Check if a system is affected by a list of CVEs

The Ubuntu Pro Client (pro) can be used to inspect and resolve Common Vulnerabilities and Exposures (CVEs) and Ubuntu Security Notices (USNs) on your machine.

Every CVE/USN is fixed by trying to upgrade all of the affected packages described by the CVE or USN. Sometimes, the package fixes can only be applied if an Ubuntu Pro service is already enabled on your machine.

If you have a list of CVEs and/or USNs and want to check if your Ubuntu system is affected by them, you can check using the u.pro.security.fix.cve.plan.v1 API endpoint as we’ll show you in this guide.

Note

The u.pro.security.fix.cve.plan API endpoint is provided as part of the Ubuntu Pro Client (pro), which is a security tool for Ubuntu systems. The Ubuntu Pro Client comes pre-installed on every Ubuntu system. You can run pro help in your terminal window to see a list of the pro services and commands available.

Using the pro.fix.cve.plan API

To check if your system is affected by a list of CVEs, you need to use the u.pro.security.fix.cve.plan.v1 API endpoint, since the pro fix --dry-run CLI command is only used to check individual CVEs. The API endpoint will output a JSON blob containing the current status of each CVE, as can be seen in the endpoint documentation.

To better visualise the current status of each CVE from the JSON output, we can use a jq filter. The jq command parses JSON data directly in the terminal, producing a more readable output. For more details about jq, refer to its manual page.

First, we need to install jq by running the following command:

sudo apt update && sudo apt install jq -y

Once jq is installed, we can parse the JSON data returned from the plan API.

For example, if we want to see if our system is affected by the CVEs:

  • CVE-2020-28196

  • CVE-2020-15180

  • CVE-2017-9233

We make use of the plan API by running the following command:

pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196", "CVE-2020-15180", "CVE-2017-9233"]}' \
     | jq -r '.data.attributes.cves_data.cves[] | "\(.title) (\(.description)) - Current Status: \(.current_status)"'

This command returns output with the following structure:

CVE-2020-28196 (Kerberos vulnerability) - Current Status: not-affected
CVE-2020-15180 (MariaDB vulnerabilities) - Current Status: not-affected
CVE-2017-9233 (Coin3D vulnerability) - Current Status: not-affected

Note that each entry in this output consists of three fields:

  • CVE NAME: The name of the CVE

  • CVE DESCRIPTION: The description of the CVE

  • CVE STATUS: The current status of the CVE
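For a scripted check (for example in a fleet audit job), the same endpoint can be queried and parsed without jq. The following is an added example, not part of the Ubuntu Pro Client documentation: it relies only on the response fields shown above (cves_data.cves[].title, .description, .current_status), builds the --data argument with json.dumps rather than hand-edited JSON, and returns a non-zero exit code when any CVE is in a state other than not-affected. The embedded sample response is constructed so the parsing can be exercised offline.

```python
"""Check a list of CVEs against u.pro.security.fix.cve.plan.v1 (added example)."""
import json
import subprocess
import sys

ENDPOINT = "u.pro.security.fix.cve.plan.v1"

# Constructed sample response in the shape the jq filter on this page reads.
# The "still-affected" label is a constructed value for demonstration only.
SAMPLE_RESPONSE = json.dumps({
    "data": {"attributes": {"cves_data": {"cves": [
        {"title": "CVE-2020-28196", "description": "Kerberos vulnerability",
         "current_status": "not-affected"},
        {"title": "CVE-2020-15180", "description": "MariaDB vulnerabilities",
         "current_status": "still-affected"},
    ]}}}
})


def summarize(response_text):
    """Return [(cve, description, status), ...] from the endpoint's JSON."""
    payload = json.loads(response_text)
    cves = payload["data"]["attributes"]["cves_data"]["cves"]
    return [(c["title"], c["description"], c["current_status"]) for c in cves]


def affected(response_text):
    """CVEs whose current status is anything other than 'not-affected'."""
    return [row for row in summarize(response_text) if row[2] != "not-affected"]


def query_plan(cves):
    """Run `pro api` for the given CVE list and return the raw JSON text."""
    data = json.dumps({"cves": cves})  # safe quoting of the --data payload
    result = subprocess.run(["pro", "api", ENDPOINT, "--data", data],
                            capture_output=True, text=True, check=True)
    return result.stdout


def main(argv):
    # With no CVEs on the command line, fall back to the constructed sample.
    response = query_plan(argv) if argv else SAMPLE_RESPONSE
    for cve, desc, status in summarize(response):
        print(f"{cve} ({desc}) - Current Status: {status}")
    return 1 if affected(response) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python3 check_cves.py CVE-2020-28196 CVE-2020-15180 CVE-2017-9233` on a machine with pro installed; the exit code makes it usable directly from a cron job or CI step.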