Want to subscribe to topics you're interested in?
Become a Member

CentOS 7 grub2 security update bug prevents server reboots workaround

Discussion in 'Centmin Mod News' started by eva2000, Aug 1, 2020.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    44,780
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    7:15 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    CentOS 7 & 8 grub2 security update fix for BootHole vulnerability has a bug that prevents server reboots. So a workaround fix requires downgrading yum packages if they have been updated. Centmin Mod LEMP stack user have detailed instructions at CentOS 7.x - CentOS 8.x - Redhat / CentOS 7 & 8 grub2 security vulnerability for BootHole (CVE-2020-10713) for CentOS 7 (CentOS 8 isn't supported in Centmin Mod yet so wouldn't apply) - you can either exclude or version lock the packages to prevent update until new fixed yum packages are released.
     
  2. eva2000

    eva2000 Administrator Staff Member

    44,780
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    7:15 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    According to Red Hat Customer Portal, the bad update packages preventing CentOS 7 and 8 from rebooting are
    Code (Text):
    x86_64
    fwupdate-12-6.el7_8.x86_64.rpm
    fwupdate-debuginfo-12-6.el7_8.x86_64.rpm
    fwupdate-debuginfo-12-6.el7_8.x86_64.rpm
    fwupdate-devel-12-6.el7_8.x86_64.rpm
    fwupdate-efi-12-6.el7_8.x86_64.rpm
    fwupdate-libs-12-6.el7_8.x86_64.rpm
    grub2-2.02-0.86.el7_8.x86_64.rpm
    grub2-common-2.02-0.86.el7_8.noarch.rpm
    grub2-debuginfo-2.02-0.86.el7_8.x86_64.rpm
    grub2-debuginfo-2.02-0.86.el7_8.x86_64.rpm
    grub2-efi-aa64-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-efi-ia32-2.02-0.86.el7_8.x86_64.rpm
    grub2-efi-ia32-cdboot-2.02-0.86.el7_8.x86_64.rpm
    grub2-efi-ia32-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-efi-x64-2.02-0.86.el7_8.x86_64.rpm
    grub2-efi-x64-cdboot-2.02-0.86.el7_8.x86_64.rpm
    grub2-efi-x64-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-pc-2.02-0.86.el7_8.x86_64.rpm
    grub2-pc-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-ppc-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-ppc64-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-ppc64le-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-tools-2.02-0.86.el7_8.x86_64.rpm
    grub2-tools-extra-2.02-0.86.el7_8.x86_64.rpm
    grub2-tools-minimal-2.02-0.86.el7_8.x86_64.rpm
    mokutil-15-7.el7_8.x86_64.rpm
    mokutil-debuginfo-15-7.el7_8.x86_64.rpm
    shim-ia32-15-7.el7_8.x86_64.rpm
    shim-unsigned-ia32-15-7.el7_9.x86_64.rpm
    shim-unsigned-x64-15-7.el7_9.x86_64.rpm
    shim-x64-15-7.el7_8.x86_64.rpm
    

