Use pro fix
to solve CVE/USN#
The Ubuntu Pro Client (pro
) can be used to inspect and resolve
Common Vulnerabilities and Exposures (CVE)
and Ubuntu Security Notices (USN)
on your machine.
Every CVE/USN is fixed by trying to upgrade all of the affected packages described by the CVE or USN. Sometimes, the package fixes can only be applied if an Ubuntu Pro service is already enabled on your machine.
In this tutorial, we will introduce the pro fix
command and test some common
scenarios that you may encounter.
How to use this tutorial#
The commands in each code block can be copied and pasted directly into your terminal. You can use the “copy code” button to the right-hand side of the block and this will copy the code for you (without the command prompt!).
Install Multipass#
In this tutorial, we will use a Xenial Multipass virtual machine (VM) to avoid making any modifications to your machine. We have chosen Multipass for this tutorial because it allows us to easily launch VMs without requiring any complicated setup.
To install Multipass on your computer, please run the following command on your machine:
$ sudo snap install multipass
Create the Xenial Multipass virtual machine#
Now that we have installed Multipass, we can launch our Multipass VM by running:
$ multipass launch xenial --name dev-x
Now we can access the VM easily by running the command:
$ multipass shell dev-x
Notice that your terminal username and hostname will change to:
ubuntu@dev-x
This indicates that you are now inside the VM.
Finally, let’s run apt update
and apt upgrade
on the VM to make sure we are
operating on the correct version:
$ sudo apt update && sudo apt upgrade -y
From now on, every time we say: “run the command” our intention is for you to run that command in your VM.
Use pro fix
#
First, let’s see what happens to your system when pro fix
runs. We will choose
to fix a CVE that does not affect the VM – in this case,
CVE-2020-15180. This CVE address
security issues for the MariaDB
package, which is not installed on the system.
Let’s first confirm that it doesn’t affect the system by running this command:
$ pro fix CVE-2020-15180
You should see an output like this:
CVE-2020-15180: MariaDB vulnerabilities
https://ubuntu.com/security/CVE-2020-15180
No affected source packages are installed.
✔ CVE-2020-15180 does not affect your system.
Every pro fix
output has a similar output structure: it describes the
CVE/USN; displays the affected packages; fixes the affected packages; and at the
end, shows if the CVE/USN is fully fixed in the machine.
This is better demonstrated in a pro fix
call that does fix a package!
Let’s install a package on the VM that we know is associated with
CVE-2020-25686.
You can install the package by running these commands:
$ sudo apt update
$ sudo apt install dnsmasq=2.75-1
Now, let’s run pro fix
on the package:
$ sudo pro fix CVE-2020-25686
You will then see the following output:
CVE-2020-25686: Dnsmasq vulnerabilities
https://ubuntu.com/security/CVE-2020-25686
1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y dnsmasq }
✔ CVE-2020-25686 is resolved.
Note
We need to run the command with sudo
because we are now installing a package
on the system.
Whenever pro fix
has a package to upgrade, it follows a consistent structure
and displays the following, in this order:
The affected package
The availability of a fix
The location of the fix, if one is available
The command that will fix the issue
Also, at the end of the output you can see confirmation that the CVE was fixed
by the command. Just to confirm that the fix was successfully applied, let’s
run the pro fix
command again, and we should now see the following:
CVE-2020-25686: Dnsmasq vulnerabilities
https://ubuntu.com/security/CVE-2020-25686
1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
The update is already installed.
✔ CVE-2020-25686 is resolved.
CVE/USN without a released fix#
Some CVE/USN do not have a fix released yet. When that happens, pro fix
will
let you know! Before we reproduce this scenario, let us first install a package
that we know has no fix available by running:
$ sudo apt-get install -y expat=2.1.0-7 swish-e matanza ghostscript
Now, we can confirm that there is no fix by running the following command:
$ pro fix CVE-2017-9233
You will see the following output:
CVE-2017-9233: Coin3D vulnerability
- https://ubuntu.com/security/CVE-2017-9233
3 affected source packages are installed: expat, matanza, swish-e
(1/3, 2/3) matanza, swish-e:
Ubuntu security engineers are investigating this issue.
