Is this apt vulnerability (CVE-2019-3462) a security concern for Ubuntu users?

I am new to Ubuntu server. I found this post about a vulnerability in Debian's APT. Do you think this issue has been resolved?

  1. A vulnerability in Debian’s apt allows for easy lateral movement in data centers

    On January 22nd, Max Justicz published a write up detailing a vulnerability in the apt client. Using Man in the Middle techniques, an attacker can intercept the apt communication while it downloads a software package, replace the requested package content with their own binary, and execute it with root privileges.

  2. Remote Code Execution in apt/apt-get - Max Justicz

    I found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package. The bug has been fixed in the latest versions of apt. If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update.

Solution 1:

I opened a link you provided to grab the CVE number, then used a search engine to look for details:

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3462.html

> Ubuntu 12.04 ESM (Precise Pangolin): released (0.8.16~exp12ubuntu10.28)
> Ubuntu 14.04 LTS (Trusty Tahr): released (1.0.1ubuntu2.19)
> Ubuntu 16.04 LTS (Xenial Xerus): released (1.2.29ubuntu0.1)
> Ubuntu 18.04 LTS (Bionic Beaver): released (1.6.6ubuntu0.1)
> Ubuntu 18.10 (Cosmic Cuttlefish): released (1.7.0ubuntu0.1)
> Ubuntu 19.04 (Disco Dingo): released (1.8.0~alpha3.1)

As long as you have the packages listed as containing the fix, you'll be fine. For more details, check the Ubuntu security notes.

Solution 2:

Yes, it's definitely fixed.

The best way to track security issues is using a CVE number. That's what CVE numbers are for. In this case, you seem to be worried about CVE-2019-3462.

CVEs may have more than one related bug report. You can find all the bugs for this particular CVE at https://bugs.launchpad.net/bugs/cve/2019-3462. The bug tracker will tell you which bugs are fixed in which releases of Ubuntu, and when the fixes were uploaded.

After fixing this particular CVE, the Ubuntu Security Team talked about this issue and the fix in their podcast of 29 January 2019. It's brief, and worth a listen.

Solution 3:

When speaking of security vulnerabilities, the so-called CVE number is used across the entire industry to refer to a specific vulnerability. Everyone who responds to the vulnerability, regardless of Linux distribution, will use the same CVE number to refer to it.

In the articles you referenced, the CVE number was shown: CVE-2019-3462

Once you have the CVE number for any security issue, you can look it up in the Ubuntu CVE Tracker to find its current status in Ubuntu, including:

  • A description of the vulnerability
  • Links to Ubuntu Security Notices for the vulnerability, if available
  • The status of the vulnerability in each supported Ubuntu distribution
  • Package version numbers of fixed packages, when they become available
  • External links to information about the vulnerability

When the status for your distribution shows as "released" then a package with the fix is ready to download, and should be available after the next time you run sudo apt update.

To check the version of a package that you have installed, you can use dpkg -s. For example:

error@vmtest-ubuntu1804:~$ dpkg -s apt | grep ^Version
Version: 1.6.10
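As an added example (not part of any of the answers above), here is a Python check that compares the apt version reported by dpkg -s against the fixed versions from the CVE tracker entry quoted in Solution 1. It reimplements dpkg's version ordering, including the rule that "~" sorts before the end of a string, which matters for the 12.04 and 19.04 fixed versions; FIXED_VERSIONS, compare_versions and is_patched are names chosen here, and on a real Ubuntu machine dpkg --compare-versions performs the same comparison.

```python
import re

# Fixed apt versions per release, from the CVE tracker entry quoted in Solution 1.
FIXED_VERSIONS = {
    "12.04": "0.8.16~exp12ubuntu10.28", "14.04": "1.0.1ubuntu2.19",
    "16.04": "1.2.29ubuntu0.1", "18.04": "1.6.6ubuntu0.1",
    "18.10": "1.7.0ubuntu0.1", "19.04": "1.8.0~alpha3.1",
}

def _order(c: str) -> int:
    # dpkg weights: '~' < end-of-string and digits (0) < letters < other punctuation
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # Compare an upstream or revision fragment as dpkg does: alternate a
    # lexical pass over non-digit runs with a numeric pass over digit runs.
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            oa, ob = _order(a[:1]), _order(b[:1])
            if oa != ob:
                return -1 if oa < ob else 1
            a, b = a[1:], b[1:]
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)
        na, nb = int(ma.group() or "0"), int(mb.group() or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0

def _split(version: str) -> tuple:
    # "[epoch:]upstream[-revision]"; epoch defaults to 0, revision to "".
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_patched(release: str, installed: str) -> bool:
    """True when the apt version from `dpkg -s apt` is at or past the fix."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0
```

With the dpkg -s output shown above, is_patched("18.04", "1.6.10") returns True, since 1.6.10 is newer than the 1.6.6ubuntu0.1 fix for Bionic.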