Check if a system is affected by a list of CVEs
The Ubuntu Pro Client (pro) can be used to inspect and resolve Common Vulnerabilities and Exposures (CVEs) and Ubuntu Security Notices (USNs) on your machine.
Every CVE/USN is fixed by trying to upgrade all of the affected packages described by the CVE or USN. Sometimes, the package fixes can only be applied if an Ubuntu Pro service is already enabled on your machine.
If you have a list of CVEs and/or USNs and want to check if your Ubuntu system is affected by them, you can check using the u.pro.security.fix.cve.plan.v1 API endpoint, as we'll show you in this guide.
Note
The u.pro.security.fix.cve.plan API endpoint is provided as part of the Ubuntu Pro Client (pro), which is a security tool for Ubuntu systems. The Ubuntu Pro Client comes pre-installed on every Ubuntu system. You can run pro help in your terminal window to see a list of the pro services and commands available.
Using the pro.fix.cve.plan API
To check if your system is affected by a list of CVEs, you need to use the u.pro.security.fix.cve.plan.v1 API endpoint, since the pro fix --dry-run CLI command is only used to check individual CVEs. The API endpoint will output a JSON blob containing the current status of each CVE, as can be seen in the endpoint documentation.
To better visualise the current status of each CVE from the JSON output we can use a jq filter. The jq command can parse JSON data directly in the terminal, creating a more readable output. For more details about jq, refer to the manual page.
First, we need to install jq by running the following command:
sudo apt update && sudo apt install jq -y
Once jq is installed, we can parse the JSON data returned from the plan API. For example, if we want to see if our system is affected by the CVEs:
CVE-2020-28196
CVE-2020-15180
CVE-2017-9233
We make use of the plan API by running the following command:
pro api u.pro.security.fix.cve.plan.v1 --data '{"cves": ["CVE-2020-28196", "CVE-2020-15180", "CVE-2017-9233"]}' \
| jq -r '.data.attributes.cves_data.cves[] | "\(.title) (\(.description)) - Current Status: \(.current_status)"'
This command returns output with the following structure:
CVE-2020-28196 (Kerberos vulnerability) - Current Status: not-affected
CVE-2020-15180 (MariaDB vulnerabilities) - Current Status: not-affected
CVE-2017-9233 (Coin3D vulnerability) - Current Status: not-affected
Note that each entry in this output consists of three fields:
CVE NAME: The name of the CVE
CVE DESCRIPTION: The description of the CVE
CVE STATUS: The current status of the CVE
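To turn the plan endpoint's output into a pass/fail check that a scheduled job can act on, the same three fields can be read from the JSON directly instead of through jq. This is an added example and not part of the Ubuntu Pro Client documentation: the response below is a constructed sample that mirrors the structure the jq filter above walks (data.attributes.cves_data.cves with title, description and current_status); "not-affected" is the only status value shown on this page, so any other value is treated as needing follow-up, and the other status string in the sample is a placeholder rather than a value taken from the API.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample: same shape as .data.attributes.cves_data.cves[] in
# the jq filter, not real output from a machine. "placeholder-status" is a
# stand-in for "anything other than not-affected".
SAMPLE_RESPONSE = json.dumps({
    "data": {"attributes": {"cves_data": {"cves": [
        {"title": "CVE-2020-28196", "description": "Kerberos vulnerability",
         "current_status": "not-affected"},
        {"title": "CVE-2020-15180", "description": "MariaDB vulnerabilities",
         "current_status": "placeholder-status"},
        {"title": "CVE-2017-9233", "description": "Coin3D vulnerability",
         "current_status": "not-affected"},
    ]}}}
})

def plan_command(cves: List[str]) -> List[str]:
    """Build the argv for the plan endpoint; the CVE list goes in --data."""
    return ["pro", "api", "u.pro.security.fix.cve.plan.v1",
            "--data", json.dumps({"cves": cves})]

def query_plan(cves: List[str]) -> str:
    """Run the API call and return its raw JSON (needs the pro client)."""
    return subprocess.run(plan_command(cves), check=True,
                          capture_output=True, text=True).stdout

def cve_entries(raw_json: str) -> List[dict]:
    """The per-CVE records the jq filter iterates over."""
    return json.loads(raw_json)["data"]["attributes"]["cves_data"]["cves"]

def cve_statuses(raw_json: str) -> Dict[str, str]:
    """Map each CVE name to its current_status."""
    return {c["title"]: c["current_status"] for c in cve_entries(raw_json)}

def needs_attention(raw_json: str) -> List[str]:
    """CVEs whose status is anything other than not-affected, sorted."""
    return sorted(t for t, s in cve_statuses(raw_json).items()
                  if s != "not-affected")

def report(raw_json: str) -> List[str]:
    """Render the same one-line-per-CVE format the jq filter produces."""
    return [f"{c['title']} ({c['description']}) - Current Status: "
            f"{c['current_status']}" for c in cve_entries(raw_json)]

if __name__ == "__main__":
    for line in report(SAMPLE_RESPONSE):
        print(line)
    # Non-zero exit when any CVE is not cleared, for use in a scheduled check.
    raise SystemExit(1 if needs_attention(SAMPLE_RESPONSE) else 0)
```

Replace SAMPLE_RESPONSE with query_plan([...]) on a machine that has the pro client to run the check against live data.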