January 06, 2022

Episode 145

56 minutes

Overview

The Ubuntu Security Podcast is back for 2022 and we’re starting off the

year with a bang💥! This week we bring you a special interview with Kees

Cook of Google and the Linux Kernel Self Protection Project discussing

Linux kernel hardening upstream developments. Plus we look at security

updates for Mumble, Apache Log4j2, OpenJDK and more.

This week in Ubuntu Security Updates

31 unique CVEs addressed

[USN-5195-1] Mumble vulnerability [01:02]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-27229

Low-latency VoIP client - client / server model

Client picks a server to connect to from public server list

Malicious actor could register a server with a web URL that uses some

other protocol - e.g. smb to then refer to a .desktop file

When user chose the option to ‘Open Webpage’ for that server, would

automatically fetch and execute via underlying Qt framework libraries

QDesktopServices::openUrl function

Fixed to check URI scheme and only open if is http/https

Wonder if this kind of vuln may be seen in other applications?

[USN-5192-2] Apache Log4j 2 vulnerability [02:13]

1 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2021-44228

Log4j2 update for 16.04 ESM - see Episode 142

[USN-5203-1] Apache Log4j 2 vulnerability

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)

CVE-2021-45105

More Log4j2 vulns - possible to crash applications using log4j2 by

specifying a crafted string that would get logged which would then cause

infinite recursion when doing lookup evaluation

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Log4Shell

[USN-5202-1] OpenJDK vulnerabilities [03:13]

14 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)

CVE-2021-35603

CVE-2021-35588

CVE-2021-35586

CVE-2021-35578

CVE-2021-35567

CVE-2021-35565

CVE-2021-35564

CVE-2021-35561

CVE-2021-35559

CVE-2021-35556

CVE-2021-35550

CVE-2021-2388

CVE-2021-2369

CVE-2021-2341

Mix of issues resolved with this latest point release update for

openjdk-8 and openjdk-11

Info leak via FTP client impl when connecting to malicious FTP server

Mishandling of JARs with multiple manifests -> signature verification bypass

Sandbox escape via crafted Java class

Use of weak crypto ciphers by default -> info leak

DoS via malicious RTF, BMP or class files

and more…

[USN-5199-1, USN-5200-1, USN-5201-1] Python vulnerabilities [04:26]

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04) for Python 3.8/3.9

CVE-2021-3737

2 CVEs addressed in Bionic (18.04 LTS) for Python 3.6

CVE-2021-3737

CVE-2021-3733

3 CVEs addressed in Bionic (18.04 LTS) for Python 3.7/3.8

CVE-2021-3737

CVE-2021-3733

CVE-2020-8492

3 different DoS via urllib http client

infinite loop when handling 100 Continue responses - malicious HTTP

server could cause a DoS against clients - affects all

ReDoS due to quadratic complexity regex in basic auth handling - only

affects Python 3.6->3.8 in Ubuntu 18.04

Similar but different ReDos in basic auth handling - only affects

Python 3.7/3.8 in Ubuntu 18.04

[USN-5198-1] HTMLDOC vulnerability [05:37]

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)

CVE-2021-23180

Used to covert HTML/Markdown files to generate EPUB/HTML/PS/PDF with ToC

etc

Through fuzzing a NULL ptr deref was found if given crafted input HTML

file -> crash -> DoS

[USN-5186-2] Firefox regressions [06:06]

10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)

CVE-2021-43540

CVE-2021-43546

CVE-2021-43545

CVE-2021-43543

CVE-2021-43542

CVE-2021-43541

CVE-2021-43539

CVE-2021-43538

CVE-2021-43537

CVE-2021-43536

95.0.1

WebRender crash on some X11 systems

Failure to connect to microsoft.com domains

Goings on in Ubuntu Security Community

Seth and John talk Linux Kernel Security with Kees Cook [06:53]

Seth Arnold and John Johansen from the Ubuntu Security team chat with

Kees Cook from Google (KSPP) about Linux kernel hardening and

self-protection, including KASLR and FGKASLR, delving into the finer

points of linker scripts, kernel address pointer info leaks through debug

logs, detecting possible integer overflows in C by relying on undefined

behaviour of signed integer wraparound, hardware support for detecting

memory corruption and more.

