Affected versions: Oracle Linux 8

Source: ELSA advisory ELSA-2020-5620-1

Related CVEs: CVE-2020-14350 CVE-2020-14349 CVE-2020-25694 CVE-2020-1720 CVE-2020-25696 CVE-2020-25695

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On Oracle Linux 8 hosts running the postgresql:12 module stream, administrators report behaviour consistent with ELSA advisory ELSA-2020-5620-1: unexpected service restarts, denied transactions, audit warnings, or, for security-rated advisories, exposure to the vulnerabilities tracked under the related CVEs. Operators see failed systemctl status output, abnormal entries in journalctl -xe, and, where the package is part of the serving path, degraded availability. On Oracle Linux 8, impact ranges from a single service restart loop to wider production incidents, depending on host role and the criticality of the PostgreSQL service.

Environment & Reproduction

Reproduction targets Oracle Linux 8 running either the Red Hat Compatible Kernel or the Unbreakable Enterprise Kernel. Confirm the release with cat /etc/oracle-release and the kernel with uname -r. Trigger the workflow that exposes the issue while collecting journalctl -b, dnf history, and rpm -qa output for correlation against ELSA advisory ELSA-2020-5620-1.

Root Cause Analysis

The root cause is documented in ELSA advisory ELSA-2020-5620-1. Upstream maintainers shipped fixes in the corresponding ELSA-2020-5620-1 update; running an outdated build leaves the host exposed and may trigger the failure modes described in the advisory. Correlate journalctl --since timestamps with dnf history and ausearch -m AVC entries to isolate the originating change. On Oracle Linux 8, modular streams, UEK kernel variants, and OEL-specific errata can each shift the package set used by the failure path.

Quick Triage

Quick triage: run systemctl status postgresql, journalctl -u postgresql -n 200, firewall-cmd --list-all, getenforce, dnf check, and rpm -Va. If SELinux is enforcing, capture ausearch -m AVC -ts recent to surface denials linked to the PostgreSQL service.

Step-by-Step Diagnosis

1) Confirm the symptom with systemctl --failed.
2) Inspect logs: journalctl -xe and journalctl -u postgresql.
3) Validate firewall: firewall-cmd --list-all-zones.
4) Check SELinux denials: ausearch -m AVC,USER_AVC -ts today.
5) Verify package integrity: dnf check and rpm -V postgresql-server.
6) Correlate findings with dnf history, /var/log/dnf.log and ELSA advisory ELSA-2020-5620-1 to pin the change that introduced the problem.

Solution – Primary Fix

Primary fix: apply the corrective dnf transaction described in ELSA advisory ELSA-2020-5620-1, reload the affected systemd unit, and reconcile firewalld and SELinux state. Typical commands: sudo dnf -y update postgresql-server, sudo systemctl daemon-reload, sudo systemctl restart postgresql, rpm -q postgresql-server. Validate immediately with systemctl is-active postgresql.

Solution – Alternative Approaches

Alternatives include rolling back the offending transaction with sudo dnf history undo <id>, pinning the package via dnf versionlock, switching the firewall backend between nftables and iptables in /etc/firewalld/firewalld.conf, or temporarily setting SELinux permissive (setenforce 0) to confirm policy is the cause before authoring a custom module with audit2allow. For Oracle Linux specifically, Ksplice live patching may close the gap without reboot when the advisory has Ksplice coverage.

Verification & Acceptance Criteria

Acceptance: rpm -q postgresql-server shows the expected fixed version, systemctl is-active postgresql returns active, journalctl -u postgresql --since "5 minutes ago" shows no errors, firewall-cmd --list-services includes the required services, getenforce reports the intended mode, and the original reproduction steps no longer trigger the failure across two consecutive runs.
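
As a supplement to the rpm -q version check above, the following added example (not part of the advisory or of Oracle's tooling) reports which of the CVE ids listed at the top of this page are not named in a package's RPM changelog. The function names, the package name postgresql-server, the sample changelog and the premise that the changelog names each CVE are assumptions.

```shell
#!/bin/sh
# Added example: compare this page's CVE list against an RPM changelog.
ADVISORY_CVES="CVE-2020-14350 CVE-2020-14349 CVE-2020-25694 CVE-2020-1720 CVE-2020-25696 CVE-2020-25695"

# Constructed sample changelog text (not real package output).
SAMPLE_CHANGELOG='* constructed changelog entry
- Resolves: CVE-2020-14349 CVE-2020-14350
- Resolves: CVE-2020-25694, CVE-2020-25695, CVE-2020-25696'

# missing_cves TEXT: print each advisory CVE id that TEXT does not mention.
missing_cves() {
    mc_text="$1"
    for mc_cve in $ADVISORY_CVES; do
        # -w stops CVE-2020-1720 from matching inside a longer id
        # such as CVE-2020-17200; -F treats the id as a literal string.
        printf '%s\n' "$mc_text" | grep -qwF -- "$mc_cve" || printf '%s\n' "$mc_cve"
    done
}

# check_installed [PKG]: run the comparison against an installed package.
# Returns 0 when every CVE is named, 1 when some are not, 2 if PKG is absent.
check_installed() {
    ci_pkg="${1:-postgresql-server}"   # assumed package name
    if ! rpm -q "$ci_pkg" >/dev/null 2>&1; then
        echo "$ci_pkg is not installed"
        return 2
    fi
    ci_missing=$(missing_cves "$(rpm -q --changelog "$ci_pkg")")
    if [ -z "$ci_missing" ]; then
        echo "all advisory CVEs are named in the $ci_pkg changelog"
        return 0
    fi
    echo "not named in the $ci_pkg changelog:"
    echo "$ci_missing"
    return 1
}

# Run against the local host only when asked: sh script.sh --host [PKG]
if [ "${1:-}" = "--host" ]; then
    check_installed "${2:-postgresql-server}"
fi
```

A CVE id absent from the changelog is a prompt to compare the installed version with the fixed version in the advisory, not proof that the host is vulnerable.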

Rollback Plan

Capture state with dnf history list and rpm -qa > /root/rpm-pre.txt before any change. To revert, run sudo dnf history undo <id>, restore /etc backups, and reload systemctl daemon-reload. For SELinux modules, remove with sudo semodule -r <module>. Reboot if the kernel or initramfs was changed and re-verify symptoms.

Prevention & Hardening

Prevent recurrence with dnf-automatic security updates, needs-restarting -r checks, immutable systemd drop-ins under /etc/systemd/system/<unit>.d/, version-locked firewalld zones, and audit rules in /etc/audit/rules.d/. Apply CIS Oracle Linux 8 hardening, subscribe to the Oracle Linux errata mailing list, and monitor file integrity with aide --check. Where supported, enable Oracle Ksplice so future advisories like this can be remediated live without reboot.

Related Errors & Cross-Refs

Related issues that commonly surface alongside this advisory: dnf transaction lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags shown by cat /proc/sys/kernel/tainted. See sibling common-problem articles in this Oracle Linux 8 series for adjacent failure modes.

References & Further Reading

Primary reference: ELSA advisory ELSA-2020-5620-1. Supporting docs: Oracle Linux 8 Administrators Guide, Red Hat Enterprise Linux documentation (upstream), man dnf, man systemctl, man firewall-cmd, man semanage, man journalctl, the Oracle Linux yum server changelog, and the Oracle Ksplice known-fixes feed. Review /usr/share/doc/ package documentation for the components implicated in ELSA-2020-5620-1.