AWS Ubuntu Pro FIPS 18.04 LTS AMI
Thomas Ward
teward at ubuntu.com
Thu Jan 20 01:17:01 UTC 2022
CCing ubuntu-devel-discuss for the wider devel audience to weigh in on.
MOST security scanners do NOT take into account the Ubuntu USNs for
security release patching and go *strictly* on version number strings -
in almost ALL of these cases, 'version based scanning' for
vulnerabilities without *testing* for the vulnerability itself (i.e. an
actual attempt to exploit the vulnerability) yields these kinds of false
positives. We see these all the time with 'image vulnerability
scanners' at my FT job, and when the same systems are put into the
Rapid7 InsightVM system, which has privileged access to see the
specific package versions installed and compares them against the USNs,
the result is 'no unpatched vulnerabilities', except for packages which
haven't been updated yet because they're outside the standard updates
cadence period (i.e. system kernels, because we manually upgrade those
to prevent Out Of Disk problems on older systems).
If you really want to, you can compare the reported CVE IDs against the
Security Team's CVE database to see *which* package versions are
actually patched or not for what CVEs, by checking on the CVE ID itself
at https://ubuntu.com/security/cve - this is the best way to check what
your vulnerability scanner says for a given image.
Long story short, though, I would not trust a vulnerability scanner on
its own without additional digging/research on my end to verify what is
or isn't patched.
Additionally, Ubuntu Pro FIPS is an offering from Ubuntu Advantage,
which is a FIPS-binaries-included image only available from a UA-I
subscription or a private cloud on Canonical's stacks and such - you
should probably be opening a support ticket with Canonical if you have
an account with them on this, though they'll mostly say what I've said
as there are a HUGE number of 'dumb' vulnerability scanners out there
that throw these false positives without privileged access (into the
image or running system) to do the scan.
If you do a deployment from a Cloud image, and then subsequently run
your standard `apt update && apt dist-upgrade` tasks inside the running
system, it should pull from the relevant repositories all the updates
needed, which includes in these 'images'. (I regularly see this even on
LXD images on my LXD infrastructure, and a simple post-deployment update
task updates to patch anything that *wasn't* patched when the image was
created, though I can't speak for the FIPS images).
Thomas
On 1/18/22 16:52, Yan, Michael wrote:
> Hi,
>
> We are evaluating "Ubuntu Pro FIPS 18.04 LTS" for our k8s deployment in Cloud. After scanning the image with BlackDuck, there are 176 critical/high CVEs reported. I wonder if they are real security risks and what mitigation measures I can take. Does Ubuntu have such security scan report published somewhere?
>
> Thanks,
> Michael
>
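The comparison Thomas describes (checking a scanner's CVE list against the version Ubuntu actually lists as fixed, rather than against the upstream version string) can be scripted. The script below is an added example for this thread, not code from the list, from Canonical or from any scanner vendor. It implements Debian/dpkg version ordering (the algorithm of dpkg's verrevcmp(): '~' sorts before anything, epoch before upstream before revision), shows why a version-only scanner flags a backported fix as missing, and then triages each finding against the fixed-in version a practitioner would copy from the "Released" entry on https://ubuntu.com/security/cve/<ID>. The CVE identifiers (CVE-0000-000x), the tracker table and the version strings are constructed placeholders in Ubuntu's version format, not real tracker data.

```python
"""Triage version-only scanner findings against Ubuntu fixed-in versions.

A scanner that compares the upstream version (openssl "1.1.1") against the
upstream fix release ("1.1.1k") flags a CVE that Ubuntu already fixed by
backporting the patch into e.g. 1.1.1-1ubuntu2.1~18.04.13. Correct triage
compares the full Debian package version with the version Ubuntu lists as
fixed for that release, using dpkg's ordering rules (verrevcmp()).
"""

DIGITS = "0123456789"


def _order(c: str) -> int:
    """dpkg's weight for one non-digit character: '~' sorts before
    everything, even end-of-string (so 1.0~rc1 < 1.0); letters sort
    before other symbols; end-of-string and digits weigh 0."""
    if c == "" or c in DIGITS:
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or revision fragment like dpkg does:
    alternate between non-digit runs (character weights) and digit runs
    (numeric value, leading zeros ignored). Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1          # a has more digits in this run -> larger
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """Full Debian version comparison: epoch, then upstream, then revision.
    Returns -1, 0 or 1."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def naive_scanner_flags(installed: str, upstream_fix: str) -> bool:
    """What a version-string scanner does: look only at the upstream part
    and flag anything below the upstream release that carried the fix."""
    return dpkg_compare(parse_version(installed)[1], upstream_fix) < 0


def triage(findings, tracker, release="bionic"):
    """Decide each finding using the fixed-in version published for that
    package in that release. Returns {cve: status}. A missing fixed-in
    version means the fix is not released yet: that one needs real
    follow-up, not a version comparison."""
    result = {}
    for cve, pkg, installed in findings:
        fixed = tracker.get(cve, {}).get(pkg, {}).get(release)
        if fixed is None:
            result[cve] = "not-fixed-yet"
        elif dpkg_compare(installed, fixed) >= 0:
            result[cve] = "patched"
        else:
            result[cve] = "unpatched"
    return result


# Constructed sample data: hypothetical CVE IDs and illustrative version
# strings in Ubuntu's format, not real tracker contents.
FINDINGS = [
    ("CVE-0000-0001", "openssl", "1.1.1-1ubuntu2.1~18.04.13"),
    ("CVE-0000-0002", "curl", "7.58.0-2ubuntu3.16"),
    ("CVE-0000-0003", "linux-image-generic", "4.15.0.166.155"),
]
TRACKER = {
    "CVE-0000-0001": {"openssl": {"bionic": "1.1.1-1ubuntu2.1~18.04.9"}},
    "CVE-0000-0002": {"curl": {"bionic": "7.58.0-2ubuntu3.17"}},
    "CVE-0000-0003": {"linux-image-generic": {"bionic": None}},
}

if __name__ == "__main__":
    print("naive scanner flags openssl:", naive_scanner_flags(FINDINGS[0][2], "1.1.1k"))
    for cve, status in triage(FINDINGS, TRACKER).items():
        print(cve, status)
```

On a real system the installed versions come from `dpkg-query -W -f='${Package} ${Version}\n'` inside the running image, and the fixed-in version for each CVE/release pair is read off the CVE page; the status "not-fixed-yet" is the case where only a support ticket or an actual exploit test settles the question.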