<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>CCing ubuntu-devel-discuss for the wider devel audience to weigh
in on.<br>
</p>
<p>MOST security scanners do NOT take into account the Ubuntu USNs
for security release patching and go *strictly* on version number
strings - in almost ALL of these cases, 'version based scanning'
for vulnerabilities without *testing* for the vulnerability itself
(i.e. an actual attempt to exploit the vulnerability) yields these
kinds of false positives. We see these all the time with 'image
vulnerability scanners' at FT job, and when put into the Rapid7
InsightVM system which has privileged access to see the specific
package versions installed and compares against the USNs results
in 'no unpatched vulnerabilities' except for packages which
haven't been updated yet because they're outside the standard
updates cadence period (i.e. system kernels, because we manually
upgrade those to prevent Out Of Disk problems on older systems).</p>
<p>If you really want to, you can compare the reported CVE IDs
against the Security Team's CVE database to see *which* package
versions are actually patched or not for what CVEs, by checking on
the CVE ID itself at <a class="moz-txt-link-freetext" href="https://ubuntu.com/security/cve">https://ubuntu.com/security/cve</a> - this is the
best way to check what your vulnerability scanner says for a given
image.</p>
<p>Long story short, though, I would not trust a vulnerability
scanner on its own without additional digging/research on my end
to verify what is or isn't patched.</p>
<p>Additionally, Ubuntu Pro FIPS is an offering from Ubuntu
Advantage, which is a FIPS-binaries-included image only available
from a UA-I subscription or a private cloud on Canonical's stacks
and such - you should probably be opening a support ticket with
Canonical if you have an account with them on this, though they'll
mostly say what I've said as there are a HUGE number of 'dumb'
vulnerability scanners out there that throw these false positives
without privileged access (into the image or running system) to do
the scan.</p>
<p>If you do a deployment from a Cloud image, and then subsequently
run your standard `apt update && apt dist-upgrade` tasks
inside the running system, it should pull from the relevant
repositories all the updates needed, which includes in these
'images'. (I regularly see this even on LXD images on my LXD
infrastructure, and a simple post-deployment update task updates
to patch anything that *wasn't* patched when the image was
created, though I can't speak for the FIPS images).</p>
<p><br>
</p>
<p>Thomas</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 1/18/22 16:52, Yan, Michael wrote:<br>
</div>
<blockquote type="cite"
cite="mid:F95CED10-DCEE-4A65-B794-9581E4308638@microstrategy.com">
<pre class="moz-quote-pre" wrap="">Hi,
We are evaluating "Ubuntu Pro FIPS 18.04 LTS" for our k8s deployment in Cloud. After scanning the image with BlackDuck, there are 176 critical/high CVEs reported. I wonder if they are real security risks and what mitigation measures I can take. Does Ubuntu have such security scan report published somewhere?
Thanks,
Michael
</pre>
</blockquote>
</body>
</html>