STEPS FOR UBUNTU IMAGES :
- Download the image in qcow2 format
- Run the following commands to mount the image and update the bash package
- sudo apt-get install qemu-utils
- sudo modprobe nbd
- sudo qemu-nbd –connect=/dev/nbd0 /tmp/Ubuntu-14-04-2014-6271.qcow2
- sudo mkdir /mnt/ubuntu
- sudo mount /dev/nbd0p1 /mnt/ubuntu/
- sudo mount -t proc proc /mnt/ubuntu/proc
- sudo mkdir /mnt/ubuntu/run/resolvconf
- sudo cp /etc/resolv.conf //mnt/ubuntu/run/resolvconf/
- sudo chroot /mnt/ubuntu/ apt-get update
- sudo chroot /mnt/ubuntu/ apt-get install bash
- sudo chroot /mnt/ubuntu/ dpkg -s bash | grep Version
- sudo umount /mnt/ubuntu/proc
- sudo umount /mnt/ubuntu
- sudo qemu-nbd –disconnect /dev/nbd0
- Upload the patched image to glance with well qualified name
Sudo glance image-create –name /tmp/Ubuntu-14-04-2014-6271.qcow2 –is-public True < /tmp/done/Ubuntu-14-04-2014-627-CVE.qcow2
steps for Oracle Linux
- Download the image
- Run following steps to mount the image and update the bash package
The Oracle Linux image file system is of Lvm type , so below steps need to be performed.
qemu-nbd –connect=/dev/nbd0 /tmp/Oracle_Linux_6.5
Scan your system for LVM volumes and identify in the output the volume group name that has your OL volume
- Sudo vgscan
The output will show vg_reimsdb as the vol group
Now Activate the volume:
- vgchange -ay vg_reimsdb
Find the logical volume that has your root filesystem :
- Sudo lvs
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
lv_root vg_reimshttp -wi-a—- 17.57g
lv_swap vg_reimshttp -wi-a—- 1.94g
Mount the Root volume
- Sudo Mkdir /mnt/oel
- Sudo mount /dev/vg_reimsdb/lv_root /mnt/oel
- mount -t proc proc /mnt/oel/proc
- mkdir /mnt/oel/run/resolvconf
- export http_proxy=”http://XXX.XX.XX.XX:PORT”
- chroot /mnt/oel yum update bash
- umount /mnt/oel/proc
- umount /mnt/oel
- qemu-nbd –disconnect /dev/nbd0
- Upload the image
- Sudo glance image-create –name /tmp/Oracle_Linux_6.5 –is-public True < /tmp/done/Oracle_Linux_6.5-CVE.qcow2
You need to give the User credentials in the form of Environment variables in openrc file
Source openrc
OS_USERNAME
OS_PASSWORD
Command to check the Bash vulnerability
- chroot /mnt/oel env x='() { :;}; echo vulnerable; exit;’ bash -c ‘echo not vulnerable’ 2>/dev/null