Evaluate CVEs in Ubuntu 20.04 Publisher Images

Step 1: Review the Report

First, identify any CVE numbers listed in the scan report. CVE numbers follow this format: CVE-2023-44487 (the CVE prefix, the year, and a sequence number).

Step 2: Research Available Fixes

After you have identified a CVE number and its affected component, search for available patches using Ubuntu’s official security database: https://ubuntu.com/security/{CVE number}

Example: For CVE-2023-44487, visit https://ubuntu.com/security/CVE-2023-44487

This page provides detailed information about the vulnerability and Ubuntu’s official response. For instance, if the affected component is the nghttp2 library, look for the corresponding section. Search for focal (Ubuntu 20.04’s codename) to find the patched version. A release version like 1.40.0-1ubuntu0.2 indicates that upgrading to this version (or a later one) will resolve the vulnerability.

Common Status Definitions

(Reference: How to read CVE)

  • Not vulnerable/Not affected: Your system is not at risk.
  • Needs triage: Ubuntu is currently evaluating the vulnerability.
  • Ignored: Ubuntu has decided not to address the issue because:
    • The vulnerability doesn’t require a fix (check the Notes section for explanations).
    • The OS has reached End-of-Life (EOL) and no longer receives updates.
  • Needed/Pending: A patch is in development.
  • Released: An update is available to patch the vulnerability.
    • Available with Ubuntu Pro: The patch is only accessible to Ubuntu Pro subscribers; alternative mitigation strategies should be considered.

Step 3: Find the Mitigation (If Needed)

Visit the link below for the vulnerability details:

https://nvd.nist.gov/vuln/detail/{CVE number}

For example: https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Sometimes the detailed report itself provides a mitigation.

Common mitigations include:

  • Remove the affected component if it is not necessary.
  • Prevent use of the affected component:
    • Sometimes a component is only vulnerable in a specific situation; make the customer aware of it.
    • Disable the component if the customer is not using it.
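As an added example (not part of the Netskope documentation), the Python script below automates the bookkeeping in Steps 1 to 3: it pulls the CVE ids out of constructed scan-report lines, builds the Ubuntu and NVD lookup URLs, and compares an installed package version against the focal fixed version (such as 1.40.0-1ubuntu0.2) using the Debian version-ordering rules that dpkg --compare-versions applies. The report lines, package names and installed versions are constructed assumptions; the fixed version itself still has to be read from the Ubuntu page by hand.

```python
import re
from itertools import zip_longest
# Constructed scan-report lines (not from a real scan): package, version, CVE, severity.
SAMPLE_REPORT = """nghttp2 1.40.0-1ubuntu0.1 CVE-2023-44487 HIGH
python3-httplib2 0.14.0-3 CVE-2021-21240 MEDIUM
nghttp2 1.40.0-1ubuntu0.1 CVE-2023-44487 HIGH"""

def extract_cves(report_text):
    """Step 1: unique CVE ids in order of first appearance."""
    return list(dict.fromkeys(re.findall(r"\bCVE-\d{4}-\d{4,}\b", report_text)))

def lookup_urls(cve):
    """Steps 2 and 3: the Ubuntu tracker and NVD pages to consult."""
    return {"ubuntu": f"https://ubuntu.com/security/{cve}",
            "nvd": f"https://nvd.nist.gov/vuln/detail/{cve}"}

def _char_key(c):
    # dpkg ordering: '~' < end of string (None) < letters < everything else.
    if c is None: return 0
    if c == "~": return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare an upstream-version or revision string the way dpkg does."""
    while a or b:  # alternate non-digit and digit runs
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for x, y in zip_longest(sa, sb):
            if _char_key(x) != _char_key(y):
                return -1 if _char_key(x) < _char_key(y) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):  # "epoch:upstream-revision"; epoch and revision are optional
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)
def needs_upgrade(installed, fixed):  # is the installed version older than the focal fix?
    return compare_versions(installed, fixed) < 0
```

Run needs_upgrade("1.40.0-1ubuntu0.1", "1.40.0-1ubuntu0.2") with the version reported by dpkg -s nghttp2 on the publisher host to decide whether the upgrade is still outstanding.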

List of CVEs Without Patches Provided by Ubuntu for More Than 2 Years

CVE: CVE-2021-21240
Official report from Ubuntu: https://ubuntu.com/security/CVE-2021-21240
Mitigation plan from Netskope: python3-httplib2 is not one of the necessary components of the NPA publisher, so you can decide whether to remove it manually by running the following command on the host OS. This vulnerability can only be exploited when Python code connects to a malicious web server, which minimizes the risk: the library is not in use in our solution, and the publisher only connects to Netskope and the official Docker and Ubuntu repositories.
sudo apt-get remove python3-httplib2

CVE: CVE-2020-15778
Official report from Ubuntu: https://ubuntu.com/security/CVE-2020-15778
Mitigation plan from Netskope: If scp is not used in the user’s environment, it can be removed from the host using the method below. scp is often used temporarily to download log files for Netskope support, but is not needed otherwise. Run the following command on the host OS.
sudo rm /usr/bin/scp

Note

Any upgrade to openssh-client will bring back scp and will require the same action again. This vulnerability is only exploitable by a potential malicious insider, since a user needs SSH access to the host to be able to perform the exploit.
