Use pro fix to solve a CVE/USN

The Ubuntu Pro Client (pro) can be used to inspect and resolve Common Vulnerabilities and Exposures (CVEs) and Ubuntu Security Notices (USNs) on your machine.

Every CVE/USN is fixed by trying to upgrade all of the affected packages described by the CVE or USN. Sometimes, the package fixes can only be applied if an Ubuntu Pro service is already enabled on your machine.

In this tutorial, we will introduce the pro fix command and guide you through a simple example of using it to solve a CVE/USN.

There might be more scenarios that you may encounter using pro fix, but those are distracting from this tutorial and therefore available in the separate How to Understand scenarios encountered using pro fix to solve a CVE/USN.

Install Multipass

In this tutorial, we will use a Xenial Multipass virtual machine (VM) to avoid making any modifications to your machine. We have chosen Multipass for this tutorial because it allows us to easily launch VMs without requiring any complicated setup.

To install Multipass on your computer, run the following command on your machine:

$ sudo snap install multipass

Create the Xenial Multipass VM

Now that we have installed Multipass, we can launch our Multipass VM by running this command:

$ multipass launch xenial --name dev-x

Now we can access the VM by running the command:

$ multipass shell dev-x

Notice that when you run this command, your terminal username and hostname change to:

ubuntu@dev-x

This indicates that you are now inside the VM.

Finally, let’s run apt update and apt upgrade on the VM to make sure we are operating on the correct version of Xenial:

$ sudo apt update && sudo apt install ubuntu-advantage-tools

From now on, every time we say: “run the command” our intention is for you to run that command inside your VM.

Use pro fix

Every pro fix output has a similar output structure. It:

• describes the CVE/USN;

• displays the affected packages;

• fixes the affected packages; and

• at the end, shows if the CVE/USN is fully fixed in the machine.

This is best demonstrated in a pro fix call that does fix a package.

Therefore let us install an older package on the VM that we know is associated with CVE-2020-25686. You can install the package by running these commands:

$ sudo apt update
$ sudo apt install dnsmasq=2.75-1

Now, let’s run pro fix on the CVE:

$ sudo pro fix CVE-2020-25686

You will then see the following output:

CVE-2020-25686: Dnsmasq vulnerabilities
https://ubuntu.com/security/CVE-2020-25686

1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y dnsmasq }

✔ CVE-2020-25686 is resolved.

Note

We need to run the command with sudo because it will be installing a package on the system.

Whenever pro fix has a package to upgrade, it follows a consistent structure and displays the following, in this order:

1. The affected package

2. The availability of a fix

3. The location of the fix, if one is available

4. The command that will fix the issue

Also, at the end of the output you can see confirmation that the CVE was fixed by the command. Just to confirm that the fix was successfully applied, let’s run the pro fix command again, and we should now see the following:

CVE-2020-25686: Dnsmasq vulnerabilities
https://ubuntu.com/security/CVE-2020-25686

1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
The update is already installed.

✔ CVE-2020-25686 is resolved.

Success!

Congratulations! You successfully ran a Multipass VM and used it to encounter and resolve a CVE by using pro fix.

Close down the VM

When you are finished and want to leave the tutorial, you can shut down the VM by first pressing CTRL + D to exit it, and then running the following commands to delete the VM completely:

$ multipass delete dev-x
$ multipass purge

Next steps

We have successfully encountered and resolved the main scenarios that you might find when you run pro fix.

This is not the only scenario where you might want to use pro fix. To find out about the other situations where it can be useful, as well as which options can be used to give you greater control over the command, you can refer to the following guides:

• In Understanding scenarios encountered when using pro fix to solve a CVE/USN you can continue using the test environment you created here to explore different scenarios you might encounter and understand the different outputs you will find.

• How do I know what the pro fix command would change? will show you how to use pro fix in --dry-run mode to safely simulate the changes before they’re applied.

• How to skip fixing related USNs will show you how to only fix a single USN, even if other fixes are available.

If you need more information about this, please feel free to reach out to the Ubuntu Pro Client team on #ubuntu-server on Libera IRC – we’re happy to help!

Alternatively, if you have a GitHub account, click on the “Give feedback” link at the top of this page to leave us a message. We’d love to hear from you!