Ubuntu Server 18.04 – Understanding and responding to CVEs

I’ve already mentioned some of the things you can do in order to protect your server from some common threats, and I’ll give you more tips later on in this chapter. But how does one know when there’s a vulnerability that needs to be patched? How do you know when to take action? The best practices I’ll mention in this chapter will only go so far; at some point, there may be some sort of security issue that will require you to do something beyond generating a strong password or locking down a port.

The most important thing to do is to keep up with the news. Subscribe to sites that report news on security vulnerabilities; I’ll place a few of these in the Further reading section of this chapter. When a security flaw is revealed, it’s typically reported on these sites and given a CVE number, under which security researchers document their findings.

CVE, short for Common Vulnerabilities and Exposures, is a special online catalog detailing security vulnerabilities and their related information. In fact, many Linux distributions (Ubuntu included) maintain their own CVE catalogs with vulnerabilities specific to their platform. On such a page, you can see which CVEs your version of the distribution is vulnerable to, which have been responded to, and what updates to install in order to address them.

Often, when a security vulnerability is discovered, it will receive a CVE identification right away, even before mitigation techniques are known. In my case, I’ll often watch a CVE page for a flaw when one is discovered, and look for it to be updated with information on how to mitigate it once that’s determined. Most often, closing the hole will involve installing a security update, which the security team for Ubuntu will create to address the flaw. In some cases, the new update will require restarting the server or at least a running service, which means I may have to wait for a maintenance period to perform the mitigation.

I recommend taking a look at the Ubuntu CVE tracker, available at https://people.canonical.com/~ubuntu-security/cve/.

On this site, Canonical (the maker of Ubuntu) keeps information regarding CVEs that affect the Ubuntu platform. There, you can get a list of vulnerabilities that are known to the platform as well as the steps required to address them. There’s no one rule about securing your server, but paying attention to CVEs is a good place to start. We’ll go over installing security updates in the next section, which is the most common method of mitigation.
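Once the tracker names a fix, you still need to know whether a given server has it. The script below is an added example, not part of the original chapter: it assumes the security update lists the CVE ID in the package's Debian-format changelog, and reports the earliest version whose entry mentions that ID. The package name, versions and CVE IDs in the sample are constructed, and `cve_fixed_in`, `check_installed` and `sample_changelog` are names chosen here.

```shell
# Constructed sample in Debian changelog format, newest entry first
# (maintainer trailer lines omitted; names, versions and CVE IDs are made up).
sample_changelog() {
cat <<'EOF'
examplepkg (1.0-1ubuntu0.3) bionic-security; urgency=medium
  * SECURITY UPDATE: regression in the fix for CVE-0000-1111
  * SECURITY UPDATE: unrelated flaw, CVE-0000-11112

examplepkg (1.0-1ubuntu0.2) bionic-security; urgency=medium
  * SECURITY UPDATE: bounds check in parser
    - CVE-0000-1111

examplepkg (1.0-1) bionic; urgency=low
  * Initial release.
EOF
}

# cve_fixed_in CVE-ID  (changelog on stdin)
# Prints the oldest version whose entry mentions the CVE; returns 1 if none does.
cve_fixed_in() {
    awk -v cve="$1" '
        /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {   # entry header: pkg (version) suite
            ver = $2; gsub(/[()]/, "", ver); next
        }
        {
            line = $0
            while ((i = index(line, cve)) > 0) {
                rest = substr(line, i + length(cve))
                if (rest !~ /^[0-9]/) { fixed = ver; break }  # whole ID, not a prefix
                line = rest
            }
        }
        END { if (fixed == "") exit 1; print fixed }
    '
}

# check_installed PACKAGE CVE-ID: run the same check against an installed package.
check_installed() {
    log="/usr/share/doc/$1/changelog.Debian.gz"
    [ -r "$log" ] || { echo "$1: no changelog at $log" >&2; return 2; }
    if ver=$(zcat "$log" | cve_fixed_in "$2"); then
        echo "$1: $2 addressed in $ver; installed: $(dpkg-query -W -f='${Version}' "$1")"
    else
        echo "$1: $2 not in installed changelog; check the tracker"; return 1
    fi
}

sample_changelog | cve_fixed_in CVE-0000-1111   # prints 1.0-1ubuntu0.2
```

A miss only means the installed changelog does not mention the ID; the tracker remains the authority on whether the package is affected or still awaiting a fix.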