Vulnerability Discussion

Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Oracle cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.

Check

Verify that OL 9 ensures cryptographic verification of vendor software packages by confirming that Oracle package-signing keys are installed on the system, and verify their fingerprints match vendor values.

Note: For OL 9 software packages, Oracle uses GPG keys labeled "release key 1" and "auxiliary key 1". The keys are defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" by default.

List Oracle GPG keys installed on the system:

$ sudo rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | grep -i "oracle"

Oracle Linux (release key 1) <secalert_us@oracle.com> public key
Oracle Linux (backup key 1) <secalert_us@oracle.com> public key

If Oracle GPG keys "release key 1" and "backup key 1" are not installed, this is a finding.

List key fingerprints of installed Oracle GPG keys:

$ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

If key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" is missing, this is a finding.

pub rsa4096/8D8B756F 2022-01-19 [SC] [expires: 2042-01-14]
Key fingerprint = 3E6D 826D 3FBA B389 C2F3 8E34 BC4D 06A0 8D8B 756F
uid Oracle Linux (release key 1) <secalert_us@oracle.com>
sub rsa4096/2E708C25 2022-01-19 [E] [expires: 2041-06-01]
pub rsa4096/8B4EFBE6 2022-01-19 [SC] [expires: 2042-01-14]
Key fingerprint = 9822 3175 9C74 6706 5D0C E9B2 A7DD 0708 8B4E FBE6
uid Oracle Linux (backup key 1) <secalert_us@oracle.com>
sub rsa4096/DA900791 2022-01-19 [E] [expires: 2041-06-02]

Compare key fingerprints of installed Oracle GPG keys with fingerprints listed for OL 9 on Oracle verification webpage at https://linux.oracle.com/security/gpg/#gpg.

If key fingerprints do not match, this is a finding.

Fix

Install Oracle package-signing keys on the system and verify their fingerprints match vendor values.

To verify Oracle Linux Downloads, users need:
-A checksum file corresponding to the downloaded ISO.
-The public GPG key to verify the Oracle key used to sign the checksum file.

The checksum file contains a list of files that are part of a download package with the corresponding checksums as well as a GPG signature. The GPG signature enables anyone to verify that checksum file was published by Oracle. The steps below describe how to verify they checksum file itself and then verify the contents of the Oracle Linux download by checking against the checksum file.

Import the Oracle Linux GPG key corresponding to the Oracle Linux release:

$ curl https://yum.oracle.com/RPM-GPG-KEY-oracle-ol9 | gpg --import

Note: No "sudo" for curl command

Download the appropriate checksum file and place it in the same directory as the Oracle Linux ISO download:

$ curl https://linux.oracle.com/security/gpg/checksum/OracleLinux-R9-U3-Server-x86_64.checksum > OracleLinux-R9-U3-Server-x86_64.checksum

Download GPG Key:

$ curl https://yum.oracle.com/RPM-GPG-KEY-oracle-ol9 -o RPM-GPG-KEY-oracle
Note: No "sudo" for curl command

To verify the checksum file:

$ gpg --verify-files OracleLinux-R9-U3-Server-x86_64.checksum
gpg: Signature made Wed 15 Nov 2023 07:22:32 AM EST
gpg: using RSA key 3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F
gpg: issuer "secalert_us@oracle.com"
gpg: Good signature from "Oracle Linux (release key 1) <secalert_us@oracle.com>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E6D 826D 3FBA B389 C2F3 8E34 BC4D 06A0 8D8B 756F

Verify the ISO download as follows:

$ grep OracleLinux-R9-U3-x86_64-boot.iso OracleLinux-R9-U3-Server-x86_64.checksum | sha256sum -c

OracleLinux-R9-U3-x86_64-boot.iso: OK