| Oracle Cloud Infrastructure Identity – Rotate Credentials
Oracle Cloud Infrastructure Customer,
Oracle has identified security vulnerability CVE-2022-21503 that affected the Oracle Cloud Infrastructure (OCI) Identity service. As a result of this vulnerability, administrators and their designees with read-access to the OCI audit-records in your tenancy could have viewed some credentials in clear text. For this reason, several of your users’ console UI passwords must be changed by July 18, 2022:
• When those users log in to the OCI console, the login process will prompt them to change their console passwords.
• If any of those users does not log in to the OCI console by July 18, 2022, that user’s console password will expire.
• Once a user’s console password has expired, that user cannot log in. The user can either reset that console password (if the user has a verified email-address) or ask an administrator to reset the user’s console password.
• Once an expired console password has been reset, the user can log in to the OCI console and the login process will prompt the user to change the console password.
How do I find the console passwords that must be changed?
To find which credentials your users must change, use Cloud Shell in the Oracle Cloud Admin Console to run the tool that Oracle has provided. You can rerun this tool periodically to track your progress in rotating affected credentials. The benefit of using Cloud Shell is that Cloud Shell comes packaged with the necessary Python interpreter and dependencies required to run the script. Cloud Shell also performs authentication with no extra configuration.
• Most administrators already have the necessary permissions to access Cloud Shell. They can click the Cloud Shell icon and type the command, “identity-audit-tool.”
• If you have not already set up Cloud Shell, see the topic entitled “Using Cloud Shell” in the public documentation: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cloudshellgettingstarted.htm. Follow those instructions before running the command.
The identity-audit-tool command scans your OCI tenancy for credentials that you must rotate and gives the following results:
• If the tool encounters an error, the tool displays output that describes the error.
• If the tool finds no credential that you must rotate, it prints one line: “Found no affected credential.”
• If the tool finds at least one credential that you must rotate, the tool prints a line of output for each credential that you must rotate. The tool also writes output to a comma-separated-value (CSV) file called “audit.csv.” NOTE: The tool will overwrite any file named “audit.csv” in your home directory in CloudShell. The CSV file might be more convenient for analysis or for automated remediation. That CSV file contains a line of output for each credential that you must rotate. Each line of output includes values for the credential ID, credential type, credential status, user name, user OCID, and created date.
If the script indicates that an audit report was written, you can download the output file “audit.csv” from Cloud Shell with the following steps:
• From the Cloud Shell menu, click Download.
• When the dialog box labeled “Download File” appears, enter the filename, such as “audit.csv.” Click the Download button.
• When the File Transfers dialog indicates that the download of audit.csv is complete, you can use that file locally |
