your OCI tenancy for credentials that you must rotate and gives the following results:
• If the tool encounters an error, the tool displays output that describes the error.
• If the tool finds no credential that you must rotate, it prints one line: “Found no affected credential.”
• If the tool finds at least one credential that you must rotate, the tool prints a line of output for each credential that you must rotate. The tool also writes output to a comma-separated-value (CSV) file called “audit.csv.” NOTE: The tool will overwrite any file named “audit.csv” in your home directory in CloudShell. The CSV file might be more convenient for analysis or for automated remediation. That CSV file contains a line of output for each credential that you must rotate. Each line of output includes values for the credential ID, credential type, credential status, user name, user OCID, and created date.If the script indicates that an audit report was written, you can download the output file “audit.csv” from Cloud Shell with the following steps:
• From the Cloud Shell menu, click Download.
• When the dialog box labeled “Download File” appears, enter the filename, such as “audit.csv.” Click the Download button.
• When the File Transfers dialog indicates that the download of audit.csv is complete, you can use that file locally