(3/3) expat:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y expat }
2 packages are still affected: matanza, swish-e
✘ CVE-2017-9233 is not resolved.
As you can see, we are informed by pro fix
that some packages do not have a fix available. In
the last line, we can also see that the CVE is not resolved.
CVE/USN that require an Ubuntu Pro subscription#
Some package fixes can only be installed when the machine is attached to an
Ubuntu Pro subscription. When that happens, pro fix
will let you know about
that. To see an example of this scenario, you can run the following fix command:
$ sudo pro fix USN-5079-2
The command will prompt you for a response, like this:
USN-5079-2: curl vulnerabilities
Associated CVEs:
https://ubuntu.com/security/CVE-2021-22946
https://ubuntu.com/security/CVE-2021-22947
Fixing requested USN-5079-2
1 affected package is installed: curl
(1/1) curl:
A fix is available in Ubuntu Pro: ESM Infra.
The update is not installed because this system is not attached to a
subscription.
Choose: [S]ubscribe at ubuntu.com [A]ttach existing token [C]ancel
>
You can see that the prompt is asking for an Ubuntu Pro subscription token. Any user with a Ubuntu One account is entitled to a free personal token to use with Ubuntu Pro.
If you choose the Subscribe
option on the prompt, the command
will ask you to go to the
Ubuntu Pro portal. In the portal, you can get a free
subscription token by logging in with your “Single Sign On” (SSO) credentials;
the same credentials you use to log into https://login.ubuntu.com.
After getting your Ubuntu Pro token, you can hit Enter on the prompt and it will ask you to provide the token you just obtained. After entering the token you should now see the following output:
USN-5079-2: curl vulnerabilities
Associated CVEs:
https://ubuntu.com/security/CVE-2021-22946
https://ubuntu.com/security/CVE-2021-22947
1 affected package is installed: curl
(1/1) curl:
A fix is available in Ubuntu Pro: ESM Infra.
The update is not installed because this system is not attached to a
subscription.
Choose: [S]ubscribe at ubuntu.com [A]ttach existing token [C]ancel
>S
Open a browser to: https://ubuntu.com/pro
Hit [Enter] when subscription is complete.
Enter your token (from https://ubuntu.com/pro) to attach this system:
> TOKEN
{ pro attach TOKEN }
Enabling default service esm-infra
Updating package lists
Ubuntu Pro: ESM Infra enabled
This machine is now attached to 'SUBSCRIPTION'
SERVICE ENTITLED STATUS DESCRIPTION
cis yes disabled Center for Internet Security Audit Tools
esm-infra yes enabled Expanded Security Maintenance for Infrastructure
fips yes n/a NIST-certified core packages
fips-updates yes n/a NIST-certified core packages with priority security updates
livepatch yes n/a Canonical Livepatch service
NOTICES
Operation in progress: pro attach
Enable services with: pro enable <service>
Account: Ubuntu Pro Client Test
Subscription: SUBSCRIPTION
Valid until: 9999-12-31 00:00:00+00:00
Technical support level: essential
{ apt update && apt install --only-upgrade -y curl libcurl3-gnutls }
✔ USN-5079-2 is resolved.
Found related USNs:
- USN-5079-1
Fixing related USNs:
- USN-5079-1
No affected source packages are installed.
✔ USN-5079-1 does not affect your system.
Summary:
✔ USN-5079-2 [requested] is resolved.
✔ USN-5079-1 [related] does not affect your system.
We can see that this command also fixed related USN USN-5079-1. If you want to learn more about related USNs, refer to our explanation guide
Finally, we can see that that the attach command was successful, which can be verified
by the status output we see when executing the command. Additionally, we can
observe that the USN is indeed fixed, which you can confirm by running the
pro fix
command again:
USN-5079-2: curl vulnerabilities
Associated CVEs:
https://ubuntu.com/security/CVE-2021-22946
https://ubuntu.com/security/CVE-2021-22947
1 affected package is installed: curl
(1/1) curl:
A fix is available in Ubuntu Pro: ESM Infra.
The update is already installed.
✔ USN-5079-2 is resolved.
