[美国VPS] 有收到甲骨文这个邮件的没，需要采取啥措施？

Oracle Cloud Infrastructure Identity – Rotate Credentials
         
Oracle Cloud Infrastructure Customer,
Oracle has identified security vulnerability CVE-2022-21503 that affected the Oracle Cloud Infrastructure (OCI) Identity service. This vulnerability has received a CVSS base score of 4.9. Oracle has completed patching activities in response to this issue. However, you must take additional actions before July 18, 2022. Failure to complete these steps can cause outages to your cloud services.

The following information describes in detail the vulnerability, the actions Oracle has taken, and what you as a customer must do.

CVE-2022-21503 affects some credentials in the OCI Identity service. As a result of this vulnerability, administrators and their designees with read-access to the OCI audit-records in your tenancy could have viewed some credentials in clear text. These administrators and their designees could have used such credentials to authenticate as the associated principal.

Oracle has already taken the following steps:
• Oracle has patched the OCI Identity service. Identity now redacts the values of credentials in data that it sends to the OCI Audit service. Identity now enforces expiration of affected credentials. Identity will also prompt users with expired console passwords to change those passwords on their next login to the console.
• Oracle has patched the OCI Audit service. Audit now masks this credential data when audit records are viewed.
• Oracle has deleted affected user-credentials for which the owning user lacks the capability to rotate that credential.
• Oracle has rotated identity provider (IdP) client credentials where Oracle Identity Cloud Service (IDCS) is the identity provider.

Required action

You must rotate all affected credentials of the following types:
• Console UI passwords
• SMTP credentials
• OAuth 2.0 client credentials
• Auth tokens
• Customer secret keys
• MFA TOTP device seeds
• IdP client credentials where the identity provider is other than Oracle IDCS

If you do not rotate these credentials before July 18, 2022, those credentials will expire. When those credentials expire, no one can use those credentials to authenticate, which can disrupt the operation of your services.

How do I find the credentials that must be rotated?

To find which credentials you must rotate, use Cloud Shell in the Oracle Cloud Admin Console to run the tool that Oracle has provided. You can rerun this tool periodically to track your progress in rotating affected credentials. The benefit of using Cloud Shell is that Cloud Shell comes packaged with the necessary Python interpreter and dependencies required to run the script. Cloud Shell also performs authentication with no extra configuration.
• Most administrators already have the necessary permissions to access Cloud Shell. They can click the Cloud Shell icon and type the command, "identity-audit-tool."
• If you have not already set up Cloud Shell, see the topic entitled "Using Cloud Shell" in the public documentation: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cloudshellgettingstarted.htm. Follow those instructions before running the command.

The identity-audit-tool command scans your OCI tenancy for credentials that you must rotate and gives the following results:
• If the tool encounters an error, the tool displays output that describes the error.
• If the tool finds no credential that you must rotate, it prints one line: "Found no affected credential."
• If the tool finds at least one credential that you must rotate, the tool prints a line of output for each credential that you must rotate. The tool also writes output to a comma-separated-value (CSV) file called "audit.csv." NOTE: The tool will overwrite any file named "audit.csv" in your home directory in CloudShell. The CSV file might be more convenient for analysis or for automated remediation. That CSV file contains a line of output for each credential that you must rotate. Each line of output includes values for the credential ID, credential type, credential status, user name, user OCID, and created date.

If the script indicates that an audit report was written, you can download the output file "audit.csv" from Cloud Shell with the following steps:
• From the Cloud Shell menu, click Download.
• When the dialog box labeled "Download File" appears, enter the filename, such as "audit.csv." Click the Download button.
• When the File Transfers dialog indicates that the download of audit.csv is complete, you can use that file locally.

How do I rotate credentials of each type?

When you have the list of credentials that you must rotate, follow these instructions to rotate a credential of each type:
• Console UI passwords
• SMTP credentials
• Auth tokens
• Multi-factor authentication (MFA) time-based one-time password (TOTP) device seeds
• Customer secret keys
• OAuth 2.0 client credentials
• IdP client credentials where Oracle IDCS isn’t the IdP

You can use the Oracle Cloud Console to rotate a credential of each type. You can also use an OCI API to rotate credentials of most types.

Console UI passwords

Login to the console and follow the prompt to change your UI password.

If you do not change your UI password before July 18, 2022, your UI password will expire. Once your UI password expires, you must ask an administrator to reset your UI password. This will allow you to login to the console and follow the prompt to change your UI password.

SMTP credentials

To rotate an SMTP Credential using the UI, refer to the Console directions in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#Working3.
1. Create an SMTP credential: See the topic entitled "to create SMTP credentials" in the documentation: https://docs.oracle.com/en-us/iaas/Content/Email/Reference/gettingstarted.htm#smtpcreds.
Each user can have up to two SMTP Credentials at a time, so delete any unused SMTP credential that you have before creating a new one.
2. Validate the new SMTP credential: If you have a service that uses the old SMTP credential, update that service to use the new one. Confirm that your service works with the new SMTP credential before you delete the old one.
3. Delete the old SMTP credential: See the topic entitled "to delete SMTP credentials" in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#To_delete_SMTP_credentials.

If you prefer to use the API to rotate each SMTP credential, use the following steps:
1. Create an SMTP credential: Call the CreateSmtpCredential API: https://docs.oracle.com/en-us/iaas/tools/python/2.55.0/api/identity/client/oci.identity.IdentityClient.html#oci.identity.IdentityClient.create_smtp_credential.
2. Validate the new SMTP credential: If you have a service that uses the old SMTP credential, update that service to use the new one. Confirm that your service works with the new SMTP Credential before you delete the old one.
3. Delete the old SMTP credential: Call the DeleteSmtpCredential API: https://docs.oracle.com/en-us/iaas/tools/python/2.55.0/api/identity/client/oci.identity.IdentityClient.html#oci.identity.IdentityClient.delete_smtp_credential.

