Episode 145
The Ubuntu Security Podcast is back for 2022 and we're starting off the year with a bang💥! This week we bring you a special interview with Kees Cook of Google and the Linux Kernel Self Protection Project discussing Linux kernel...
Ubuntu Security Podcast · Ubuntu Security Team
January 6, 202256m 49s
Audio is streamed directly from the publisher (people.canonical.com) as published in their RSS feed. Play Podcasts does not host this file. Rights-holders can request removal through the copyright & takedown page.
Show Notes
Overview
The Ubuntu Security Podcast is back for 2022 and we’re starting off the year with a bang💥! This week we bring you a special interview with Kees Cook of Google and the Linux Kernel Self Protection Project discussing Linux kernel hardening upstream developments. Plus we look at security updates for Mumble, Apache Log4j2, OpenJDK and more.
This week in Ubuntu Security Updates
31 unique CVEs addressed
[USN-5195-1] Mumble vulnerability [01:02]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Low-latency VoIP client - client / server model
- Client picks a server to connect to from public server list
- Malicious actor could register a server with a web URL that uses some
other protocol - e.g.
smbto then refer to a.desktopfile - When user chose the option to ‘Open Webpage’ for that server, would
automatically fetch and execute via underlying Qt framework libraries
QDesktopServices::openUrlfunction - Fixed to check URI scheme and only open if is http/https
- Wonder if this kind of vuln may be seen in other applications?
[USN-5192-2] Apache Log4j 2 vulnerability [02:13]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- Log4j2 update for 16.04 ESM - see Episode 142
[USN-5203-1] Apache Log4j 2 vulnerability
- 1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- More Log4j2 vulns - possible to crash applications using log4j2 by specifying a crafted string that would get logged which would then cause infinite recursion when doing lookup evaluation
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Log4Shell
[USN-5202-1] OpenJDK vulnerabilities [03:13]
- 14 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Mix of issues resolved with this latest point release update for openjdk-8 and openjdk-11
- Info leak via FTP client impl when connecting to malicious FTP server
- Mishandling of JARs with multiple manifests -> signature verification bypass
- Sandbox escape via crafted Java class
- Use of weak crypto ciphers by default -> info leak
- DoS via malicious RTF, BMP or class files
- and more…
[USN-5199-1, USN-5200-1, USN-5201-1] Python vulnerabilities [04:26]
- 1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04) for Python 3.8/3.9
- 2 CVEs addressed in Bionic (18.04 LTS) for Python 3.6
- 3 CVEs addressed in Bionic (18.04 LTS) for Python 3.7/3.8
- 3 different DoS via urllib http client
- infinite loop when handling
100 Continueresponses - malicious HTTP server could cause a DoS against clients - affects all - ReDoS due to quadratic complexity regex in basic auth handling - only affects Python 3.6->3.8 in Ubuntu 18.04
- Similar but different ReDos in basic auth handling - only affects Python 3.7/3.8 in Ubuntu 18.04
- infinite loop when handling
[USN-5198-1] HTMLDOC vulnerability [05:37]
- 1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- Used to covert HTML/Markdown files to generate EPUB/HTML/PS/PDF with ToC etc
- Through fuzzing a NULL ptr deref was found if given crafted input HTML file -> crash -> DoS
[USN-5186-2] Firefox regressions [06:06]
- 10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- 95.0.1
- WebRender crash on some X11 systems
- Failure to connect to microsoft.com domains
Goings on in Ubuntu Security Community
Seth and John talk Linux Kernel Security with Kees Cook [06:53]
- Seth Arnold and John Johansen from the Ubuntu Security team chat with Kees Cook from Google (KSPP) about Linux kernel hardening and self-protection, including KASLR and FGKASLR, delving into the finer points of linker scripts, kernel address pointer info leaks through debug logs, detecting possible integer overflows in C by relying on undefined behaviour of signed integer wraparound, hardware support for detecting memory corruption and more.