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

January 06, 2022

Episode 145

56 minutes

Overview

The Ubuntu Security Podcast is back for 2022 and we’re starting off the

year with a bang💥! This week we bring you a special interview with Kees

Cook of Google and the Linux Kernel Self Protection Project discussing

Linux kernel hardening upstream developments. Plus we look at security

updates for Mumble, Apache Log4j2, OpenJDK and more.

This week in Ubuntu Security Updates

31 unique CVEs addressed

[USN-5195-1] Mumble vulnerability [01:02]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-27229

Low-latency VoIP client - client / server model

Client picks a server to connect to from public server list

Malicious actor could register a server with a web URL that uses some

other protocol - e.g. smb to then refer to a .desktop file

When user chose the option to ‘Open Webpage’ for that server, would

automatically fetch and execute via underlying Qt framework libraries

QDesktopServices::openUrl function

Fixed to check URI scheme and only open if is http/https

Wonder if this kind of vuln may be seen in other applications?

[USN-5192-2] Apache Log4j 2 vulnerability [02:13]

1 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2021-44228

Log4j2 update for 16.04 ESM - see Episode 142

[USN-5203-1] Apache Log4j 2 vulnerability

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)

CVE-2021-45105

More Log4j2 vulns - possible to crash applications using log4j2 by

specifying a crafted string that would get logged which would then cause

infinite recursion when doing lookup evaluation

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Log4Shell

[USN-5202-1] OpenJDK vulnerabilities [03:13]

14 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)

CVE-2021-35603

CVE-2021-35588

CVE-2021-35586

CVE-2021-35578

CVE-2021-35567

CVE-2021-35565

CVE-2021-35564

CVE-2021-35561

CVE-2021-35559

CVE-2021-35556

CVE-2021-35550

CVE-2021-2388

CVE-2021-2369

CVE-2021-2341

Mix of issues resolved with this latest point release update for

openjdk-8 and openjdk-11

Info leak via FTP client impl when connecting to malicious FTP server

Mishandling of JARs with multiple manifests -> signature verification bypass

Sandbox escape via crafted Java class

Use of weak crypto ciphers by default -> info leak

DoS via malicious RTF, BMP or class files

and more…

[USN-5199-1, USN-5200-1, USN-5201-1] Python vulnerabilities [04:26]

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04) for Python 3.8/3.9

CVE-2021-3737

2 CVEs addressed in Bionic (18.04 LTS) for Python 3.6

CVE-2021-3737

CVE-2021-3733

3 CVEs addressed in Bionic (18.04 LTS) for Python 3.7/3.8

CVE-2021-3737

CVE-2021-3733

CVE-2020-8492

3 different DoS via urllib http client

infinite loop when handling 100 Continue responses - malicious HTTP

server could cause a DoS against clients - affects all

ReDoS due to quadratic complexity regex in basic auth handling - only

affects Python 3.6->3.8 in Ubuntu 18.04

Similar but different ReDos in basic auth handling - only affects

Python 3.7/3.8 in Ubuntu 18.04

[USN-5198-1] HTMLDOC vulnerability [05:37]

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)

CVE-2021-23180

Used to covert HTML/Markdown files to generate EPUB/HTML/PS/PDF with ToC

etc

Through fuzzing a NULL ptr deref was found if given crafted input HTML

file -> crash -> DoS

[USN-5186-2] Firefox regressions [06:06]

10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)

CVE-2021-43540

CVE-2021-43546

CVE-2021-43545

CVE-2021-43543

CVE-2021-43542

CVE-2021-43541

CVE-2021-43539

CVE-2021-43538

CVE-2021-43537

CVE-2021-43536

95.0.1

WebRender crash on some X11 systems

Failure to connect to microsoft.com domains

Goings on in Ubuntu Security Community

Seth and John talk Linux Kernel Security with Kees Cook [06:53]

Seth Arnold and John Johansen from the Ubuntu Security team chat with

Kees Cook from Google (KSPP) about Linux kernel hardening and

self-protection, including KASLR and FGKASLR, delving into the finer

points of linker scripts, kernel address pointer info leaks through debug

logs, detecting possible integer overflows in C by relying on undefined

behaviour of signed integer wraparound, hardware support for detecting

memory corruption and more.

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 145

Sign up to save your podcasts

Episode 145

Episode 145