Given bash's remote code execution vulnerability announced on Sept 24 2014, how do I update apt-based systems with Ansible?
Answer 0 (score: 4)
This is my preferred solution in a fairly homogeneous environment. Its advantage over the version=latest pattern others are using is that the update will not take a lot of time in the future.
- name: update apt cache if not done today
  apt: update_cache=yes cache_valid_time=86400

# http://seclists.org/oss-sec/2014/q3/650
- name: ensure secure ansible, ubuntu 1204 edition
  apt: pkg=bash=4.2-2ubuntu2.5 state=present
  when: ansible_distribution=='Ubuntu' and ansible_distribution_version=='12.04'

- name: ensure secure ansible, ubuntu 1404 edition
  apt: pkg=bash=4.3-7ubuntu1.3 state=present
  when: ansible_distribution=='Ubuntu' and ansible_distribution_version=='14.04'

# based on the following gist and comments below. there have been several exploits, this covers them well.
# https://gist.github.com/kacy/2b9408af04c71fab686e
- name: ensure bash is not vulnerable to 201409 problem
  shell: "foo='() { echo not patched; }' bash -c foo"
  register: command_result
  ignore_errors: yes
  failed_when: "'command not found' not in command_result.stderr"
Explanation: updating the apt cache is very expensive if it is done several times a day. The cache time can be adjusted. The code actually tests that the vulnerability is fixed; tests are good. This will highlight any host not covered by the hard-coded distributions/versions.
SO user @jarv posted a great solution as well. Rather than always updating apt, it only does so when the problem has not been fixed. It is the fastest solution (at least among those in this answer). jarv has also added a distribution test in the linked repo, which is useful in heterogeneous environments.
- name: Check if we are vulnerable
  shell: executable=/bin/bash env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  register: test_vuln

- name: Apply bash security update if we are vulnerable
  apt: name=bash state=latest update_cache=true
  when: "'vulnerable' in test_vuln.stdout"

- name: Check again and fail if we are still vulnerable
  shell: executable=/bin/bash env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  when: "'vulnerable' in test_vuln.stdout"
  register: test_vuln
  failed_when: "'vulnerable' in test_vuln.stdout"
There are other approaches. Ansible's creator Michael DeHaan and the official @ansible account posted a few solutions:
ansible all -m apt -a 'update_cache=yes name=bash state=latest'
Here's an update-and-check solution:
- name: update apt
  command: apt-get update

- name: update bash
  command: apt-get --only-upgrade install bash

- name: check bash fix
  command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  register: command_result
  failed_when: "'error' not in command_result.stderr"
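As an added example (not from the answer or its linked gist), here is a POSIX shell function that runs both probes used above against one bash binary and turns the outcome into an exit status, so it can serve as a local host check or as the body of a shell: task; the function name and the binary-path argument are my own choices. It judges by stdout rather than stderr, because bash builds carrying the later fixes (the BASH_FUNC_ prefix change) treat x as an ordinary variable and print no "error importing" warning at all.

```shell
#!/bin/sh
# shellshock_status [BASH_BINARY]
# Runs the two probes from the answer above against one bash binary:
#   1. suffix probe: is a trailing command in an exported "function"
#      variable executed?  (the classic CVE-2014-6271 test)
#   2. import probe: is a function imported from an ordinary variable
#      name at all?  (the stricter check from the linked gist)
# Prints a verdict and returns 0 = patched, 1 = vulnerable or only
# partially patched, 2 = result not recognised (e.g. binary missing).
shellshock_status() {
    bin="${1:-bash}"   # assumed: a bash binary on PATH or given by path

    # Probe 1: an unpatched bash runs "echo vulnerable" while importing x.
    suffix_out="$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null)"
    case "$suffix_out" in
        *vulnerable*) echo "vulnerable: env suffix executed"; return 1 ;;
    esac

    # Probe 2: a bash with only the first fix still imports "foo" and runs it;
    # fully fixed builds leave foo undefined, so "bash -c foo" prints nothing.
    import_out="$(env foo='() { echo not patched; }' "$bin" -c foo 2>/dev/null)"
    case "$import_out" in
        *"not patched"*) echo "partially patched: functions still imported from plain variables"; return 1 ;;
    esac

    # Only report "patched" if the harmless part of probe 1 actually ran.
    case "$suffix_out" in
        *"this is a test"*) echo "patched"; return 0 ;;
    esac
    echo "unrecognised: no output from $bin"; return 2
}

shellshock_status "$@"
```

Used inside Ansible, a non-zero return code fails the task on its own, so no failed_when string matching is needed.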