Episode 195
Posted on Friday, May 19, 2023
Alex and Camila discuss security update management strategies after a recent
outage at Datadog was attributed to a security update for systemd on Ubuntu,
plus we look at security vulnerabilities in the Linux kernel, OpenStack,
Synapse, OpenJDK and more.
Show Notes
Overview
Alex and Camila discuss security update management strategies after a recent outage at Datadog was attributed to a security update for systemd on Ubuntu, plus we look at security vulnerabilities in the Linux kernel, OpenStack, Synapse, OpenJDK and more.
This week in Ubuntu Security Updates
66 unique CVEs addressed
[USN-6069-1] Linux kernel (Raspberry Pi) vulnerability (01:01)
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 raspi in 20.04 / 18.04 HWE
- [USN-6058-1] Linux kernel vulnerability from Episode 194
- UAF in Traffic-Control Index (TCINDEX) filter from April this year - fix simply removes this classifier from the kernel
[USN-6070-1] Linux kernel vulnerabilities (01:37)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 raspi in 22.04, Azure FDE in 20.04
- TCINDEX UAF plus UAF in
io_uring
[USN-6071-1] Linux kernel (OEM) vulnerabilities (01:58)
- 12 CVEs addressed in Jammy (22.04 LTS)
- 5.17
- UAFs in TCINDEX,
io_uring, logic issue in OverlayFS ([USN-6057-1] Linux kernel (Intel IoTG) vulnerabilities from Episode 194), race-condition in handling of handling of copy-on-write read-only shared memory mappings - unpriv user could then get write on these read-only mappings -> privesc
[USN-6072-1] Linux kernel (OEM) vulnerabilities (02:31)
- 6 CVEs addressed in Jammy (22.04 LTS)
- 6.0
- UAFs in TCINDEX,
io_uring, logic issue in OverlayFS
[USN-6079-1] Linux kernel vulnerabilities (02:49)
- 25 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
- CVE-2023-1118
- CVE-2023-32269
- CVE-2023-26544
- CVE-2023-23455
- CVE-2023-23454
- CVE-2023-2162
- CVE-2023-21106
- CVE-2023-21102
- CVE-2023-1652
- CVE-2023-1513
- CVE-2023-1078
- CVE-2023-1075
- CVE-2023-1074
- CVE-2023-1073
- CVE-2023-0459
- CVE-2023-0458
- CVE-2023-0394
- CVE-2023-0210
- CVE-2022-48424
- CVE-2022-48423
- CVE-2022-4842
- CVE-2022-4129
- CVE-2022-3707
- CVE-2022-36280
- CVE-2022-27672
- 5.19 22.10 / 22.04 Azure
[USN-6080-1] Linux kernel vulnerabilities (02:55)
- 10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 22.04 / 20.04 HWE
[USN-6081-1] Linux kernel vulnerabilities (03:02)
- 5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 18.04 GA / 16.04 AWS (Ubuntu Pro)
[USN-6073-1, USN-6073-2, USN-6073-3, USN-6073-4] Cinder, Glance Store, Nova, os-brick vulnerability (03:14)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Inconsistency between Cinder (block storage service of OpenStack) and Nova (compute / virtual server provisioning) could result in storage volumes being attached to the wrong compute instances - would happen when trying to detach a volume from an instance
- Lots of interacting components, all need a consistent view of the system etc
[USN-6073-5] Nova regression
- Affecting Focal (20.04 LTS)
- Above update meant that in some circumstances Nova would be unable to detach volumes from instances
[USN-6074-1] Firefox vulnerabilities (04:15)
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 113.0
[USN-6074-2] Firefox regressions (04:27)
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 113.0.1 from upstream
[USN-6075-1] Thunderbird vulnerabilities (04:36)
- 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- 102.11.0
[USN-6060-3] MySQL regression (05:02)
- Affecting Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- [USN-6060-1, USN-6060-2] MySQL vulnerabilities from Episode 194
- Latest upstream release 8.0.33 introduced a regression on 32-bit ARM (armhf) - would crash on startup - to fix, reverted an upstream commit which was introduced to help with performance of atomic operations
[USN-6076-1] Synapse vulnerabilities (05:39)
- 7 CVEs addressed in Bionic (18.04 LTS)
- Matrix homeserver
- Various issues - signature checking on APIs, failure to properly apply event visibility rules, DoS - exploited in the wild, insufficient randomness when generating random IDs made them guessable, ability for unauthorised users to hijack rooms, more predictable randomness which could allow remote attackers to impersonate users, event spoofing due to improper signature validation - some of these require to be the admin of a room or to have a malicious server etc - but since Matrix is federated, this is not so implausible
[USN-6078-1] libwebp vulnerability (06:38)
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Double free when handling crafted content
[USN-6077-1] OpenJDK vulnerabilities (06:45)
- 7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Latest upstream point releases
- Most Ubuntu releases support more then 1 version of OpenJDK - this update is for OpenJDK versions 20, 17, 11 and 8 across the various Ubuntu releases
[USN-6082-1] EventSource vulnerability (07:02)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- EventSource client for NodeJS - info leak - could leak cookies and authorisation headers to third party applications - but should have been sanitising headers to avoid this as per same-origin-policy
Goings on in Ubuntu Security Community
Datadog outage and management of security updates (07:32)
- https://newsletter.pragmaticengineer.com/p/inside-the-datadog-outage
- Alex and Camila discuss a recent outage at Datadog on their Ubuntu systems that was triggered by a security update for systemd and the pros and cons of automatic security updates plus other approaches which can be taken to allow updates to be applied in a more controlled manner
- https://ubuntu.com/blog/3-ways-to-apply-security-patches-in-linux