Common scenarios when using pro fix to solve a CVE/USN

The Ubuntu Pro Client (pro) can be used to inspect and resolve Common Vulnerabilities and Exposures (CVEs) and Ubuntu Security Notices (USNs) on your machine.

Every CVE/USN is fixed by trying to upgrade all of the affected packages described by the CVE or USN. Sometimes, the package fixes can only be applied if an Ubuntu Pro service is already enabled on your machine.

In this article we will introduce the pro fix command, and then go into more details about the different scenarios you may encounter when using pro fix to resolve CVEs/USNs.

Note

If you want a simpler guide to get started with pro fix, start with our security features tutorial. You can use the same VM-based environment created in that tutorial to recreate the output shown below yourself. If you have already completed the tutorial, you may want to skip this section.

Use pro fix

First, let’s see what happens to your system when pro fix runs. We will start with a CVE that does not affect the system: for example, if you do not have MariaDB installed, CVE-2020-15180 does not apply to your machine.

Let’s first confirm that it doesn’t affect the system by running this command:

$ pro fix CVE-2020-15180

You should see an output like this:

CVE-2020-15180: MariaDB vulnerabilities
 - https://ubuntu.com/security/CVE-2020-15180

No affected source packages are installed.

✔ CVE-2020-15180 does not affect your system.

Every pro fix run produces output with the same structure. It:

  • describes the CVE/USN;

  • displays the affected packages;

  • fixes the affected packages; and

  • at the end, shows whether the CVE/USN is fully fixed on the machine.

This is best demonstrated in a pro fix call that does fix a package.

Therefore, let us install on the VM an older version of a package that we know is affected by CVE-2020-25686. You can install the package by running these commands:

$ sudo apt update
$ sudo apt install dnsmasq=2.75-1

Now, let’s run pro fix on the CVE:

$ sudo pro fix CVE-2020-25686

You will then see the following output:

CVE-2020-25686: Dnsmasq vulnerabilities
 - https://ubuntu.com/security/CVE-2020-25686

1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y dnsmasq }

✔ CVE-2020-25686 is resolved.

Note

We need to run the command with sudo because it will be installing a package on the system.

Whenever pro fix has a package to upgrade, it follows a consistent structure and displays the following, in this order:

  1. The affected package

  2. The availability of a fix

  3. The location of the fix, if one is available

  4. The command that will fix the issue

Also, at the end of the output you can see confirmation that the CVE was fixed by the command. To confirm that the fix was applied successfully, let’s run the pro fix command again; we should now see the following:

CVE-2020-25686: Dnsmasq vulnerabilities
 - https://ubuntu.com/security/CVE-2020-25686

1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
The update is already installed.

✔ CVE-2020-25686 is resolved.

CVE/USN without a released fix

Some CVEs/USNs do not have a fix released yet. When that happens, pro fix will let you know! This example output was captured in the past, and fixes may have been released since. To create this scenario we installed a known affected package for which no fix was available at the time, and then checked for an available fix:

$ sudo apt-get install -y expat=2.1.0-7 swish-e matanza ghostscript

Now, we can confirm that there is no fix by running the following command:

$ pro fix CVE-2017-9233

You will see the following output:

CVE-2017-9233: Coin3D vulnerability
 - https://ubuntu.com/security/CVE-2017-9233

3 affected source packages are installed: expat, matanza, swish-e
(1/3, 2/3) matanza, swish-e:
Ubuntu security engineers are investigating this issue.
(3/3) expat:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y expat }

2 packages are still affected: matanza, swish-e
✘ CVE-2017-9233 is not resolved.

As we can see, pro fix informs us that some packages do not have a fix available, and the last line states that the CVE is not resolved.

CVEs/USNs that require an Ubuntu Pro subscription

Some package fixes can only be installed when the machine is attached to an Ubuntu Pro subscription. When that happens, pro fix will tell you that. To see an example of this scenario, you can run the following fix command:

$ sudo pro fix USN-5079-2

The command will prompt you for a response, like this:

USN-5079-2: curl vulnerabilities
Associated CVEs:
 - https://ubuntu.com/security/CVE-2021-22946
 - https://ubuntu.com/security/CVE-2021-22947

Fixing requested USN-5079-2
1 affected package is installed: curl
(1/1) curl:
A fix is available in Ubuntu Pro: ESM Infra.
The update is not installed because this system is not attached to a
subscription.

Choose: [S]ubscribe at ubuntu.com [A]ttach existing token [C]ancel
>

We can see that the prompt is asking for an Ubuntu Pro subscription token. Any user with an Ubuntu One account is entitled to a free personal token to use with Ubuntu Pro.

If you choose the Subscribe option on the prompt, the command will ask you to go to the Ubuntu Pro portal. In the portal, you can get a free subscription token by logging in with your “Single Sign On” (SSO) credentials, the same credentials you use to log into https://login.ubuntu.com.

After getting your Ubuntu Pro token, you can hit Enter on the prompt and it will ask you to provide the token you just obtained. After entering the token you should now see the following output:

USN-5079-2: curl vulnerabilities
Associated CVEs:
 - https://ubuntu.com/security/CVE-2021-22946
 - https://ubuntu.com/security/CVE-2021-22947

1 affected package is installed: curl
(1/1) curl:
A fix is available in Ubuntu Pro: ESM Infra.
The update is not installed because this system is not attached to a
subscription.

Choose: [S]ubscribe at ubuntu.com [A]ttach existing token [C]ancel
>A
Enter your token (from https://ubuntu.com/pro) to attach this system:
> TOKEN
{ pro attach TOKEN }
Updating Ubuntu Pro: ESM Apps package lists
Ubuntu Pro: ESM Apps enabled
Enabling default service esm-infra
Updating Ubuntu Pro: ESM Infra package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Installing snapd snap
Installing canonical-livepatch snap
Canonical Livepatch enabled
{ apt update && apt install --only-upgrade -y curl libcurl3-gnutls }

✔ USN-5079-2 is resolved.

Found related USNs:
- USN-5079-1

Fixing related USNs:
- USN-5079-1
No affected source packages are installed.

✔ USN-5079-1 does not affect your system.

Summary:
✔ USN-5079-2 [requested] is resolved.
✔ USN-5079-1 [related] does not affect your system.

We can see that this command also handled the related USN, USN-5079-1. If you want to learn more about related USNs, refer to our explanation guide.

Finally, we can see that the attach command was successful, which is confirmed by the status output printed while the command runs. We can also observe that the USN is indeed fixed, which you can confirm by running the pro fix command again:

USN-5079-2: curl vulnerabilities
Associated CVEs:
 - https://ubuntu.com/security/CVE-2021-22946
 - https://ubuntu.com/security/CVE-2021-22947

Fixing requested USN-5079-2
1 affected package is installed: curl
(1/1) curl:
A fix is available in Ubuntu Pro: ESM Infra.
The update is already installed.

✔ USN-5079-2 is resolved.

Found related USNs:
 - USN-5079-1

Fixing related USNs:
 - USN-5079-1
No affected source packages are installed.

✔ USN-5079-1 does not affect your system.

Summary:
✔ USN-5079-2 [requested] is resolved.
✔ USN-5079-1 [related] does not affect your system.

Note

Even though we are not covering this scenario here, if you have an expired contract, pro fix will detect that and prompt you to attach a new token for your machine.

CVEs/USNs that require an Ubuntu Pro service

Now, let’s assume that you have attached to an Ubuntu Pro subscription, but when running pro fix, the required service that fixes the issue is not enabled. In that situation, pro fix will also prompt you to enable that service.

To confirm that, run the following command to disable esm-infra:

$ sudo pro disable esm-infra

Now, you can run the following command:

$ sudo pro fix CVE-2023-1523

And you should see the following output (if you type E when prompted):

CVE-2023-1523: snapd vulnerability
 - https://ubuntu.com/security/CVE-2023-1523

1 affected source package is installed: snapd
(1/1) snapd:
A fix is available in Ubuntu Pro: ESM Infra.
The update is not installed because this system does not have
esm-infra enabled.

Choose: [E]nable esm-infra [C]ancel
> E
{ pro enable esm-infra }
Updating Ubuntu Pro: ESM Infra package lists
Ubuntu Pro: ESM Infra enabled
{ apt update && apt install --only-upgrade -y snapd ubuntu-core-launcher }

✔ CVE-2023-1523 is resolved.

We can observe that the required service was enabled and pro fix was able to successfully upgrade the affected package.

CVEs/USNs that require a reboot

When running the pro fix command, the package upgrade it installs sometimes requires a system reboot to complete. The pro fix command can detect this and will inform you about it.

You can confirm this by running the following fix command:

$ sudo pro fix CVE-2023-3817

Then you will see the following output:

CVE-2023-3817: OpenSSL vulnerabilities
 - https://ubuntu.com/security/CVE-2023-3817

1 affected source package is installed: openssl
(1/1) openssl:
A fix is available in Ubuntu Pro: ESM Infra.
{ apt update && apt install --only-upgrade -y libssl1.0.0 openssl }

A reboot is required to complete fix operation.
✘ CVE-2023-3817 is not resolved.

If you reboot the machine and run the command again, you will see that it is indeed fixed:

CVE-2023-3817: OpenSSL vulnerabilities
 - https://ubuntu.com/security/CVE-2023-3817

1 affected source package is installed: openssl
(1/1) openssl:
A fix is available in Ubuntu Pro: ESM Infra.
The update is already installed.

✔ CVE-2023-3817 is resolved.

Partially resolved CVEs/USNs

Finally, you might run a pro fix command that only fixes some of the affected packages. This happens when only a subset of the affected packages have updates available for that CVE/USN.

In this case, pro fix will tell you which package(s) it can and cannot fix. In this example, we install the affected packages so we can run pro fix against them to demonstrate the scenario.

$ sudo apt-get install expat=2.1.0-7 swish-e matanza ghostscript

Now, you can run the following command:

$ sudo pro fix CVE-2017-9233

And you will see the following output:

CVE-2017-9233: Expat vulnerability
 - https://ubuntu.com/security/CVE-2017-9233

3 affected source packages are installed: expat, matanza, swish-e
(1/3, 2/3) matanza, swish-e:
Ubuntu security engineers are investigating this issue.
(3/3) expat:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y expat }

2 packages are still affected: matanza, swish-e
✘ CVE-2017-9233 is not resolved.

We can see that two packages, matanza and swish-e, don’t have any fixes available, but there is one for expat. So pro fix installs the fix for expat, and at the end of the report we can see that some packages are still affected.

As before, in this scenario pro fix marks the CVE/USN as not resolved.
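All of the scenarios above produce output with the structure described in the Use pro fix section: the affected packages, whether a fix is available and where, the command that was run, and a final ✔/✘ verdict line. When pro fix is run across many machines, that output is what has to be classified to decide which hosts still need attention. The following is an added example, not part of the Ubuntu Pro Client or of this documentation, that parses the transcripts shown on this page into the outcomes discussed: not affected, resolved, not resolved because a reboot is pending, not resolved because some packages still have no fix, or stopped at a prompt because a subscription or service is missing. The sample transcripts in SAMPLES are constructed from the outputs above, and the marker strings the parser matches are assumed to be stable across client versions.

```python
"""Classify a `pro fix` run from its human-readable output.

Added example; not part of the Ubuntu Pro Client or its documentation.
The transcripts in SAMPLES are constructed from the outputs on this page.
The marker strings matched here (the final tick/cross line, "A reboot is
required", "packages are still affected", "not attached to a subscription",
"does not have <service> enabled") are assumed stable; anything that does
not match stays "unknown" and is never reported as resolved.
"""
import re
from dataclasses import dataclass, field

@dataclass
class FixReport:
    issue: str = "unknown"          # requested CVE-... or USN-... identifier
    outcome: str = "unknown"        # not_affected | resolved | reboot_required |
                                    # still_affected | needs_subscription | needs_service
    still_affected: list = field(default_factory=list)
    blocked_on: str = ""            # service name when outcome == needs_service
    commands: list = field(default_factory=list)   # the "{ ... }" lines pro fix ran

OUTCOMES_OK = {"not_affected", "resolved"}   # everything else needs follow-up

_ISSUE_RE = re.compile(r"^(CVE-\d{4}-\d+|USN-\d+-\d+):")
_CMD_RE = re.compile(r"^\{ (.*) \}$")
_STILL_RE = re.compile(r"^\d+ packages? (?:are|is) still affected: (.*)$")
_SERVICE_RE = re.compile(r"does not have (\S+) enabled")

def parse_fix_output(text: str) -> FixReport:
    report = FixReport()
    lines = [ln.strip() for ln in text.strip().splitlines()]
    for ln in lines:
        if report.issue == "unknown" and (m := _ISSUE_RE.match(ln)):
            report.issue = m.group(1)           # first header names the requested issue
        elif m := _CMD_RE.match(ln):
            report.commands.append(m.group(1))
        elif m := _STILL_RE.match(ln):
            report.still_affected = [p.strip() for p in m.group(1).split(",")]
    # The first tick/cross line for the requested issue is its verdict; related
    # USNs and the Summary block (marked "[requested]") are printed after it.
    verdict = next((ln for ln in lines
                    if re.match(rf"^[✔✘] {re.escape(report.issue)} ", ln)), None)
    flat = " ".join(lines)   # explanatory sentences wrap across two lines
    if verdict is None:
        # No verdict: the run stopped at a prompt (or was cancelled) before fixing.
        if "not attached to a subscription" in flat:
            report.outcome = "needs_subscription"
        elif m := _SERVICE_RE.search(flat):
            report.outcome, report.blocked_on = "needs_service", m.group(1)
    elif verdict.endswith("does not affect your system."):
        report.outcome = "not_affected"
    elif verdict.endswith("is resolved."):
        report.outcome = "resolved"
    elif verdict.endswith("is not resolved."):
        report.outcome = "reboot_required" if "A reboot is required" in flat else "still_affected"
    return report

def needs_attention(report: FixReport) -> bool:
    """True when an operator or a later run still has something to do."""
    return report.outcome not in OUTCOMES_OK

SAMPLES = {  # constructed from the transcripts on this page; URL and blank lines dropped
    "not_affected": """CVE-2020-15180: MariaDB vulnerabilities
No affected source packages are installed.
✔ CVE-2020-15180 does not affect your system.""",
    "resolved": """CVE-2020-25686: Dnsmasq vulnerabilities
1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y dnsmasq }
✔ CVE-2020-25686 is resolved.""",
    "still_affected": """CVE-2017-9233: Expat vulnerability
3 affected source packages are installed: expat, matanza, swish-e
(1/3, 2/3) matanza, swish-e:
Ubuntu security engineers are investigating this issue.
(3/3) expat:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y expat }
2 packages are still affected: matanza, swish-e
✘ CVE-2017-9233 is not resolved.""",
    "reboot_required": """CVE-2023-3817: OpenSSL vulnerabilities
1 affected source package is installed: openssl
(1/1) openssl:
A fix is available in Ubuntu Pro: ESM Infra.
{ apt update && apt install --only-upgrade -y libssl1.0.0 openssl }
A reboot is required to complete fix operation.
✘ CVE-2023-3817 is not resolved.""",
    "needs_service": """CVE-2023-1523: snapd vulnerability
1 affected source package is installed: snapd
(1/1) snapd:
A fix is available in Ubuntu Pro: ESM Infra.
The update is not installed because this system does not have
esm-infra enabled.
Choose: [E]nable esm-infra [C]ancel
>""",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        r = parse_fix_output(sample)
        print(f"{r.issue:15} {r.outcome:17} {'ATTENTION' if needs_attention(r) else 'ok'}")
```

Two points follow from the scenarios above. A reboot_required result should stay open in your tracking until after the reboot, because pro fix itself keeps reporting the CVE as not resolved until then. And the two "stopped at a prompt" outcomes mean the machine needs an attach or enable step, not a package fix, so they are worth routing to whoever manages subscriptions rather than retrying blindly. Parsing human-readable output is inherently brittle: keep the unknown outcome as the default and alert on it, so a wording change in a future client version surfaces as noise rather than as a silently "fixed" host.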

Success!

Congratulations! You have learned about the various scenarios that pro fix might encounter, so you will understand what is happening when you use it in a variety of situations.

Next steps

There are further options to control exactly what will happen when running pro fix; read about them in:

If you need more information about this, please feel free to reach out to the Ubuntu Pro Client team on #ubuntu-server on Libera IRC – we’re happy to help!

Alternatively, if you have a GitHub account, click on the “Give feedback” link at the top of this page to leave us a message. We’d love to hear from you!