Test and deploy individual CVE fixes with Pro Client and Landscape

In this tutorial, you will learn how to perform a phased rollout of individual CVE fixes. The typical use case is deploying a CVE patch in a development environment, and if the patch does not disrupt the workloads, deploy it in an identical manner in the production environment.

To complete this tutorial, you will use Landscape’s dashboard and the latest version of Pro Client, a command-line utility included in the ubuntu-advantage-tools package.

Beyond CVE patching, Pro Client also provides you with a simple mechanism to view, enable, and disable offerings from Canonical on your system. Pro Client produces machine readable outputs and integrates with other Canonical or third-party tooling. Beyond CVE patching, Pro Client can enable Ubuntu Pro services like Ubuntu Security Guide (USG), Extended Security Maintenance (ESM), FIPS, Livepatch, and more.

Landscape is Canonical’s systems management and monitoring solution. Landscape enables you to divide your Ubuntu estate into cross sections by tags, groups, annotations, and search queries, which can also filter hardware and software metadata. These cross-sections, regardless of size, can be reconfigured as easily as one machine.

We will compose interactions with Pro Client into a Landscape-aware shell script, and apply patches for individual CVEs to any selection of machines in your fleet. Pro Client’s CVE patch success and failure outputs are captured in Landscape’s Activity Monitor and Event Log.

To complete this tutorial, you will need:

• A machine running Ubuntu with ubuntu-advantage-tools installed
• Landscape Client installed and registered with either Landscape on-prem or Landscape SaaS
• Landscape Client that is allowed to remotely execute scripts with root privileges

Configure Landscape

The Landscape quickstart deployment guide offers the shortest path to a functional Landscape Server instance and enrolling a machine to be managed by Landscape with Landscape Client. Signing up for Landscape SaaS eliminates the server installation step, and relieves you of any maintenance activities to keep Landscape up to date.

The Landscape Client steps from the quickstart deployment guide are accurate for both Landscape SaaS and Landscape on-premises users. During installation, Landscape Client will request permission for executing scripts remotely for all users.

Landscape has a feature which enables administrators to run
arbitrary scripts on machines under their control. By default this
feature is disabled in the client, disallowing any arbitrary script
execution. If enabled, the set of users that scripts may run as is
also configurable.

Enable script execution? [y/N]:

Answering yes to this Enable script execution question is required for this tutorial to work successfully.

By default, scripts are restricted to the 'landscape' and
'nobody' users. Please enter a comma-delimited list of users
that scripts will be restricted to. To allow scripts to be run
by any user, enter "ALL".

Script users: ALL

Answering ALL to the Script users prompt is necessary to complete this tutorial. To be maximally useful, Landscape Client should be able to execute scripts with elevated privileges (such as root) on an as-needed basis.

Applying security patches for CVEs with known solutions on Ubuntu is simple, replace CVE-YYYY-XXXX with a valid CVE ID:

sudo pro fix CVE-YYYY-XXXX

If a machine is vulnerable to a CVE and if Canonical has published a patch for it, it will be applied. The output in your terminal will resemble this snippet:

CVE-YYYY-XXXX: description of CVE
https://myasnchisdf.eu.org/security/CVE-YYYY-XXXX
# of affected installed packages: listed here
(1/N) packageName:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y packageName }
CVE-YYYY-XXXX is resolved.

If a vulnerability has already been patched, the Pro Client will always reliably state the CVE is resolved, and terminate with a successful exit code. If a CVE has not been patched, Pro Client will state “Ubuntu security engineers are investigating this issue.” and mention the CVE “is not resolved”. These outputs can be parsed by third party tools, and by Landscape.

When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organised. Once there, click Add Script.

The same CVE ID should be used in the Title and Code, to prevent confusion as Actions and Events get logged in Landscape.

Add an example “pro fix CVE-2021-4034” script

Title: pro fix CVE-2021-4034

Code:

#!/bin/bash
pro fix CVE-2021-4034

Run as user: root

Time limit (seconds): 300

Access group: Global access

Run the example “pro fix CVE-2021-4034” script

1. Within the Landscape dashboard, click Computers in the primary navigation.
2. Select all the computers whose ESM configuration needs to be identified.
3. Click Scripts in the secondary navigation menu
4. Click the pro fix CVE-2021-4034 radio button, then click Next
5. Confirm the script reads correctly, choose when you want the script to be delivered, and click Run

Pro Client will be queued to perform the fix, within Landscape.

Without requiring a page refresh, the status will reflect “In Progress” while the CVE is actively being patched on a specific machine. Once the fix has been successfully applied, Landscape will report the status of the patch.

Landscape reports patch failures

If you attempt to apply a patch that doesn’t exist, or if Pro Client is unable to patch a CVE for any other reason, Landscape will report the failed patch attempt.

Clicking the word Failed will reveal the output in the command line, to provide further insight as to why the patch failed.

Congratulations! Your Landscape dashboard is reporting the outcomes of individual CVE fixes applied through Pro Client on any machine in your fleet. You now have a predictable and uniform method for applying CVE fixes anywhere in your Ubuntu estate.