Affected versions: Oracle Linux 8

Source: ELSA advisory ELSA-2021-3148

Related CVEs: CVE-2021-26423 CVE-2021-34485 CVE-2021-34532

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On Oracle Linux 8 hosts running .NET, administrators report behaviour consistent with ELSA advisory ELSA-2021-3148: unexpected service restarts, denied transactions, audit warnings, or, for security-rated advisories, exposure to the vulnerabilities tracked under the related CVEs. Operators see failed systemctl status output, abnormal entries in journalctl -xe, and, where the package is part of the serving path, degraded availability. On Oracle Linux 8, impact ranges from a single service restart loop to wider production incidents, depending on host role and the criticality of .NET.

Environment & Reproduction

Reproduction targets Oracle Linux 8 running either the Red Hat Compatible Kernel or the Unbreakable Enterprise Kernel. Confirm the release with cat /etc/oracle-release and the kernel with uname -r. Trigger the workflow that exercises the packages covered by the .NET 5.0 security and bugfix update while collecting journalctl -b, dnf history, and rpm -qa output for correlation against ELSA advisory ELSA-2021-3148.

Root Cause Analysis

The root cause is documented in ELSA advisory ELSA-2021-3148. Upstream maintainers shipped fixes in the corresponding .NET update; running an outdated build leaves the host exposed and may trigger the failure modes described in the advisory. Correlate journalctl --since timestamps with dnf history and ausearch -m AVC entries to isolate the originating change. On Oracle Linux 8, modular streams, UEK kernel variants, and OEL-specific errata can each shift the package set used by the failure path.

Quick Triage

Run systemctl status .NET, journalctl -u .NET -n 200, firewall-cmd --list-all, getenforce, dnf check, and rpm -Va. If SELinux is enforcing, capture ausearch -m AVC -ts recent to surface denials linked to the .NET 5.0 security and bugfix update.

Step-by-Step Diagnosis

1) Confirm the symptom with systemctl --failed.
2) Inspect logs: journalctl -xe and journalctl -u .NET.
3) Validate firewall: firewall-cmd --list-all-zones.
4) Check SELinux denials: ausearch -m AVC,USER_AVC -ts today.
5) Verify package integrity: dnf check and rpm -V .NET.
6) Correlate findings with dnf history, /var/log/dnf.log and ELSA advisory ELSA-2021-3148 to pin the change associated with the .NET 5.0 security and bugfix update.

Solution – Primary Fix

Primary fix for the .NET 5.0 security and bugfix update: apply the corrective dnf transaction described in ELSA advisory ELSA-2021-3148, reload the affected systemd unit, and reconcile firewalld and SELinux state. Typical commands: sudo dnf -y update .NET, sudo systemctl daemon-reload, sudo systemctl restart .NET, rpm -q .NET. Validate immediately with systemctl is-active .NET.

Solution – Alternative Approaches

Alternatives include rolling back the offending transaction with sudo dnf history undo <id>, pinning the package via dnf versionlock, switching the firewall backend between nftables and iptables in /etc/firewalld/firewalld.conf, or temporarily setting SELinux permissive (setenforce 0) to confirm policy is the cause before authoring a custom module with audit2allow. For Oracle Linux specifically, Ksplice live patching may close the gap without reboot when the advisory has Ksplice coverage.

Verification & Acceptance Criteria

Acceptance: rpm -q .NET shows the expected fixed version, systemctl is-active .NET returns active, journalctl -u .NET --since "5 minutes ago" shows no errors, firewall-cmd --list-services includes the required services, getenforce reports the intended mode, and the original reproduction steps for the .NET 5.0 security and bugfix update no longer trigger the failure across two consecutive runs.
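
The "expected fixed version" criterion can be checked mechanically. The script below is an added example, not taken from the advisory: it compares rpm query output against a baseline of fixed versions. The package names are the .NET 5.0 packages in the OL8 AppStream; the baseline versions and the sample rpm output are constructed placeholders to be replaced with the versions listed in ELSA-2021-3148.

```sh
#!/bin/sh
# Added example, not from the advisory: flag installed .NET packages whose
# VERSION is below an operator-supplied fixed version. RELEASE is not compared.

# Constructed placeholder baseline, "<package> <fixed version>" per line.
# Replace the versions with those listed in ELSA-2021-3148.
BASELINE='dotnet-runtime-5.0 5.0.99
aspnetcore-runtime-5.0 5.0.99
dotnet-sdk-5.0 5.0.999'

# Constructed sample of the output of:
#   rpm -qa --qf '%{NAME} %{VERSION}\n' 'dotnet*' 'aspnetcore*'
SAMPLE='dotnet-runtime-5.0 5.0.98
aspnetcore-runtime-5.0 5.0.99
dotnet-sdk-5.0 5.0.1000
dotnet-host 5.0.98'

# check_fixed BASELINE: reads "name version" lines on stdin, prints one
# OUTDATED line per package below its baseline, returns 1 if any was found.
check_fixed() {
    BASELINE_ROWS="$1" awk '
    # Numeric, component-wise compare so that 5.0.100 is newer than 5.0.99.
    function older(a, b,    x, y, i, n, m) {
        n = split(a, x, "."); m = split(b, y, "."); if (m > n) n = m
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) return 1
            if (x[i] + 0 > y[i] + 0) return 0
        }
        return 0
    }
    BEGIN {
        n = split(ENVIRON["BASELINE_ROWS"], rows, "\n")
        for (i = 1; i <= n; i++)
            if (split(rows[i], f, " ") == 2) min[f[1]] = f[2]
    }
    ($1 in min) && older($2, min[$1]) {
        print "OUTDATED", $1, $2, "<", min[$1]; bad = 1
    }
    END { exit bad + 0 }'
}

# Demo on the constructed sample; on a host, pipe the rpm query above instead.
printf '%s\n' "$SAMPLE" | check_fixed "$BASELINE" || echo "acceptance check failed"
```

Packages absent from the baseline are ignored, so the same baseline can be run across hosts that install only the runtime or only the SDK.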

Rollback Plan

Capture state with dnf history list and rpm -qa > /root/rpm-pre.txt before any change. To revert, run sudo dnf history undo <id>, restore /etc backups, and reload unit files with systemctl daemon-reload. For SELinux modules, remove with sudo semodule -r <module>. Reboot if the kernel or initramfs was changed and re-verify symptoms.

Prevention & Hardening

Prevent recurrence with dnf-automatic security updates, needs-restarting -r checks, immutable systemd drop-ins under /etc/systemd/system/<unit>.d/, version-locked firewalld zones, and audit rules in /etc/audit/rules.d/. Apply CIS Oracle Linux 8 hardening, subscribe to the Oracle Linux errata mailing list, and monitor file integrity with aide --check. Where supported, enable Oracle Ksplice so future advisories like this can be remediated live without reboot.

Related Errors & Cross-Refs

Related issues that commonly surface alongside the .NET 5.0 security and bugfix update: dnf transaction lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags shown by cat /proc/sys/kernel/tainted. See sibling common-problem articles in this Oracle Linux 8 series for adjacent failure modes.

References & Further Reading

Primary reference: ELSA advisory ELSA-2021-3148. Supporting docs: Oracle Linux 8 Administrators Guide, Red Hat Enterprise Linux documentation (upstream), man dnf, man systemctl, man firewall-cmd, man semanage, man journalctl, the Oracle Linux yum server changelog, and the Oracle Ksplice known-fixes feed. Review /usr/share/doc/ package documentation for the components implicated in the .NET 5.0 security and bugfix update.