Note
Even though we are not covering this scenario here, if you have an expired
contract, pro fix
will detect that and prompt you to attach a new token for
your machine.
CVE/USN that require a Ubuntu Pro service#
Now, let’s assume that you have attached to an Ubuntu Pro subscription, but
when running pro fix
, the required service that fixes the issue is not
enabled. In that situation, pro fix
will also prompt you to enable that
service.
To confirm that, run the following command to disable esm-infra
:
$ sudo pro disable esm-infra
Now, you can run the following command:
$ sudo pro fix CVE-2021-44731
And you should see the following output (if you type E
when
prompted):
CVE-2021-44731: snapd vulnerabilities
https://ubuntu.com/security/CVE-2021-44731
1 affected package is installed: snapd
(1/1) snapd:
A fix is available in Ubuntu Pro: ESM Infra.
The update is not installed because this system does not have
esm-infra enabled.
Choose: [E]nable esm-infra [C]ancel
> E
{ pro enable esm-infra }
One moment, checking your subscription first
Updating package lists
Ubuntu Pro: ESM Infra enabled
{ apt update && apt install --only-upgrade -y ubuntu-core-launcher snapd }
✔ CVE-2021-44731 is resolved.
You can observe that the required service was enabled and pro fix
was able to
successfully upgrade the affected package.
CVE/USN that require a reboot#
When running the pro fix
command, sometimes we can install a package that
requires a system reboot to complete. The pro fix
command can detect that and
will inform you about it.
You can confirm this by running the following fix command:
$ sudo pro fix CVE-2022-0778
Then you will see the following output:
CVE-2022-0778: OpenSSL vulnerability
https://ubuntu.com/security/CVE-2022-0778
1 affected package is installed: openssl
(1/1) openssl:
A fix is available in Ubuntu Pro: ESM Infra.
{ apt update && apt install --only-upgrade -y libssl1.0.0 openssl }
A reboot is required to complete fix operation.
✘ CVE-2022-0778 is not resolved.
If we reboot the machine and run the command again, you will see that it is indeed fixed:
CVE-2022-0778: OpenSSL vulnerability
https://ubuntu.com/security/CVE-2022-0778
1 affected package is installed: openssl
(1/1) openssl:
A fix is available in Ubuntu Pro: ESM Infra.
The update is already installed.
✔ CVE-2022-0778 is resolved.
Partially resolved CVE/USN#
Finally, you might run a pro fix
command that only fixes some of the packages
affected. This happens when only a subset of the packages have available updates
to fix for that CVE/USN.
In this case, pro fix
will tell you which package(s) it can or cannot fix.
But first, let’s install a package so we can run pro fix
to demonstrate this
scenario.
$ sudo apt-get install expat=2.1.0-7 swish-e matanza ghostscript
Now, you can run the following command:
$ sudo pro fix CVE-2017-9233
And you will see the following output:
CVE-2017-9233: Expat vulnerability
https://ubuntu.com/security/CVE-2017-9233
3 affected packages are installed: expat, matanza, swish-e
(1/3, 2/3) matanza, swish-e:
Sorry, no fix is available.
(3/3) expat:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y expat }
2 packages are still affected: matanza, swish-e
✘ CVE-2017-9233 is not resolved.
We can see that two packages, matanza
and swish-e
, don’t have any fixes
available, but there is one for expat
. So, we install the fix for expat
and
at the end of the report we can see that some packages are still affected.
As before, we can also observe that in this scenario we mark the CVE/USN as not resolved.
Close down the VM#
Congratulations! You successfully ran a Multipass VM and used it to encounter
and resolve the main scenarios that you might find when you run pro fix
.
When you are finished and want to leave the tutorial, you can shut down the VM by first pressing CTRL+D to exit it, and then running the following commands to delete the VM completely:
$ multipass delete dev-x
$ multipass purge
Next steps#
We have successfully encountered and resolved the main scenarios that you might
find when you run pro fix
.
If you need more information about this command, please feel free to reach out
to the Ubuntu Pro Client team on #ubuntu-server
on
Libera IRC –
we’re happy to help!
Alternatively, if you have a GitHub account, click on the “Have a question?” link at the top of this page to leave us a message. We’d love to hear from you!