Need clarification on the affected packages mentioned in Ubuntu security oval data (USN-7088-1- Linux kernel vulnerability)

Hi,
We have come across some confusion regarding the affected packages in one of the Ubuntu Linux Kernel advisories released: USN-7088-1: Linux kernel vulnerabilities | Ubuntu security notices | Ubuntu

As you can see, the advisory published mentions the below packages under the Update instructions section:
"Ubuntu 20.04
linux-image-5.4.0-1082-ibm - 5.4.0-1082.87
linux-image-5.4.0-1102-gkeop - 5.4.0-1102.106
linux-image-5.4.0-1139-gcp - 5.4.0-1139.148
linux-image-5.4.0-200-generic - 5.4.0-200.220
linux-image-5.4.0-200-generic-lpae - 5.4.0-200.220
linux-image-5.4.0-200-lowlatency - 5.4.0-200.220
linux-image-gcp-lts-20.04 - 5.4.0.1139.141
linux-image-generic - 5.4.0.200.196
linux-image-generic-lpae - 5.4.0.200.196
linux-image-gkeop - 5.4.0.1102.100
linux-image-gkeop-5.4 - 5.4.0.1102.100
linux-image-ibm-lts-20.04 - 5.4.0.1082.111
linux-image-lowlatency - 5.4.0.200.196
linux-image-oem - 5.4.0.200.196
linux-image-oem-osp1 - 5.4.0.200.196
linux-image-virtual - 5.4.0.200.196"

The Ubuntu security oval data available from Ubuntu Oval | Security | Ubuntu for Ubuntu 20.04 (com.ubuntu.focal.usn.oval.xml) also has only these packages checked in the detection OVAL script written.

Now the confusion derives from the security updates list available in the machine when running the below command:

apt list --upgradable | grep "\-security" | grep "linux"
linux-cloud-tools-common/focal-updates,focal-updates,focal-security,focal-security 5.4.0-200.220 all [upgradable from: 5.4.0-26.30]
linux-tools-common/focal-updates,focal-updates,focal-security,focal-security 5.4.0-200.220 all [upgradable from: 5.4.0-26.30]
util-linux/focal-updates,focal-security 2.34-0.1ubuntu9.6 amd64 [upgradable from: 2.34-0.1ubuntu9]

Here we can observe that the same version (5.4.0-200.220) is available under security updates for linux-cloud-tools-common and linux-tools-common packages that are not even mentioned in the USN advisory link stated above or even present in the Ubuntu Oval definition written in com.ubuntu.focal.usn.oval.xml. Also, these packages don’t even get updated as dependencies of the other packages mentioned in the advisory.

If this is a security update for the packages mentioned above (linux-cloud-tools-common and linux-tools-common), why is it not even considered in the OVAL detection script published by Ubuntu?

Hi Ashwitha,

the kernel source packages generate many binaries as you can see here for the linux source package:
https://packages.ubuntu.com/source/focal-updates/linux

linux-cloud-tools-common and linux-tools-common are both binaries coming from a kernel source package but they don’t necessarily need to be installed for your kernel to run. Both provide specific tools that you can use. Those tools will only be executed if you manually or automatically run them in some way.

In USNs and OVAL we trim that list of kernel binaries down to only the actual kernel image that will be running on your system, which is the linux-image-* binaries, as most vulnerabilities apply to the kernel itself rather than the tooling. That way we can have a small enough human-readable USN and an OVAL file that is not too big in size.

In our USNs the list of packages listed is also just for the sake of information; we don’t expect nor advise people to only update the packages listed there, but instead that they execute a normal apt upgrade.

Lastly, for OVAL, since you can have many different linux-image-* packages installed, as you certainly do, so you can roll back in case of issues, we don’t look for the installed images, but instead we look for which kernel image is currently running; that’s why we wouldn’t check for other binaries.

Does that help clarify your doubt?

Hi Ebarretto,

Thanks for sharing this information, it was really helpful. I have another query as you said:

" In our USNs the list of packages listed is also just for the sake of information, we don’t expect nor advise people to only update the packages listed there, but instead that they execute a normal apt upgrade"

Does this mean the Ubuntu Oval detection script will not identify all the vulnerable packages installed in the machine? According to the definition, if the machine is installed with only linux-cloud-tools-common and linux-tools-common vulnerable versions without the packages mentioned in the advisory, it is not even going to identify the vulnerability.
The security patch information command output shared earlier from the machine shows updates for these packages, whereas the OVAL script does not detect them at all. Is this a case of false negative detection?

Hi Ashwitha,

As I’ve mentioned above, for OVAL we only check for the running kernel.
Even though a vulnerability is found for the kernel source, it does not mean that all binaries generated from its source are affected by it, hence the reason we only check for the running kernel. There’s no way to say it is a false negative or a false positive if you don’t actually do a binary investigation to know if the vulnerability affects binaries like linux-cloud-tools-common or linux-tools-common. And again, we expect people to do the normal upgrade procedure instead of choosing what to update.
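An added illustration of the rule Ebarretto gives in both replies (check only the running kernel image, not every binary built from the linux source package); this is not code from the thread or from Ubuntu's OVAL content. It compares the running kernel against the USN-7088-1 fixed versions quoted at the top of the thread for Ubuntu 20.04; the version comparison is a simplified numeric one for the X.Y.Z-ABI.upload scheme rather than a full Debian version comparison, and the installed version is passed in (what dpkg-query would report) so the check runs anywhere.

```python
import re

# Fixed versions copied from the USN-7088-1 excerpt quoted at the top of the
# thread (Ubuntu 20.04), keyed by the kernel flavour as it appears in `uname -r`.
USN_7088_1_FOCAL_FIXED = {
    "generic": "5.4.0-200.220",
    "generic-lpae": "5.4.0-200.220",
    "lowlatency": "5.4.0-200.220",
    "gcp": "5.4.0-1139.148",
    "gkeop": "5.4.0-1102.106",
    "ibm": "5.4.0-1082.87",
}

# `uname -r` on these kernels looks like 5.4.0-200-generic: upstream-ABI-flavour.
_RELEASE_RE = re.compile(r"^(\d+\.\d+\.\d+)-(\d+)-([a-z0-9-]+)$")


def parse_uname_release(release):
    """Split '5.4.0-200-generic' into its parts and derive the linux-image
    binary package name, which is the package the running-kernel check evaluates."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    upstream, abi, flavour = m.groups()
    return {"upstream": upstream, "abi": int(abi), "flavour": flavour,
            "package": f"linux-image-{upstream}-{abi}-{flavour}"}


def version_key(version):
    """Turn a kernel package version 'X.Y.Z-ABI.upload' into an int tuple so
    that 5.4.0-200.220 compares greater than 5.4.0-199.219 (simplified scheme)."""
    upstream, _, rest = version.partition("-")
    abi, _, upload = rest.partition(".")
    return tuple(int(p) for p in upstream.split(".")) + (int(abi), int(upload))


def running_kernel_status(release, installed_version, fixed=USN_7088_1_FOCAL_FIXED):
    """Classify the running kernel as 'fixed', 'vulnerable' or 'not-covered'.
    `installed_version` is what `dpkg-query -W -f='${Version}' <package>` would
    report for the running image; it is passed in so the check runs offline."""
    info = parse_uname_release(release)
    fixed_version = fixed.get(info["flavour"])
    # A flavour, or an upstream series (e.g. an HWE kernel), that this advisory
    # table does not list is outside its scope: neither a pass nor a fail.
    if fixed_version is None or not fixed_version.startswith(info["upstream"] + "-"):
        return "not-covered"
    if version_key(installed_version) >= version_key(fixed_version):
        return "fixed"
    return "vulnerable"
```

On a real focal host the inputs would come from `uname -r` and `dpkg-query -W -f='${Version}' linux-image-$(uname -r)`; packages such as linux-tools-common never enter the check, which is exactly the behaviour the thread describes.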