Ubuntu 16.04 LTS transitions to Extended Security Maintenance (ESM)
Tags: ESM , Extended Security Maintenance , LTS , Security , Ubuntu 16.04 , Xenial Xerus
This article was updated in September 2021 to reflect the new lifecycle of 16.04.
Ubuntu 16.04 LTS ‘Xenial Xerus’ transitions into the extended security maintenance (ESM) support phase at the end of April 2021 from its standard, five-year maintenance window for Ubuntu long term support (LTS) releases. Xenial Xerus is still supported until April 2026 with Extended Security Maintenance (ESM) through Ubuntu Advantage for Infrastructure, and on the public cloud with Ubuntu Pro for AWS, Azure and Google Cloud. ESM is also available to personal users on up to three machines and Ubuntu members on 50 machines. Ubuntu 16.04 is a Common Criteria certified operating system, providing access to FIPS 140-2 certified cryptographic modules with a solid history of timely security fixes.
Ubuntu long term support (LTS) releases provide a stable, enterprise platform for development and production, with five years of guaranteed public maintenance available. Once the public Standard Security Maintenance window comes to a close, Ubuntu LTS releases have an additional five years of support (depending upon the release) through ESM, in addition to providing a built-in upgrade in-place path to the next LTS release.
Access to ESM extends the LTS release coverage, allowing for continued security fixes for high and critical common vulnerabilities and exposures (CVEs) for the packages in the Ubuntu ‘main’ and ‘restricted’ archives for x86-64 architectures. This access permits organizations with workloads running on Ubuntu LTS releases to maintain compliance standards by providing a secure environment before upgrading can occur.
For users who need access to ESM, or have questions about this service, please refer to the questions below. Do not hesitate to get in touch with our team to discuss any additional questions on ESM for Ubuntu 16.04.
How can I access ESM?
You can access ESM with Ubuntu Pro on public cloud platforms, as well as with Ubuntu Advantage. If you are an Ubuntu Advantage customer and need access to the ESM repository, credentials can be found by clicking on the ESM block of your subscription in the Ubuntu Advantage portal. No actions are necessary with Ubuntu Pro to enable ESM.
If you are not a UA Infrastructure customer and need access to ESM, please get in touch with our team to learn more and enable ESM for your Ubuntu 16.04 systems.
Do I need Extended Security Maintenance?
Transitioning to the latest operating system, although important due to performance, hardware enablement as well as new technology enablement benefits, is a complex process for existing deployments. There are multiple deployment strategies and infrastructure options (Canonical Openstack, Charmed Kubernetes or bare-metal), and depending on their usage and the policies in place can reduce specific risks such as downtime during upgrade, but there are certain common challenges.
Typically enterprise solutions combine software from a variety of teams within an organization, in most cases there is an extended supply chain, involving software from 3rd party vendors, who in turn may have their own software vendors. Such complex scenarios result in a dependency on software stacks (e.g., Java, python) that have certain properties in the upgraded system that either got deprecated, replaced or slightly changed behavior in the newer system. The upgrade process in that case becomes a change management process involving risk analysis, stakeholder communication and possibly the upgrade of existing solutions, in addition to the actual operating system upgrade. That is even more challenging if you are in a heavily-regulated industry where the compliance process to meet the regulatory requirements, such as PCI-DSS, SOC2 and GDPR, would result in additional planning and implementation.
In these cases when the operational stability and security patching continuity of the already deployed systems is paramount, Ubuntu ESM reduces the risk of security incidents due to important and critical vulnerabilities. That way, by enrolling your systems onto the ESM lifecycle, you get the necessary time to roll out an upgrade plan, and extending the life of your existing deployments and hardware to the maximum supported by the deployed Ubuntu LTS system.
Additional reasons and industry requirements for ESM include the below:
- Legacy software maintenance – Irrespective of your software deployment method (containers, virtual machines or not bare metal), if your organisation is running legacy software that requires older libraries and packages that can not be re-engineered and therefore upgraded
- Hardware requirements – If your organisation has device software built on one version, in HDI or SCADA environments as an example, and are unable to be upgraded until testing can take place, commonly seen with the healthcare industry
- Long-term deployments – If your organisation has long-term deployments, typically common in telecommunications
What is covered by Ubuntu 16.04 ESM?
The Extended Security Maintenance phase of Ubuntu provides security updates including Linux kernel Livepatching for high and critical CVEs (Common Vulnerabilities and Exposures), in the Ubuntu base OS and scale-out infrastructure (Ceph, Openstack, see more detailed information), on the 64-bit x86 architectures.
How can I enable Ubuntu 16.04 ESM?
# Note that the following steps are not necessary in Ubuntu Pro # Install the latest UA client $ sudo apt update $ sudo apt install ubuntu-advantage-tools # Use the client to attach this machine to your contract using your UA token $ sudo ua attach <token> # Ensure ESM-infra is enabled as well: $ sudo ua enable esm-infra $ sudo apt update $ sudo apt upgrade
When performing the tasks above in a container, we recommend to remove the subscription credentials from them. This can be done by running ‘ua detach’.
How long will Ubuntu 16.04 ESM be supported?
Ubuntu 16.04 LTS ‘Xenial Xerus’ will be supported until April 2026 through Ubuntu Advantage ESM offer.
Is it time to upgrade?
It is recommended for all users to upgrade to the latest LTS release, Ubuntu 20.04. This release has significantly faster boot times, is built on the 5.4 kernel, supports Secure Boot to protect against low-level attacks and rootkits, applies Kernel Self Protection measures, assures control flow integrity and adds stack-clash protection for systemic forward-looking enterprise security.
There are three easy ways to in-place upgrade your systems –
1. Use the GUI by clicking the Software & Updates icon
2. Via the Release upgrades feature of Landscape, the cloud-management platform for Ubuntu machines
3. Input the below in the command line:
$ sudo do-release-upgrade
For those using 16.04 who cannot upgrade, or who are planning to upgrade in the near future, it is recommended to subscribe to ESM through the UA Infrastructure to not increase their risk of data compromise incidents due to unpatched vulnerabilities.
Can I use ESM for personal use?
Yes, individuals can access ESM through a free subscription. The free subscription allows for up to 3 machines and up to 50 for Ubuntu community members.
What are the risks without ESM?
Security vulnerabilities that remain unpatched form an attack vector, that results in increased risk for the availability, confidentiality and the integrity of your data, and ultimately a risk with impact on your business continuity plan. Even if you are not operating in a regulated environment such as the finance, healthcare and telco industries, we strongly recommend to consider the available options ranging from upgrading to the latest Ubuntu LTS, to the Extended Maintenance Support to mitigate the risks and operational costs that come from unidentified and unpatched vulnerabilities. Although threats and vulnerabilities change, some risks endure; check our reflections on the vulnerabilities identified and addressed during the Ubuntu 14.04 lifecycle on this post
Extended Security Maintenance (ESM) for Ubuntu 16.04 Xenial Xerus includes security patches for high and critical vulnerabilities for an additional five years of coverage and is available through an Ubuntu Advantage for Infrastructure subscription. For more information, please visit ubuntu.com/esm and reach out with any questions.