Episode 157

Posted on Friday, Apr 22, 2022
Ubuntu 22.04 LTS (Jammy Jellyfish) is officially released 🎉 and so this week we take a quick look at the new features and enhancements, with a particular focus on security, plus we cover security updates for the Linux kernel, Firefox, Django, Git, Gzip and more.

Show Notes

This week in Ubuntu Security Updates

58 unique CVEs addressed

[USN-5368-1] Linux kernel vulnerabilities [00:51]

[USN-5377-1] Linux kernel (BlueField) vulnerabilities [01:52]

[USN-5366-1] FriBidi vulnerabilities [02:07]

[USN-5369-1] oslo.utils vulnerability [02:21]

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • Python utility functions for OpenStack
  • Passwords which contained a double quote were not properly masked in debug logs, so the part of the password following the double quote would be exposed
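
As an added illustration (not oslo.utils' own code) of why a double quote breaks masking: a naive `password="..."` pattern stops at the first quote, while the hardened pattern below only treats a quote as the end of the value when a delimiter or end of line follows it. The pattern and function names are mine, and the log line is constructed.

```python
import re

# Added example, not oslo.utils' own code: a naive masking pattern beside a
# hardened one, exercised on a constructed log line whose password contains '"'.
SECRET = "***"

# Naive pattern: the value ends at the first double quote, so whatever follows a
# literal '"' inside the password is left in the log line.
NAIVE_RE = re.compile(r'(password=")[^"]*(")', re.IGNORECASE)

# Hardened pattern: a '"' only ends the value when it is followed by a delimiter
# (whitespace, comma, closing bracket/brace) or end of line; a backslash-escaped
# quote is part of the value.
STRICT_RE = re.compile(r'(password=")(?:\\.|[^"\\]|"(?![\s,}\]]|$))*(")', re.IGNORECASE)

def mask_naive(message):
    return NAIVE_RE.sub(rf"\1{SECRET}\2", message)

def mask_password(message):
    # Masks password="..." values, including ones that contain a double quote.
    return STRICT_RE.sub(rf"\1{SECRET}\2", message)

def leaked_fragment(masked, password):
    # Longest tail (2+ chars) of the password still visible after masking;
    # a non-empty result means part of the secret reached the log.
    for i in range(len(password) - 1):
        if password[i:] in masked:
            return password[i:]
    return ""

PASSWORD = 'abc"def'  # constructed
LOG_LINE = f'connect user=bob password="{PASSWORD}" tenant=demo'

if __name__ == "__main__":
    for name, fn in (("naive", mask_naive), ("strict", mask_password)):
        out = fn(LOG_LINE)
        print(f"{name:6}: {out}   leaked={leaked_fragment(out, PASSWORD)!r}")
```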

[USN-5370-1] Firefox vulnerabilities [02:50]

[USN-5331-2] tcpdump vulnerabilities [03:34]

[USN-5373-1, USN-5373-2] Django vulnerabilities [03:47]

  • 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • 2 different SQL injection vulnerabilities and 1 header injection vulnerability

[USN-5374-1] libarchive vulnerability [04:07]

  • 1 CVE addressed in Focal (20.04 LTS), Impish (21.10)
  • Out-of-bounds memory access when handling crafted LZMA archives -> DoS

[USN-5372-1] Subversion vulnerabilities [04:24]

  • 2 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
  • 2 vulnerabilities in the svn server, both in the handling of path-based authorization rules: one is a logic error that could allow an attacker to bypass these rules and learn information about private paths
  • the other is a use-after-free -> crash/RCE

[USN-5376-1] Git vulnerability [05:13]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • Possible local RCE if another user creates a .git directory in the system root and specifies arbitrary commands in that repository's git config (git searches parent directories for a .git directory, so any directory below it would be treated as part of that repository)
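
An added example (not git's own code) that audits a repository config for the entries that make git run commands, and walks up from a directory looking for a .git owned by another user, which is the layout the advisory describes. The key names come from git-config(1); the config text, paths and function names are constructed.

```python
import os

# Added example, not git's own code: flags git config entries that make git run
# a command, and lists .git directories above a path that another user owns.
# SAMPLE_CONFIG and its paths are constructed.
# Keys whose values git runs as commands (see git-config(1)); an alias whose
# value starts with '!' is also run through the shell.
COMMAND_KEYS = {"core.fsmonitor", "core.pager", "core.editor", "core.sshcommand",
                "core.gitproxy", "core.hookspath", "diff.external"}

def parse_git_config(text):
    # Minimal parser for git's INI-like format -> {'section.key': value}.
    # Comments are stripped naively ('#' or ';' inside a quoted value is not handled).
    entries, section = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].replace('"', "").replace(" ", ".").lower()  # [remote "origin"] -> remote.origin
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries[f"{section}.{key.lower()}"] = value
    return entries

def command_entries(text):
    # 'key=value' for each entry that would make git execute something.
    return [f"{k}={v}" for k, v in parse_git_config(text).items()
            if k in COMMAND_KEYS or (k.startswith("alias.") and v.startswith("!"))]

def ancestors(path):
    # '/srv/app/repo' -> ['/srv/app/repo', '/srv/app', '/srv', '/']
    chain, path = [], os.path.abspath(path)
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            return chain
        path = parent

def foreign_git_dirs(start, uid=None):
    # .git directories at or above `start` not owned by `uid` (default: the caller);
    # git walks up the tree the same way, so a hit is the situation the advisory describes.
    uid = os.geteuid() if uid is None else uid
    hits = [os.path.join(d, ".git") for d in ancestors(start)]
    return [g for g in hits if os.path.isdir(g) and os.stat(g).st_uid != uid]

SAMPLE_CONFIG = """[core]
    fsmonitor = /tmp/example-fsmonitor.sh
[alias]
    st = status
    sh = !/tmp/example-fsmonitor.sh
"""
```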

[USN-5371-1] nginx vulnerabilities [05:55]

[USN-5378-1, USN-5378-2, USN-5378-3, USN-5378-4] Gzip & XZ Utils vulnerability [06:05]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • xzgrep/zgrep with crafted filenames -> local file overwrite

[USN-5379-1] klibc vulnerabilities [06:27]

  • 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • Various integer overflows and other bugs leading to memory corruption -> RCE in these low-level tools (designed for use in initramfs / embedded systems etc. - cat, dd, dmesg, gzip, ipconfig, mv, readlink and more)

[USN-5380-1] Bash vulnerability [07:12]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • Incorrect handling of setuid binaries - bash didn't drop privileges correctly, so a user who could cause bash to load their own crafted builtin module could escalate privileges by restoring the saved UID

Goings on in Ubuntu Security Community

Ubuntu 22.04 LTS Release! [08:02]

  • By the time you read / hear this it will likely already be out
  • LTS - 5 years of standard support, plus 5 years of ESM support - 10 years of security support in total
  • https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668
  • Multiple kernels depending on which product you install
    • Desktop
      • 5.17 on OEM certified devices
      • Rolling HWE kernel for other hardware (currently 5.15)
    • Server
      • Non-rolling LTS kernel (5.15)
    • Cloud
      • Use optimised kernels in collaboration with partners (currently 5.15+ with additional backports / features)
    • As always these are just the defaults and you can change them as desired (i.e. you could enable the rolling HWE kernel on server if required)
  • UDP disabled for NFS mounts
  • Toolchain upgrades
    • GCC 11.2.0, Python 3.10 (with PIE🥧), LLVM 14, Golang 1.18.x, rustc 1.58
    • OpenJDK 18 provided (but not the default and not in main; openjdk-11 remains the default in main and is supported)
  • systemd-oomd enabled by default on Ubuntu desktop
  • OpenSSL 3.0
    • Disables various legacy algorithms (SHA1/MD5 for certificate hashes)
  • nftables default backend for firewall
    • Still ships the legacy iptables tools (which use the xtables backend), but they are not the default; sysadmins need to ensure all applications which configure firewall rules use the same backend (e.g. if using the docker snap you need to switch to the legacy xtables backend until the snap is updated to detect and use the new nftables backend)
  • ssh-rsa with SHA-1 signatures disabled by default in OpenSSH
  • scp supports a new -s option to use the SFTP protocol instead of the legacy scp protocol, which is safer (see USN-3885-1 etc.)
  • Firefox is a snap
    • Maintained and published directly by Mozilla - faster access to newer versions
    • Sandboxed for improved security hardening
  • Lots of changes for server too (new BIND, Apache, PostgreSQL, Django, MySQL, Samba)
  • Qemu 6.2.0 (massively improved RISC-V support)
  • Libvirt + swtpm for TPM emulation
    • virt-manager will then enable a TPM OOTB for UEFI boot of VMs
  • wireguard is now in main \o/
  • First LTS release for Ubuntu Desktop on RPi

Ubuntu Security Podcast on break for 1 week

  • Returning end of the first week of May 2022

Get in contact