Ubuntu pro reports CVE falsely as fixed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ubuntu-advantage-tools (Ubuntu) | Fix Released | Undecided | Lucas Albuquerque Medeiros de Moura |
Xenial | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Kinetic | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
In some cases, a machine may not have access to the version of a package that we assume to be available in `pro fix`. The result is that `pro fix` says "CVE-1234 is resolved" after a successful `apt install` command, even though the version with the fix was not actually installed. This is a misleading message and may lead users to believe they are safe from the given CVE when they are not.
The fix is to check the local apt-cache before trying to install a version to make sure that the candidate version is the one with the fix applied. Only then do we proceed with the `apt install` and say that the CVE is resolved.
[Test Case]
This will be covered by our full test run for u-a-t 27.14.
The specific test that covers this scenario can be inspected here:
https:/
[Regression Potential]
The new code to prevent this situation is an additional check before attempting to install the update. If there is a mistake in the implementation, it could prevent `pro fix` from resolving CVEs that can be resolved.
[Original Description]
pro version: 27.13.3-18.01.1
When running:
```
sudo pro fix CVE-2023-0286
CVE-2023-0286: OpenSSL vulnerabilities
https:/
2 affected source packages are installed: openssl, openssl1.0
(1/2, 2/2) openssl, openssl1.0:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y libssl1.0.0 libssl1.1 openssl }
✔ CVE-2023-0286 is resolved.
```
The last line states that the CVE is resolved, but when checking it via apt policy, it is still the old version:
```
apt policy openssl
openssl:
Installed: 1.1.1-1ubuntu2.
Candidate: 1.1.1-1ubuntu2.
Version table:
*** 1.1.1-1ubuntu2.
500 https:/
```
(expected version is 1.1.1-1ubuntu2.
The reason the update does not work is that the repositories the machine is subscribed to do not contain the fix.
The bug I want to file is the last line of the 'pro fix' command, being ' ✔ CVE-2023-0286 is resolved.'
This (presumably) is stated there because the apt install command was able to run successfully, but that does not mean the CVE is fixed (in this case, I had no repository in my sources.list offering the patch).
Suggestion to change that last line to: "❌ CVE-2023-0286 is not resolved."
Reason for reporting this as a security issue is the false claiming of a fixed security vulnerability.
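The check described under [Impact] (look at the local apt cache before installing, and only call the CVE resolved when the candidate version actually carries the fix) can be demonstrated against `apt policy` output of the shape shown in the report. The following is an added example, not code from ubuntu-advantage-tools: it reimplements dpkg's version ordering (epoch, `~`, letters-before-punctuation, numeric runs) in plain Python so it runs offline, parses the Installed/Candidate fields, and classifies the situation before any `apt install` is attempted. The policy output, the version strings and the mirror URL are constructed placeholders, not the real CVE-2023-0286 fix versions.

```python
"""Added example (not ubuntu-advantage-tools' own code): classify from
`apt policy <pkg>` output whether the fixed version is already installed,
installable from the enabled repositories, or unavailable, so that a
"CVE resolved" line is only printed when the fix really landed."""
import re


def _order(c: str) -> int:
    """dpkg character weight for non-digit version parts: '~' sorts before
    everything (even end of string), letters before non-letters; digits and
    end of string weigh 0."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream or revision fragment like dpkg's verrevcmp():
    alternate non-digit runs (by _order) and numeric runs (leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # a has more significant digits
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """Negative, zero or positive like `dpkg --compare-versions`,
    for the [epoch:]upstream[-revision] layout."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


_FIELD = re.compile(r"^\s*(Installed|Candidate):\s*(\S+)", re.MULTILINE)


def parse_apt_policy(output: str):
    """Return (installed, candidate) from `apt policy <pkg>` output."""
    fields = dict(_FIELD.findall(output))
    return fields.get("Installed"), fields.get("Candidate")


def fix_status(policy_output: str, fixed_version: str) -> str:
    """'already-fixed' if the installed version is at least fixed_version,
    'fix-installable' if the candidate reaches it, otherwise 'fix-unavailable'
    (a successful `apt install` would NOT resolve the CVE)."""
    installed, candidate = parse_apt_policy(policy_output)
    if installed and installed != "(none)" and compare_versions(installed, fixed_version) >= 0:
        return "already-fixed"
    if not candidate or candidate == "(none)" or compare_versions(candidate, fixed_version) < 0:
        return "fix-unavailable"
    return "fix-installable"


# Constructed sample: the enabled repository offers only the installed version.
SAMPLE_POLICY = """\
openssl:
  Installed: 1.1.1-1ubuntu2.1~18.04.20
  Candidate: 1.1.1-1ubuntu2.1~18.04.20
  Version table:
 *** 1.1.1-1ubuntu2.1~18.04.20 500
        500 https://mirror.example.invalid/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
"""
FIXED_VERSION = "1.1.1-1ubuntu2.1~18.04.21"  # placeholder, not the real fix version

if __name__ == "__main__":
    status = fix_status(SAMPLE_POLICY, FIXED_VERSION)
    mark = "✔" if status == "already-fixed" else "✘"
    print(f"{mark} openssl: {status} (fix expected in {FIXED_VERSION})")
```

With the sample above the result is `fix-unavailable`, which is exactly the case in the report: `apt install` would succeed without changing anything, so the tool must not print the resolved line. Only when the candidate compares greater than or equal to the fixed version is it safe to proceed with the install and re-check the installed version afterwards.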
CVE References: CVE-2023-0286
Changed in ubuntu-advantage-tools (Ubuntu): assignee: nobody → Lucas Albuquerque Medeiros de Moura (lamoura)
Changed in ubuntu-advantage-tools (Ubuntu): status: New → Confirmed
description: updated
description: updated
Hi Jonathan,
Thanks for taking the time to report this bug and helping to make Ubuntu better.
I will share this bug with the maintainers of the pro tool, and get this sorted out soon.