Auth tokens

To rotate an Auth Token using the UI, refer to the Console directions in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#Working.
1. Create an auth token: See the topic entitled "to create an auth token" in the documentation:https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#create_swift_password.
Each user can have up to two auth tokens at a time, so delete any unused auth tokens that you have before creating a new one.
2. Validate the new auth token: If you have a service that uses the old auth token, update that service to use the new one. Confirm that your service works with the new auth token before you delete the old one.
3. Delete the old auth token: See the topic entitled "to delete an auth token" in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#To_delete_an_auth_token.

If you prefer to use the API to rotate each Auth Token, use the following steps:
1. Create an auth token: Call the CreateAuthToken API: https://docs.oracle.com/en-us/iaas/tools/python/2.55.0/api/identity/client/oci.identity.IdentityClient.html#oci.identity.IdentityClient.create_auth_token.
2. Validate the new auth token: If you have a service that uses the old auth token, update that service to use the new one. Confirm that your service works with the new auth token before you delete the old one.
3. Delete the old auth token: Call the DeleteAuthToken API: https://docs.oracle.com/en-us/iaas/tools/python/2.55.0/api/identity/client/oci.identity.IdentityClient.html#oci.identity.IdentityClient.delete_auth_token.

To rotate the seeds for your MFA TOTP devices using the UI, refer to the Console directions in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm#Working_with_MFA.
1. Disable MFA for your user account: See the topic entitled "to disable MFA for your user account" in the documentation: https://docsoracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm#To_disable_MFA_for_your_user_account.
2. Enable MFA for your user account: See the topic entitled "to enable MFA for your user account" in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm#To_enable_MFA_for_your_user_account.

Delete inactive MFA TOTP devices. Disabling MFA and enabling MFA does not rotate the seed for an inactive MFA TOTP device. If the script reports an MFA TOTP Device with an inactive credential status, delete that MFA TOTP device using the API. See the topic entitled "Deleting Inactive MFA TOTP Devices in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm#Deleting_Inactive_Device.

Customer secret keys

To rotate a customer secret key using the UI, refer to the Console directions in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#Working2.
1. Create a customer secret key: See the topic entitled "to create a customer secret key" in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#To4.
Each user can have at most two customer secret keys at a time, so delete any unused customer secret keys that you have before you create a new one.
2. Validate the new customer secret key: If you have a service that uses the old customer secret key, update that service to use the new customer secret key. Confirm that your service works with the new customer secret key before you delete the old one.
3. Delete the old customer secret key: See the topic entitled "to create a customer secret key" in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#To_delete_a_Customer_Secret_key.

If you prefer to use the API to rotate each customer secret key, use the following steps:
1. Create a customer secret key: Call the CreateCustomerSecretKey API: https://docs.oracle.com/en-us/iaas/tools/python/2.55.0/api/identity/client/oci.identity.IdentityClient.html#oci.identity.IdentityClient.create_customer_secret_key.
2. Validate the new customer secret key: If you have a service that uses the old customer secret key, update that service to use the new one. Confirm that your service works with the new customer secret key before you delete the old one.
3. Delete the old customer secret key: Call the DeleteCustomerSecretKey API: https://docs.oracle.com/en-us/iaas/tools/python/2.55.0/api/identity/client/oci.identity.IdentityClient.html#oci.identity.IdentityClient.delete_customer_secret_key.

OAuth 2.0 client credentials

To rotate a customer secret key using the UI, refer to the Console directions in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#oauth
1. Create an OAuth 2.0 client credential: See the topic entitled "to create OAuth 2.0 client credentials" in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#create-oauth20.
Each user can have up to 10 OAuth 2.0 client credentials at a time (or more if you requested an increase to this limit), so delete any unused OAuth 2.0 client credentials that you have before creating a new one.
2. Validate the new OAuth 2.0 client credential: If you have a service that uses the old OAuth 2.0 client credential, update that service to use the new OAuth 2.0 client credential. Confirm that your service works with the new customer OAuth 2.0 client credential before you delete the old one.
3. Delete the old OAuth 2.0 client credential: See the topic entitled "to delete an OAuth 2.0 Client Credential" in the documentation: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#delete-oauth20-client-credential.

If you prefer to use the API to rotate each OAuth 2.0 client credential, use the following steps:
1. Create an OAuth 2.0 client credential: Call the create_o_auth_client_credential API: https://docs.oracle.com/en-us/iaas/tools/python/2.55.0/api/identity/client/oci.identity.IdentityClient.html#oci.identity.IdentityClient.create_o_auth_client_credential.
2. Validate the new OAuth 2.0 client credential: If you have a service that uses the old OAuth 2.0 client credential, update that service to use the new one. Confirm that your service works with the new Customer OAuth 20 client credential before you delete the old one.
3. Delete the old OAuth 2.0 client credential: Call the delete_o_auth_client_credential API: https://docs.oracle.com/en-us/iaas/tools/python/2.55.0/api/identity/client/oci.identity.IdentityClient.html#oci.identity.IdentityClient.delete_o_auth_client_credential.

IdP client credentials where Oracle IDCS isn’t the IdP

For how to rotate your IdP client credentials, refer to your identity provider’s documentation                 Action Required