How to check if a system is affected by a CVE/USN?#

The Ubuntu Pro Client (pro) can be used to inspect and resolve Common Vulnerabilities and Exposures (CVEs) and Ubuntu Security Notices (USNs) on your machine.

Every CVE/USN is fixed by trying to upgrade all of the affected packages described by the CVE or USN. Sometimes, the package fixes can only be applied if an Ubuntu Pro service is already enabled on your machine.

If you’ve found a Common Vulnerabilities and Exposure (CVEs) and Ubuntu Security Notice (USNs) and want to check if your Ubuntu system is affected by it, you can check using the pro fix command as we’ll show you in this guide.


The pro fix command is part of the Ubuntu Pro Client (pro), which is a security tool for Ubuntu systems. The Ubuntu Pro Client comes pre-installed on every Ubuntu system. You can run pro help in your terminal window to see a list of the pro services and commands available.

Perform a “dry run”#

A “dry run” lets you simulate running the pro fix command without actually making any changes to your system. This is useful for checking if a CVE affects your system and whether a fix is available.

Let’s see what happens when we perform a dry run with the pro fix command.

Every pro fix output has a similar output structure. It:

  • describes the CVE/USN;

  • displays the affected packages;

  • fixes the affected packages; and

  • at the end, shows if the CVE/USN is fully fixed in the machine.

To perform a dry run, use the --dry-run option with the pro fix command followed by the CVE identifier:

pro fix --dry-run CVE-XXXX-XXXX

Replace CVE-XXXX-XXXX with the actual CVE identifier you want to check.

Output of a “dry run”#

The output of the dry run will indicate whether your system is affected by the CVE and if a fix is available. Here are some possible scenarios:

CVE does not affect your system#

Here, for example, We will choose to fix a CVE that does not affect the system – for example if you do not have MariaDB installed and want to check CVE-2020-15180.

pro fix --dry-run CVE-2020-15180

You should see an output like this:

CVE-2020-15180: MariaDB vulnerabilities

No affected source packages are installed.

✔ CVE-2020-15180 does not affect your system.

CVE affects your system, and a fix is available#

Let’s simulate a scenario where an older package associated with CVE-2020-25686 is installed on the machine.

sudo pro fix --dry-run CVE-2020-25686

The output will indicate that the system is affected and a fix is available:

CVE-2020-25686: Dnsmasq vulnerabilities

1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y dnsmasq }

✔ CVE-2020-25686 is resolved.

CVE affects your system, but no fix is available#

Some CVEs/USNs do not have a fix released yet. When that happens, the dry run output will let you know. This is example output created in the past, for which there might be fixes later on. To create this scenario we installed a known affected package with no fix (at the time) and then checked for an available fix:

sudo apt-get install -y expat=2.1.0-7 swish-e matanza ghostscript

Now, we can confirm that there is no fix by running the following command:

pro fix --dry-run CVE-2017-9233

You will see the following output:

CVE-2017-9233: Coin3D vulnerability

3 affected source packages are installed: expat, matanza, swish-e
(1/3, 2/3) matanza, swish-e:
Ubuntu security engineers are investigating this issue.
(3/3) expat:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y expat }

2 packages are still affected: matanza, swish-e
✘ CVE-2017-9233 is not resolved.

CVE that requires a Pro service#

Assuming you have attached to a Pro subscription, when running the pro fix command you may see that the service required to fix the issue is not enabled. In this situation, pro fix will also prompt you to enable that service.

For example, if you want to fix the issue CVE-2023-1523 which requires the Pro service esm-infra and you run the following command:

sudo pro fix --dry-run CVE-2023-1523

You will see the following output (if you type E to enable the service when prompted):

CVE-2023-1523: snapd vulnerability

1 affected source package is installed: snapd
(1/1) snapd:
A fix is available in Ubuntu Pro: ESM Infra.
The update is not installed because this system does not have
esm-infra enabled.

Choose: [E]nable esm-infra [C]ancel
> E
{ pro enable esm-infra }
Updating Ubuntu Pro: ESM Infra package lists
Ubuntu Pro: ESM Infra enabled
{ apt update && apt install --only-upgrade -y snapd ubuntu-core-launcher }

✔ CVE-2023-1523 is resolved.

We can observe that the required service was enabled and pro fix was able to successfully upgrade the affected package.

Here we see how performing a dry run with the pro fix command is a quick and safe way to check if your system is affected by a specific CVE and also see if a fix is available.


Here we see how performing a dry run with the pro fix command is a quick and safe way to check if your system is affected by a specific CVE and also see if a fix is available. If a fix is available, you can apply the fix by running the command provided in the output. To learn how to resolve a CVE using the pro fix command, refer to the guide on How to resolve a CVE/USN.

Additional resources#

This is not the only scenario where you might want to use pro fix. To find out about the other situations where it can be useful, as well as which options can be used to give you greater control over the command, you can refer to the following guides:

If you need more information about this, please feel free to reach out to the Ubuntu Pro Client team on #ubuntu-server on Libera IRC – we’re happy to help!

Alternatively, if you have a GitHub account, click on the “Give feedback” link at the top of this page to leave us a message. We’d love to hear from you!