OpenSCAP and OVAL Data Initialization
Security vulnerability assessment on Ubuntu 22.04 LTS (jammy) can be performed with OpenSCAP's oscap tool and Canonical's official OVAL datasets from security-metadata.canonical.com. The USN feed covers published Ubuntu Security Notices; the CVE feed covers individual CVEs, including ones Canonical has triaged but not yet fixed. The following script fetches both feeds for the running release, decompresses them, and produces an HTML report (plus a machine-readable results file) for each:
#!/usr/bin/env bash
# Fetch Canonical's OVAL feeds for the running release and evaluate them with oscap.
set -euo pipefail

DISTRO_CODENAME=$(lsb_release -cs)          # e.g. "jammy" on 22.04
BASE_URL="https://security-metadata.canonical.com/oval"

perform_scan() {
    local scan_type=$1                       # "usn" or "cve"
    local xml_file="com.ubuntu.${DISTRO_CODENAME}.${scan_type}.oval.xml"
    local compressed_file="${xml_file}.bz2"
    local output_report="scan_report_${scan_type}.html"
    local output_results="scan_results_${scan_type}.xml"   # machine-readable, for comparing runs

    wget -qN "${BASE_URL}/${compressed_file}"   # -N: only re-download if the feed changed
    bunzip2 -kf "${compressed_file}"            # -k keeps the .bz2 for -N; -f overwrites a stale .xml
    # oscap exits 2 when evaluation succeeded but the system was found non-compliant
    # (see oscap(8)); only 1 is an error, so don't let set -e abort on 2.
    oscap oval eval --results "${output_results}" --report "${output_report}" "${xml_file}" \
        || { rc=$?; [ "$rc" -eq 2 ] || return "$rc"; }
}

perform_scan "usn"
perform_scan "cve"
The first run reported 171 CVE definitions and 11 USN definitions evaluating true; the HTML report lists each with its title and severity.
Standard Remediation and Held Package Investigation
Initial remediation involved applying standard system updates:
sudo apt-get update -y
sudo apt-get upgrade -y
sudo apt-get dist-upgrade -y
Post-update scanning reduced the counts to 151 CVEs and 3 USNs. A reduction that small after a full upgrade suggested that something was keeping packages back. Listing the upgradable packages confirmed that several remained pending:
apt list --upgradable 2>/dev/null | grep -v "^Listing"
apt-mark showhold confirmed why: the kernel packages (linux-generic, linux-headers-*, linux-image-*), along with the Docker packages, had been placed on hold, which stops apt from upgrading them. The kernel holds were released; the Docker holds were deliberately left in place:
sudo apt-mark showhold | grep -E '^linux-(generic|headers|image)' | xargs -r sudo apt-mark unhold
With the holds removed, a distribution upgrade pulled in the new kernel packages. A subsequent scan, however, showed no change in the counts, and apt was still listing five packages as not upgraded:
sudo apt-get install --only-upgrade python3-update-manager ubuntu-minimal ubuntu-server ubuntu-standard update-manager-core
Upgrading those explicitly brought the counts down to 127 CVEs and 2 USNs. A dry run of unattended upgrades (unattended-upgrade --dry-run) found no pending security updates, so the standard repositories had nothing further to offer; the remaining findings had to have another cause.
Investigating the Unsupported Kernel
To investigate the remaining 127 CVEs, Canonical Livepatch was deployed to check kernel coverage:
sudo snap install canonical-livepatch
sudo canonical-livepatch enable ${LIVEPATCH_TOKEN}
sudo canonical-livepatch status --verbose
The status output reported: kernel state: ✗ kernel is not covered by Livepatch. Checking the running kernel (uname -r) explained why: it was 6.6.16-060616-generic, an unsigned build of the upstream kernel.org 6.6 mainline series that had been downloaded and installed by hand (package linux-image-unsigned-6.6.16-060616-generic) rather than a kernel from the Ubuntu archive. Livepatch only covers Ubuntu-built kernels, and Canonical's OVAL data describes Ubuntu archive packages, so it cannot vouch for a kernel that did not come from the archive. The mainline kernel had originally been installed to mitigate CVE-2024-1086, but Canonical's security bulletin for that CVE shows it was already fixed in the standard 5.15.0 kernel branch, so the custom kernel added no protection and cost both support and patch coverage.
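A quick way to catch this class of problem before reaching for Livepatch is to check where the running kernel's image package came from. The following Python script is an added example, not code from the original write-up: it takes the output of dpkg -S "/boot/vmlinuz-$(uname -r)" and of apt-cache policy for the package that command names, and reports whether the installed version has any origin other than /var/lib/dpkg/status (a package installed with dpkg -i from a downloaded .deb lists only that). The two sample outputs embedded in the script are constructed to mirror the two kernels in this write-up; the version strings and build timestamp are illustrative, not copied from a real host.

```python
"""Tell an Ubuntu-archive kernel from one installed by hand.

Added example. Inputs are the outputs of two commands run on the target host:
    dpkg -S "/boot/vmlinuz-$(uname -r)"        -> which package owns the running kernel
    apt-cache policy <that package>            -> where its installed version came from
A package installed from a downloaded .deb (dpkg -i) lists only
/var/lib/dpkg/status under its installed version; an archive package also
lists the repository it was fetched from.
"""

DPKG_STATUS = "/var/lib/dpkg/status"


def image_package_from_dpkg_search(dpkg_s_line):
    """'linux-image-X: /boot/vmlinuz-X' -> 'linux-image-X'."""
    pkg, _, _ = dpkg_s_line.partition(":")
    return pkg.strip()


def installed_version_origins(policy_output):
    """Origin entries listed under the installed ('***') version in apt-cache policy output."""
    origins = []
    in_installed = False
    for line in policy_output.splitlines():
        if line.startswith(" ***"):          # the installed version's row
            in_installed = True
            continue
        if in_installed:
            if line.startswith("        "):  # 8-space indent: an origin entry
                origins.append(line.strip())
            else:                            # next version row (5-space indent) or end
                break
    return origins


def assess_kernel(dpkg_s_line, policy_output):
    """Summarise the provenance of the running kernel's image package."""
    pkg = image_package_from_dpkg_search(dpkg_s_line)
    origins = installed_version_origins(policy_output)
    repo_origins = [o for o in origins if DPKG_STATUS not in o]
    return {
        "package": pkg,
        # Ubuntu's signed amd64 kernels are linux-image-<ver>; the mainline PPA
        # builds are linux-image-unsigned-<ver>. A hint only; the origins decide.
        "unsigned": pkg.startswith("linux-image-unsigned-"),
        "from_repo": bool(repo_origins),
        "repo_origins": repo_origins,
    }


# Constructed samples in the shape of the two commands' output. Version strings
# and the build timestamp are illustrative.
MAINLINE_DPKG_S = "linux-image-unsigned-6.6.16-060616-generic: /boot/vmlinuz-6.6.16-060616-generic"
MAINLINE_POLICY = """\
linux-image-unsigned-6.6.16-060616-generic:
  Installed: 6.6.16-060616.202402161234
  Candidate: 6.6.16-060616.202402161234
  Version table:
 *** 6.6.16-060616.202402161234 100
        100 /var/lib/dpkg/status
"""

ARCHIVE_DPKG_S = "linux-image-5.15.0-113-generic: /boot/vmlinuz-5.15.0-113-generic"
ARCHIVE_POLICY = """\
linux-image-5.15.0-113-generic:
  Installed: 5.15.0-113.123
  Candidate: 5.15.0-113.123
  Version table:
 *** 5.15.0-113.123 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     5.15.0-25.25 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
"""


if __name__ == "__main__":
    for dpkg_s, policy in ((MAINLINE_DPKG_S, MAINLINE_POLICY), (ARCHIVE_DPKG_S, ARCHIVE_POLICY)):
        a = assess_kernel(dpkg_s, policy)
        verdict = "from a configured repository" if a["from_repo"] else "NOT from any configured repository"
        print(f"{a['package']}: {verdict}" + (" (unsigned build)" if a["unsigned"] else ""))
```

To use it on a live host, replace the constructed samples with the real output of the two commands named in the docstring. A from_repo value of False for the running kernel is the signal that neither Livepatch nor the OVAL feeds can cover it, regardless of how recent the version number looks.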
Kernel Downgrade Procedure
Downgrading to the supported 5.15.x series meant identifying the kernels still installed, making sure the target kernel had an initramfs, and refreshing the GRUB menu:
# List installed kernel images (the 5.15.0 archive kernel should still be present)
dpkg-query -l 'linux-image-*' | grep '^ii'
# Build an initramfs for the target kernel (-c creates one; use -u instead to refresh an existing one)
sudo update-initramfs -c -k 5.15.0-113-generic
# Refresh the GRUB configuration so the menu reflects the installed kernels
sudo update-grub
The unsupported mainline kernel was then purged (dpkg --purge removes the package and its configuration in one step, so a separate --remove is not needed). It is worth running dpkg -l | grep 060616 first to catch companion packages from the same mainline build, such as headers or modules, and purging those as well:
sudo dpkg --purge linux-image-unsigned-6.6.16-060616-generic
Upon reboot, the system loaded the standard 5.15.0-113-generic kernel, which uname -r should now report. Re-running update-grub after the purge is cheap insurance that the boot menu no longer offers the removed kernel.
Final Assessment
After completing the kernel downgrade and re-applying full system updates, the final OpenSCAP scan produced an unexpected result: the CVE count jumped from 127 to 1010. Analysis of the generated report showed that these are vulnerabilities Canonical has acknowledged but whose fixes are still in a 'pending' state, predominantly rated low severity. The most likely explanation is that the kernel-related CVE definitions test for Ubuntu-archive kernel packages: with the mainline kernel installed they had nothing to match and stayed false, and with 5.15.0-113-generic in place every open kernel CVE that Canonical has triaged but not yet fixed now evaluates true. The jump reflects the scanner finally seeing the kernel, not the system becoming less secure.
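Counts like 171, 127 and 1010 are easier to interpret, and to compare between runs, when they are broken down by severity rather than read off the HTML report. The following Python script is an added example, not part of the original write-up, and serves both the initial scan and this final one: it parses the results XML that oscap oval eval --results writes, counts the definitions that evaluated true, skips the always-true inventory definition ("Ubuntu 22.04 LTS is installed"), and groups the rest by Canonical's <advisory><severity> value. The embedded sample document is a constructed, heavily trimmed results file in that shape; its definition ids, and the placeholder CVE ids other than CVE-2024-1086, exist only for the sample.

```python
"""Summarise an `oscap oval eval --results results.xml` file by severity.

Added example. It assumes the results file embeds the evaluated definitions
(oscap does this) and that the definitions carry Canonical's
<advisory><severity> element, as the Ubuntu USN/CVE OVAL feeds do.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}


def load_definition_metadata(root):
    """Map definition id -> class, primary reference (CVE/USN id), severity, title."""
    meta = {}
    for d in root.iterfind(".//def:definitions/def:definition", NS):
        md = d.find("def:metadata", NS)
        if md is None:
            continue
        ref = md.find("def:reference", NS)
        meta[d.get("id")] = {
            "class": d.get("class", ""),
            "ref": ref.get("ref_id") if ref is not None else d.get("id"),
            "severity": md.findtext("def:advisory/def:severity", default="Unknown", namespaces=NS),
            "title": md.findtext("def:title", default="", namespaces=NS),
        }
    return meta


def summarize(xml_text):
    """Return the true, non-inventory definitions with a severity breakdown."""
    root = ET.fromstring(xml_text)
    meta = load_definition_metadata(root)
    findings = []
    path = ".//res:results/res:system/res:definitions/res:definition"
    for r in root.iterfind(path, NS):
        if r.get("result") != "true":
            continue
        info = meta.get(r.get("definition_id"), {})
        # The inventory definition ("Ubuntu 22.04 LTS is installed") is true on
        # every matching host and is not a vulnerability; leave it out of the count.
        if info.get("class") == "inventory":
            continue
        findings.append((
            info.get("ref", r.get("definition_id")),
            info.get("severity", "Unknown"),
            info.get("title", ""),
        ))
    return {
        "total": len(findings),
        "by_severity": Counter(sev for _, sev, _ in findings),
        "findings": findings,
    }


# Constructed sample: the shape of an oscap results file, trimmed to the parts the
# summary needs. Definition ids and CVE ids other than CVE-2024-1086 are placeholders.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <definitions>
      <definition class="inventory" id="oval:com.ubuntu.jammy:def:100" version="1">
        <metadata><title>Ubuntu 22.04 LTS (jammy) is installed.</title></metadata>
      </definition>
      <definition class="vulnerability" id="oval:com.ubuntu.jammy:def:1" version="1">
        <metadata>
          <title>CVE-2024-1086 on Ubuntu 22.04 LTS (jammy) - high.</title>
          <reference source="CVE" ref_id="CVE-2024-1086" ref_url="https://ubuntu.com/security/CVE-2024-1086"/>
          <advisory><severity>High</severity></advisory>
        </metadata>
      </definition>
      <definition class="vulnerability" id="oval:com.ubuntu.jammy:def:2" version="1">
        <metadata>
          <title>CVE-0000-0002 on Ubuntu 22.04 LTS (jammy) - low.</title>
          <reference source="CVE" ref_id="CVE-0000-0002" ref_url="https://ubuntu.com/security/CVE-0000-0002"/>
          <advisory><severity>Low</severity></advisory>
        </metadata>
      </definition>
      <definition class="vulnerability" id="oval:com.ubuntu.jammy:def:3" version="1">
        <metadata>
          <title>CVE-0000-0003 on Ubuntu 22.04 LTS (jammy) - medium.</title>
          <reference source="CVE" ref_id="CVE-0000-0003" ref_url="https://ubuntu.com/security/CVE-0000-0003"/>
          <advisory><severity>Medium</severity></advisory>
        </metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.ubuntu.jammy:def:100" version="1" result="true"/>
        <definition definition_id="oval:com.ubuntu.jammy:def:1" version="1" result="true"/>
        <definition definition_id="oval:com.ubuntu.jammy:def:2" version="1" result="true"/>
        <definition definition_id="oval:com.ubuntu.jammy:def:3" version="1" result="false"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    report = summarize(text)
    print(f"{report['total']} definitions evaluated true")
    for sev, n in report["by_severity"].most_common():
        print(f"  {sev}: {n}")
    for ref, sev, title in report["findings"]:
        print(f"  {ref:16} {sev:8} {title}")
```

Run it as python3 oval_summary.py scan_results_cve.xml against a real results file. Keeping each run's results file and diffing the findings lists between runs shows exactly which definitions flipped, which is how a jump like 127 to 1010 can be attributed to kernel definitions rather than guessed at.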
Despite the increased CVE count, the kernel downgrade enabled successful integration with Livepatch:
sudo canonical-livepatch status --verbose
The status now confirmed: kernel state: ✓ kernel series 5.15 is covered by Livepatch. From here on, Livepatch applies fixes for high and critical kernel CVEs in the running kernel without a reboot; lower-severity kernel fixes still arrive as ordinary kernel package updates and take effect on the next reboot, so the regular update-and-reboot cycle remains necessary.