Alex Murray
on 20 July 2023

According to a recent study, 96% of applications in the enterprise market use open-source software. As the open source landscape becomes more and more fragmented, the task of assessing the impact of potential security vulnerabilities on an organisation can become overwhelming. Ubuntu is known as one of the most secure operating systems, but why? Ubuntu is a leader in security because, every day, the Ubuntu Security team is fixing and releasing updated software packages for known vulnerabilities. In fact, on average, the team provides more than 3 updates each day, and the most vital updates are prepared, tested and released within 24 hours. To achieve that result, Canonical designed a robust process to review, prioritise and fix the most crucial software vulnerabilities first. Software vulnerabilities are tracked as part of the Common Vulnerabilities and Exposures (CVE) system, and almost all security updates published by the Ubuntu Security team (via Ubuntu Security Notices – USNs) are in response to a given public CVE.

The robust triage process

The Ubuntu Security team manages its own CVE database to track CVEs against the software packages in the Ubuntu archive. As part of this process, each day the team triages the latest public vulnerabilities from various sources, including MITRE, NIST NVD and others. This triage involves assessing every single newly announced CVE and determining which (if any) software packages in Ubuntu may be affected, collecting any information required for patching the package (including upstream patches) and noting any potential mitigations for the vulnerability. Once CVEs are triaged against the applicable software packages, they are assigned a priority from the range negligible, low, medium, high and critical. This priority is then used by the Ubuntu Security team to indicate which vulnerabilities should be addressed first.

Security and stability

Any change to software introduces a risk of triggering a regression in functionality. While Canonical endeavours to test and validate every change we make, it is impossible to cover all use cases for every user, and so there is an inherent risk of affecting functionality. Therefore the value gained by fixing any security issue must always be weighed against the risk of the regression it might introduce. This balancing act is more of an art than a science, and it is hard to capture in clear rules, but for low or medium priority vulnerabilities in particular, the risk of regression needs to be considered very carefully. Factors such as the age of the code, how far the backported code structure differs from upstream, the range of functionality affected, and the user base of the package are all taken into account. This way Canonical aims to provide the most secure and stable platform possible to all Ubuntu users.

Extended CVE review

A common method for assessing the severity of CVEs is the Common Vulnerability Scoring System (CVSS). It is designed to provide a numerical value for the severity of a particular vulnerability, so that vulnerabilities can be compared with one another. The CVSS score for a given CVE is calculated from a number of inputs, and whilst this allows various aspects of the vulnerability to be considered, it does not capture the risk presented by that vulnerability. CVSS was designed to assess the technical severity of a vulnerability, yet it is often misused instead as a means of vulnerability prioritisation or risk assessment. Many aspects that matter for a given vulnerability are not captured by CVSS, including the likelihood that the affected software package is installed or in use, whether the default configuration of the package mitigates the vulnerability, and whether a known exploit for the vulnerability exists. As such, using CVSS alone to compare and prioritise vulnerabilities can lead to an incomplete risk profile.

CVE Prioritisation done right

In contrast, the priority value assigned by the Ubuntu Security team is designed to capture the individual context of each software package in Ubuntu, so that it can serve as an effective measure for prioritising security updates across every kind of Ubuntu instance – server, desktop, cloud and IoT. Vulnerabilities which affect the largest number of Ubuntu installations and which present the largest risk (for example, being remotely exploitable without any user input) are prioritised critical or high. Those which affect only a small number of users, require user input, or cause only lesser effects such as a denial of service may be prioritised medium, low or negligible. This prioritisation is done on a case-by-case basis for each vulnerability, and since a given vulnerability might apply to more than one package in the Ubuntu archive, a priority can also be assigned per package for the same vulnerability. This ensures that the vulnerabilities with the highest risk and impact, and which are likely to affect the largest number of Ubuntu installations, are fixed first regardless of their CVSS score, so that the risk of exploitation through known software vulnerabilities is limited as much as possible.
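To make the contrast between a CVSS-only ranking and a context-aware priority concrete, here is an added, illustrative model (not the Ubuntu Security team's algorithm; their actual criteria are documented in the Ubuntu CVE Tracker). The weights, the impact classes, and every CVE identifier and package name in it are assumptions constructed for the example. It scores a handful of vulnerabilities on the factors the two sections above name (remote reachability, user-input requirement, install base, default-configuration mitigation, known exploit) and shows how the resulting work queue differs from sorting by CVSS alone.

```python
"""Illustrative, context-aware CVE prioritisation (constructed example).

Not the Ubuntu Security team's algorithm; the weights below are assumptions
chosen to show why a CVSS-only order and a context-aware order differ.
"""
from dataclasses import dataclass

# Ubuntu's priority scale, lowest to highest.
PRIORITIES = ["negligible", "low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Vuln:
    cve: str                        # identifier (placeholders below, not real CVEs)
    package: str                    # affected package (constructed names)
    cvss: float                     # CVSS base score as published
    impact: str                     # "code-exec", "info-leak" or "dos"
    remote: bool                    # reachable over the network
    needs_user_input: bool          # victim must open a file, click, etc.
    installed_by_default: bool      # present on a typical install
    default_config_mitigates: bool  # shipped configuration blocks the path
    known_exploit: bool             # a public exploit exists


# Assumed starting level per impact class (index into PRIORITIES).
_IMPACT_BASE = {"code-exec": 3, "info-leak": 2, "dos": 1}


def context_priority(v: Vuln) -> str:
    """Map a vulnerability plus its package context to a priority label."""
    level = _IMPACT_BASE[v.impact]
    if v.remote:
        level += 1  # no local foothold required
    if v.known_exploit:
        level += 1  # exploitation is no longer hypothetical
    if v.needs_user_input:
        level -= 1  # attacker needs the victim's cooperation
    if v.default_config_mitigates:
        level -= 1  # most deployments are not exposed as shipped
    if not v.installed_by_default:
        level -= 1  # affects a small share of installations
    level = max(0, min(len(PRIORITIES) - 1, level))
    return PRIORITIES[level]


def cvss_order(vulns):
    """Work queue if only the CVSS score decides: highest score first."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def context_order(vulns):
    """Work queue ordered by contextual priority, CVSS as the tiebreaker."""
    def key(v):
        return (PRIORITIES.index(context_priority(v)), v.cvss)
    return [v.cve for v in sorted(vulns, key=key, reverse=True)]


# Constructed sample: neither the CVE ids nor the packages are real.
SAMPLE = [
    Vuln("CVE-EXAMPLE-0001", "rarely-installed-daemon", 9.8, "code-exec",
         remote=True, needs_user_input=False, installed_by_default=False,
         default_config_mitigates=True, known_exploit=False),
    Vuln("CVE-EXAMPLE-0002", "core-tls-library", 8.1, "code-exec",
         remote=True, needs_user_input=False, installed_by_default=True,
         default_config_mitigates=False, known_exploit=True),
    Vuln("CVE-EXAMPLE-0003", "desktop-image-viewer", 7.8, "code-exec",
         remote=False, needs_user_input=True, installed_by_default=True,
         default_config_mitigates=False, known_exploit=False),
    Vuln("CVE-EXAMPLE-0004", "optional-network-tool", 5.3, "dos",
         remote=True, needs_user_input=False, installed_by_default=False,
         default_config_mitigates=False, known_exploit=False),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.cve} {v.package:<24} CVSS {v.cvss:<4} -> {context_priority(v)}")
    print("CVSS-only order:    ", cvss_order(SAMPLE))
    print("Context-aware order:", context_order(SAMPLE))
```

Run as written, the highest-CVSS entry (a rarely installed daemon whose shipped configuration blocks the vulnerable path) lands at medium, while the lower-scored library that is installed everywhere and already has a public exploit comes out critical and moves to the front of the queue. The regression-risk factors from the previous section (code age, backport distance, affected functionality, user base) are deliberately left out of this model; they bear on how a fix is tested and released, not on which vulnerability is looked at first.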

To read more about the priority assigned to each vulnerability, as well as the criteria used for each priority assignment, refer to the Ubuntu CVE Tracker.