    On my CentOS 7 system I have yet to run yum update so grub2 packages are still previous 2.0.2-0.81.el7 versions and not the updated bad packages grub2 2.0.2-0.86.el7
    Code (Text):
    yum -q list shim\* grub2\* mokutil | tr -s ' ' | column -t
    Installed                      Packages
    grub2.x86_64                   1:2.02-0.81.el7.centos  @base
    grub2-common.noarch            1:2.02-0.81.el7.centos  @base
    grub2-efi-x64.x86_64           1:2.02-0.81.el7.centos  @base
    grub2-pc.x86_64                1:2.02-0.81.el7.centos  @base
    grub2-pc-modules.noarch        1:2.02-0.81.el7.centos  @base
    grub2-tools.x86_64             1:2.02-0.81.el7.centos  @base
    grub2-tools-extra.x86_64       1:2.02-0.81.el7.centos  @base
    grub2-tools-minimal.x86_64     1:2.02-0.81.el7.centos  @base
    Available                      Packages
    grub2-efi-aa64-modules.noarch  1:2.02-0.81.el7.centos  base
    grub2-efi-ia32.x86_64          1:2.02-0.81.el7.centos  base
    grub2-efi-ia32-cdboot.x86_64   1:2.02-0.81.el7.centos  base
    grub2-efi-ia32-modules.noarch  1:2.02-0.81.el7.centos  base
    grub2-efi-x64-cdboot.x86_64    1:2.02-0.81.el7.centos  base
    grub2-efi-x64-modules.noarch   1:2.02-0.81.el7.centos  base
    grub2-i386-modules.noarch      1:2.02-0.81.el7.centos  base
    grub2-ppc-modules.noarch       1:2.02-0.81.el7.centos  base
    grub2-ppc64-modules.noarch     1:2.02-0.81.el7.centos  base
    grub2-ppc64le-modules.noarch   1:2.02-0.81.el7.centos  base
    mokutil.x86_64                 15-2.el7.centos         base
    shim-ia32.x86_64               15-2.el7.centos         base
    shim-unsigned-ia32.x86_64      15-2.el7.centos         base
    shim-unsigned-x64.x86_64       15-2.el7.centos         base
    shim-x64.x86_64                15-2.el7.centos         base
    

    If you see bad 2.0.2-.086.el7 grub2 packages installed from above command, you need to downgrade to previous version first
    Code (Text):
    yum downgrade shim\* grub2\* mokutil

    List available updates listed include the updated bad packages grub2 2.0.2-0.86.el7
    Code (Text):
    yum -q list updates shim\* grub2\* mokutil | tr -s ' ' | column -t
    Updated                     Packages
    grub2.x86_64                1:2.02-0.86.el7.centos  updates
    grub2-common.noarch         1:2.02-0.86.el7.centos  updates
    grub2-efi-x64.x86_64        1:2.02-0.86.el7.centos  updates
    grub2-pc.x86_64             1:2.02-0.86.el7.centos  updates
    grub2-pc-modules.noarch     1:2.02-0.86.el7.centos  updates
    grub2-tools.x86_64          1:2.02-0.86.el7.centos  updates
    grub2-tools-extra.x86_64    1:2.02-0.86.el7.centos  updates
    grub2-tools-minimal.x86_64  1:2.02-0.86.el7.centos  updates
    

    so for now going to lock in my working 2.0.2-0.81.el7 packages via yum versionlock plugin which Centmin Mod installed rather than do yum.conf excludes - just easier to manage this way for now
    Code (Text):
    yum versionlock shim\* grub2\* mokutil

    output
    Code (Text):
    yum versionlock shim\* grub2\* mokutil
    Loaded plugins: fastestmirror, priorities, versionlock
    Adding versionlock on: 1:grub2-tools-minimal-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-tools-extra-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-efi-x64-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-common-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-pc-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-tools-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-pc-modules-2.02-0.81.el7.centos
    versionlock added: 8
    

    once locked yum update won't see available updates for locked packages
    Code (Text):
    yum -q list updates shim\* grub2\* mokutil | tr -s ' ' | column -t
    Error: No matching Packages to list
    

    Later when Redhat/CentOS release a fixed grub2 2.0.2-0.87+ or higher version, you can remove the yum versionlock via command below which will allow yum updates to pick up the updated grub2 packages
    Code (Text):
    yum versionlock delete shim\* grub2\* mokutil                         
    Loaded plugins: fastestmirror, priorities, versionlock
    Deleting versionlock for: 1:grub2-tools-minimal-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-tools-extra-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-efi-x64-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-common-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-pc-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-tools-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-pc-modules-2.02-0.81.el7.centos.*
    versionlock deleted: 8
    
     
Thread Status:
Not open for further replies.