Vulnerability management tools in Ubuntu
Ubuntu provides tools and features to facilitate the implementation of a robust vulnerability management process, central to any information security strategy – from oversight of software vulnerabilities to remediation via security updates released for stable software versions.

Why vulnerability management?
Software vulnerabilities are a fact of life, with tens of thousands of CVE IDs allocated on a yearly basis. Full visibility and swift response times are necessary to maintain your systems’ security posture, whether it’s desktops, servers deployed in datacenters or containerized cloud-native applications.
Vulnerability management is a critical part of reducing cybersecurity risks by ensuring that software updates delivered through your patch management strategy are prioritized according to the impact they can have and the importance of the assets affected.
Implementing reliable processes
Information security standards and regulations require the establishment of proportional timelines for the remediation of vulnerabilities – this is key to prioritizing the management of the most critical risks. False positives increase costs unnecessarily, while false negatives provide a false sense of security. Let's explore how Ubuntu helps you implement reliable vulnerability management processes.
Identification
Ubuntu provides tools and data feeds to accurately identify both fixed and vulnerable software. Ubuntu LTS releases provide backported security patches to stable software versions – this means vulnerabilities are fixed without changing your environment's expected behavior. This could lead to vulnerability scanners generating false positive alarms if they naively assume a fix is only available in the latest version from the upstream supplier.
Reducing false positives is one of the goals of the collaboration with vulnerability scanning vendors through the Ubuntu Security Research Alliance Program.
Classification
Not all vulnerabilities are created equal. The Common Vulnerability Scoring System (CVSS) is a common system for classification, used across the industry. The Ubuntu CVE Priority offers an additional layer of information that takes characteristics of Ubuntu deployments into account. The Ubuntu Security Team considers both when prioritizing fixes, in addition to the Exploit Prediction Scoring System (EPSS) and the Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Security updates for all supported releases, including those receiving security maintenance with an Ubuntu Pro subscription, are distributed through a unified channel, offering strong integrity protections and simple operation. Vulnerability fixes can be applied automatically with the unattended upgrades feature, enabled by default on standard installations. Kernel security patches can be delivered via the Livepatch Service, without the need for system downtime (available with Ubuntu Pro).
Open data feeds compatible with all tools
Canonical provides up-to-date information about the status of vulnerabilities in all Ubuntu software. This is distributed in standard machine-readable formats that are supported by third-party tools:
Prompt notifications and expert advice
Ubuntu users can choose between several channels that enable them to stay on top of newly-disclosed vulnerabilities. Integration of security notices and CVE information with data feeds allows for instant automated response.

Ubuntu Security Notices (USNs)
USNs are released whenever the Ubuntu Security Team makes security updates available, referencing the fixed versions and the addressed CVEs, alongside a summary that aids in triage processes.

CVE Reports
The shared language of CVEs is augmented with Ubuntu-specific context in CVE Reports. All publicly-disclosed vulnerabilities tracked by the Ubuntu Security Team are referenced in this database.

Vulnerability Knowledge Base
High-impact vulnerabilities receive in-depth descriptions and guidance to help shape operational response. These are aggregated and freely available in the Vulnerability Knowledge Base.
Partnerships with scanning vendors
Canonical has launched the Ubuntu Security Research Alliance Program in order to promote the transparency, standardization and accuracy of vulnerability data generated by third-party scanning software.
Working alongside scanning vendors, the goal is to promote a strong security posture for Ubuntu users, by reducing inaccurate scan results that either increase costs or unnecessarily prolong exposure.

Ubuntu supports stable remediation
- Long term support for up to 12 years
- Security patches backported to stable versions for dependability
- Unattended security updates enabled on default installations
- Dependency management reduces the risk of incompatibilities
- Predictable release schedule for kernel security patches
- Livepatch service delivers kernel security updates to running systems, reducing reboot frequency
A leading game developer chose Ubuntu Pro to secure code dependencies and avoid costly migration.

Scaling up with Ubuntu Pro
Ubuntu Pro expands the strong security foundation of Ubuntu with features and services that support scalability across large and diverse computing estates.
Expanded Security Maintenance
ESM delivers security patches to Ubuntu LTS releases for up to 12 years, reducing the operational burden across heterogeneous deployments.
Livepatch service
Livepatch reduces the need for maintenance windows and cuts the exploitability interval by distributing Linux kernel security patches to running systems.
Landscape
Whether self-hosted, a managed solution or deployed via SaaS, Landscape provides the tools necessary for auditing, visibility and to automate vulnerability management processes across any number of systems.