Episode 145

Show Notes

Overview

The Ubuntu Security Podcast is back for 2022 and we’re starting off the year with a bang💥! This week we bring you a special interview with Kees Cook of Google and the Linux Kernel Self Protection Project discussing Linux kernel hardening upstream developments. Plus we look at security updates for Mumble, Apache Log4j2, OpenJDK and more.

This week in Ubuntu Security Updates

31 unique CVEs addressed

[USN-5195-1] Mumble vulnerability [01:02]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- CVE-2021-27229
Low-latency VoIP client - client / server model
Client picks a server to connect to from public server list
Malicious actor could register a server with a web URL that uses some other protocol - e.g. smb to then refer to a .desktop file
When user chose the option to ‘Open Webpage’ for that server, would automatically fetch and execute via underlying Qt framework libraries QDesktopServices::openUrl function
Fixed to check URI scheme and only open if is http/https
Wonder if this kind of vuln may be seen in other applications?

[USN-5192-2] Apache Log4j 2 vulnerability [02:13]

1 CVEs addressed in Xenial ESM (16.04 ESM)
- CVE-2021-44228
Log4j2 update for 16.04 ESM - see Episode 142

[USN-5203-1] Apache Log4j 2 vulnerability

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- CVE-2021-45105
More Log4j2 vulns - possible to crash applications using log4j2 by specifying a crafted string that would get logged which would then cause infinite recursion when doing lookup evaluation
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Log4Shell

[USN-5202-1] OpenJDK vulnerabilities [03:13]

14 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
Mix of issues resolved with this latest point release update for openjdk-8 and openjdk-11
Info leak via FTP client impl when connecting to malicious FTP server
Mishandling of JARs with multiple manifests -> signature verification bypass
Sandbox escape via crafted Java class
Use of weak crypto ciphers by default -> info leak
DoS via malicious RTF, BMP or class files
and more…

[USN-5199-1, USN-5200-1, USN-5201-1] Python vulnerabilities [04:26]

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04) for Python 3.8/3.9
- CVE-2021-3737
2 CVEs addressed in Bionic (18.04 LTS) for Python 3.6
- CVE-2021-3737
- CVE-2021-3733
3 CVEs addressed in Bionic (18.04 LTS) for Python 3.7/3.8
3 different DoS via urllib http client
- infinite loop when handling 100 Continue responses - malicious HTTP server could cause a DoS against clients - affects all
- ReDoS due to quadratic complexity regex in basic auth handling - only affects Python 3.6->3.8 in Ubuntu 18.04
- Similar but different ReDos in basic auth handling - only affects Python 3.7/3.8 in Ubuntu 18.04

[USN-5198-1] HTMLDOC vulnerability [05:37]

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- CVE-2021-23180
Used to covert HTML/Markdown files to generate EPUB/HTML/PS/PDF with ToC etc
Through fuzzing a NULL ptr deref was found if given crafted input HTML file -> crash -> DoS

[USN-5186-2] Firefox regressions [06:06]

10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
95.0.1
- WebRender crash on some X11 systems
- Failure to connect to microsoft.com domains

Goings on in Ubuntu Security Community

Seth and John talk Linux Kernel Security with Kees Cook [06:53]

Seth Arnold and John Johansen from the Ubuntu Security team chat with Kees Cook from Google (KSPP) about Linux kernel hardening and self-protection, including KASLR and FGKASLR, delving into the finer points of linker scripts, kernel address pointer info leaks through debug logs, detecting possible integer overflows in C by relying on undefined behaviour of signed integer wraparound, hardware support for detecting memory corruption and more.