Overview
The Ubuntu Security Podcast is back for 2022 and we’re starting off the
year with a bang💥! This week we bring you a special interview with Kees
Cook of Google and the Linux Kernel Self Protection Project discussing
Linux kernel hardening upstream developments. Plus we look at security
updates for Mumble, Apache Log4j2, OpenJDK and more.
This week in Ubuntu Security Updates
31 unique CVEs addressed
[USN-5195-1] Mumble vulnerability [01:02]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Low-latency VoIP client - client / server model
- Client picks a server to connect to from public server list
- Malicious actor could register a server with a web URL that uses some
other protocol - e.g.
smb
to then refer to a .desktop
file
- When user chose the option to ‘Open Webpage’ for that server, would
automatically fetch and execute via underlying Qt framework libraries
QDesktopServices::openUrl
function
- Fixed to check URI scheme and only open if is http/https
- Wonder if this kind of vuln may be seen in other applications?
[USN-5192-2] Apache Log4j 2 vulnerability [02:13]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- Log4j2 update for 16.04 ESM - see Episode 142
[USN-5203-1] Apache Log4j 2 vulnerability
- 1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- More Log4j2 vulns - possible to crash applications using log4j2 by
specifying a crafted string that would get logged which would then cause
infinite recursion when doing lookup evaluation
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Log4Shell
[USN-5202-1] OpenJDK vulnerabilities [03:13]
- 14 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Mix of issues resolved with this latest point release update for
openjdk-8 and openjdk-11
- Info leak via FTP client impl when connecting to malicious FTP server
- Mishandling of JARs with multiple manifests -> signature verification bypass
- Sandbox escape via crafted Java class
- Use of weak crypto ciphers by default -> info leak
- DoS via malicious RTF, BMP or class files
- and more…
- 1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04) for Python 3.8/3.9
- 2 CVEs addressed in Bionic (18.04 LTS) for Python 3.6
- 3 CVEs addressed in Bionic (18.04 LTS) for Python 3.7/3.8
- 3 different DoS via urllib http client
- infinite loop when handling
100 Continue
responses - malicious HTTP
server could cause a DoS against clients - affects all
- ReDoS due to quadratic complexity regex in basic auth handling - only
affects Python 3.6->3.8 in Ubuntu 18.04
- Similar but different ReDos in basic auth handling - only affects
Python 3.7/3.8 in Ubuntu 18.04
[USN-5198-1] HTMLDOC vulnerability [05:37]
- 1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- Used to covert HTML/Markdown files to generate EPUB/HTML/PS/PDF with ToC
etc
- Through fuzzing a NULL ptr deref was found if given crafted input HTML
file -> crash -> DoS
[USN-5186-2] Firefox regressions [06:06]
- 10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- 95.0.1
- WebRender crash on some X11 systems
- Failure to connect to microsoft.com domains
Goings on in Ubuntu Security Community
Seth and John talk Linux Kernel Security with Kees Cook [06:53]
- Seth Arnold and John Johansen from the Ubuntu Security team chat with
Kees Cook from Google (KSPP) about Linux kernel hardening and
self-protection, including KASLR and FGKASLR, delving into the finer
points of linker scripts, kernel address pointer info leaks through debug
logs, detecting possible integer overflows in C by relying on undefined
behaviour of signed integer wraparound, hardware support for detecting
memory corruption and more.
Get in contact