CVE-2022-21454: Vulnerability remediation, upgrading MySQL 5.7.37 to 5.7.38 from the tar package

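Problem description: A vulnerability scan of the database servers found several medium- and high-severity vulnerabilities that need remediation; some of the databases need to be upgraded to the latest version.

Remediation guidance link: https://www.oracle.com/security-alerts/cpuapr2022.html

Vulnerability ID: CVE-2022-21454

Database version: keepalived + MySQL 5.7.37, master-slave architecture

Operating system: Red Hat 7.5

Official recommendation: upgrade to a release later than MySQL 5.7.37 or later than 8.0.28, that is, the currently available 5.7.38 and 8.0.29.

Upgrade: mysql5.7.37 -> mysql5.7.38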
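CVE-2022-21454 (row from the risk matrix in the Oracle advisory):
Product: MySQL Server
Component: Server: Group Replication Plugin
Protocol: MySQL Protocol
Remote exploit without authentication: No
CVSS base score: 6.5
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Supported versions affected: 5.7.37 and prior, 8.0.28 and prior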

 

MySQL 5.7.38 download: https://downloads.mysql.com/archives/community/

The upgrade is done as a logical upgrade that replaces the original installation directory.

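1. Confirm the existing database environment (IP, version) and check the processlist for business sessions. Upgrade the standby first: stop the cluster and the VIP, and stop replication between master and slave.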

 

mysql> select @@version;
+------------+
| @@version  |
+------------+
| 5.7.37-log |
+------------+
1 row in set (0.00 sec)

mysql> show processlist;
+--------+--------------+--------------------+-------+---------+------+----------+------------------+
| Id     | User         | Host               | db    | Command | Time | State    | Info             |
+--------+--------------+--------------------+-------+---------+------+----------+------------------+
| 342942 | i6000collect | 20.32.98.133:39186 | mysql | Sleep   |  186 |          | NULL             |
| 343056 | root         | localhost          | NULL  | Query   |    0 | starting | show processlist |
+--------+--------------+--------------------+-------+---------+------+----------+------------------+
2 rows in set (0.00 sec)

2. Back up the database data and the installation directory

Back up the database

[root@db01 backup]# /soft/mysql/bin/mysqlpump -uroot -p -S /home/data/db_gwyy/mysql.sock --set-gtid-purged=off --all-databases --single-transaction --default-parallelism=4 > /home/backup/0801_all_db.sql

Back up the installation directory

[root@db02 soft]# cp -r mysql mysql.0801.bak

 

3. Extract the installation package

[root@db01 soft]# tar xvf mysql-5.7.38-linux-glibc2.12-x86_64.tar 
mysql-test-5.7.38-linux-glibc2.12-x86_64.tar.gz
mysql-5.7.38-linux-glibc2.12-x86_64.tar.gz
[root@db01 soft]# tar -zxvf mysql-5.7.38-linux-glibc2.12-x86_64.tar.gz 

 

4. Stop the cluster and the VIP; run this on both nodes

[root@db01 soft]# systemctl stop keepalived
[root@db02 soft]# systemctl stop keepalived

 

5. Stop the standby

mysql> stop slave;
Query OK, 0 rows affected (0.01 sec)

mysql> set global innodb_fast_shutdown = 0;
Query OK, 0 rows affected (0.00 sec)

mysql> select @@innodb_fast_shutdown;
+------------------------+
| @@innodb_fast_shutdown |
+------------------------+
|                      0 |
+------------------------+
1 row in set (0.00 sec)

Shut down the database

mysql> shutdown;
Query OK, 0 rows affected (0.00 sec)

 

6. Replace the installation directory

[root@db02 soft]# mv mysql /tmp/
[root@db02 soft]# mv mysql-5.7.38-linux-glibc2.12-x86_64 mysql
[root@db02 soft]# chown -R mysql.mysql mysql

Check that the new mysql directory is the version just installed

[root@db02 soft]# /soft/mysql/bin/mysql -V
/soft/mysql/bin/mysql  Ver 14.14 Distrib 5.7.38, for linux-glibc2.12 (x86_64) using  EditLine wrapper

 

 

7. Start MySQL

Start the database as the mysql user

[mysql@db02 ~]$ sh /home/data/db_gwyy/bin/startup.sh 
[mysql@db02 ~]$ 
[mysql@db02 ~]$ ps -ef | grep mysql
root     333452 333451  0 10:09 pts/0    00:00:00 /soft/mysql/bin/mysql -uroot -p -S/home/data/db_gwyy/mysql.sock
root     335921 333913  0 10:18 pts/1    00:00:00 su - mysql
mysql    335922 335921  0 10:18 pts/1    00:00:00 -bash
mysql    335994      1  1 10:18 pts/1    00:00:00 /bin/sh /soft/mysql/bin/mysqld_safe --defaults-file=/home/data/db_gwyy/conf/gwyy.cnf --datadir=/home/data/db_gwyy/data
mysql    337619 335994 34 10:18 pts/1    00:00:03 /soft/mysql/bin/mysqld --defaults-file=/home/data/db_gwyy/conf/gwyy.cnf --basedir=/soft/mysql --datadir=/home/data/db_gwyy/data --plugin-dir=/soft/mysql/lib/plugin --log-error=/home/data/db_gwyy/log/mysql.err --open-files-limit=65000 --pid-file=/home/data/db_gwyy/mysql.pid --socket=/home/data/db_gwyy/mysql.sock --port=13306
mysql    337659 335922  0 10:19 pts/1    00:00:00 ps -ef
mysql    337660 335922  0 10:19 pts/1    00:00:00 grep --color=auto mysql

8. Upgrade mysql5.7.37 -> mysql5.7.38

The upgrade fails with an error

[mysql@db02 ~]$ /soft/mysql/bin/mysql_upgrade -S /home/data/db_gwyy/mysql.sock -uroot -p
Enter password: 
Checking if update is needed.
Checking server version.
Running queries to upgrade MySQL server.
mysql_upgrade: [ERROR] 3161: Storage engine MyISAM is disabled (Table creation is disallowed).

Edit the configuration file and comment out disabled_storage_engines

#disabled_storage_engines        ="MyISAM,FEDERATED"

 

Restart the database so the parameter change takes effect

[mysql@db02 ~]$ sh /home/data/db_gwyy/bin/shutdown.sh 
Enter password: 
[mysql@db02 ~]$ sh /home/data/db_gwyy/bin/startup.sh

 

Run the data dictionary upgrade again

[mysql@db02 ~]$ /soft/mysql/bin/mysql_upgrade -S /home/data/db_gwyy/mysql.sock -uroot -p
Enter password: 
Checking if update is needed.
Checking server version.
Running queries to upgrade MySQL server.
Checking system database.
mysql.columns_priv                                 OK
mysql.db                                           OK
mysql.engine_cost                                  OK
mysql.event                                        OK
mysql.func                                         OK
mysql.general_log                                  OK
mysql.gtid_executed                                OK
mysql.help_category                                OK
mysql.help_keyword                                 OK
mysql.help_relation                                OK
mysql.help_topic                                   OK
mysql.innodb_index_stats                           OK
mysql.innodb_table_stats                           OK
mysql.ndb_binlog_index                             OK
mysql.plugin                                       OK
mysql.proc                                         OK
mysql.procs_priv                                   OK
mysql.proxies_priv                                 OK
mysql.server_cost                                  OK
mysql.servers                                      OK
mysql.slave_master_info                            OK
mysql.slave_relay_log_info                         OK
mysql.slave_worker_info                            OK
mysql.slow_log                                     OK
mysql.tables_priv                                  OK
mysql.time_zone                                    OK
mysql.time_zone_leap_second                        OK
mysql.time_zone_name                               OK
mysql.time_zone_transition                         OK
mysql.time_zone_transition_type                    OK
mysql.user                                         OK
The sys schema is already up to date (version 1.5.2).
Checking databases.
hzh01.t1                                           OK
hzh02.t2                                           OK
sys.sys_config                                     OK
Upgrade process completed successfully.
Checking if update is needed.

 

Restart the database again and verify that the upgrade took effect

[mysql@db02 ~]$ sh /home/data/db_gwyy/bin/shutdown.sh 
Enter password: 
[mysql@db02 ~]$ sh /home/data/db_gwyy/bin/startup.sh 

 

9. Verify the database version

mysql> status
--------------
/soft/mysql/bin/mysql  Ver 14.14 Distrib 5.7.38, for linux-glibc2.12 (x86_64) using  EditLine wrapper

Connection id:        3
Current database:    
Current user:        root@localhost
SSL:            Not in use
Current pager:        stdout
Using outfile:        ''
Using delimiter:    ;
Server version:        5.7.38-log MySQL Community Server (GPL)
Protocol version:    10
Connection:        Localhost via UNIX socket
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:        /home/data/db_gwyy/mysql.sock
Uptime:            1 min 37 sec

Threads: 1  Questions: 6  Slow queries: 0  Opens: 108  Flush tables: 1  Open tables: 101  Queries per second avg: 0.061
--------------

Enable the relevant parameters on the standby

mysql> set global slave_net_timeout=8; 
Query OK, 0 rows affected (0.00 sec)

mysql> set global read_only=1; 
Query OK, 0 rows affected (0.00 sec)

mysql> set global super_read_only=1; 
Query OK, 0 rows affected (0.00 sec)

 

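10. Upgrade the primary

Follow the same procedure as for the standby, then verify the relevant parameters after the upgrade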

 

11. Start the cluster

[root@db01 soft]# systemctl start keepalived
[root@db02 ~]# systemctl status keepalived

 

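12. Verify database connections

Verify that the cluster and VIP, the business applications, and database connections are all working normally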
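
A check that could be run on each node once step 9 is done, as an added example that is not part of the original post: it compares the server version against the affected ranges quoted from the advisory and flags a configuration file in which disabled_storage_engines is still commented out from the step 8 workaround (the MySQL manual says to restart with the original value once mysql_upgrade has succeeded). The function names and the sample config file are constructed for illustration.

```sh
# Added example (not from the original post): post-upgrade checks for this procedure.
# Affected ranges come from the advisory row: "5.7.37 and prior, 8.0.28 and prior".

# ver_num VERSION: "5.7.38-log" -> 50738 (anything after "-" is ignored)
ver_num() {
    printf '%s\n' "${1%%-*}" |
        awk -F. '{ printf "%d\n", $1 * 10000 + $2 * 100 + $3 }'
}

# is_affected VERSION: 0 = in affected range, 1 = fixed, 2 = series not in the row
is_affected() {
    n=$(ver_num "$1")
    case $1 in
        5.7.*) [ "$n" -le 50737 ] ;;
        8.0.*) [ "$n" -le 80028 ] ;;
        *)     return 2 ;;
    esac
}

# dse_state FILE: is disabled_storage_engines active, commented out, or absent?
# Option files accept "_" or "-" in names and "#" or ";" as comment markers.
dse_state() {
    opt='disabled[_-]storage[_-]engines[[:space:]]*='
    if grep -Eq "^[[:space:]]*$opt" "$1"; then echo active
    elif grep -Eq "^[[:space:]]*[#;][[:space:]]*$opt" "$1"; then echo commented
    else echo absent
    fi
}

# post_upgrade_check VERSION CNF: 0 only when the version is patched and the
# setting is not left commented out from the mysql_upgrade workaround in step 8.
post_upgrade_check() {
    rc=0
    if is_affected "$1"; then
        echo "FAIL: $1 is still in the affected range"; rc=1
    fi
    if [ "$(dse_state "$2")" = commented ]; then
        echo "FAIL: disabled_storage_engines is still commented out in $2"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1, disabled_storage_engines $(dse_state "$2")"
    return "$rc"
}

# Constructed sample: config in the state step 8 leaves it, version from step 9.
# On a live host the version would come from: mysql -NBe 'select @@version'
cnf=$(mktemp)
printf '[mysqld]\n#disabled_storage_engines        ="MyISAM,FEDERATED"\n' > "$cnf"
post_upgrade_check "5.7.38-log" "$cnf" || echo "remediation incomplete"
rm -f "$cnf"
```
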

 

posted @ 2022-08-01 15:46  我爱睡莲