With the news of an imminent 9.9 CVE on Linux servers, we have been busy ensuring our customer servers are protected.
The CVE is related to the CUPS printing system, which is not installed by default on Ubuntu servers. The CUPS printing system is a service that allows you to print from your machine to a printer. Although it is not a service that is required by most servers (servers usually are not connected to printers) our investigation showed that the CUPS service was installed on servers that had Ubuntu Snap packages installed.
As our customers deploy their applications to thousands of servers across 9 cloud providers, we ran some investigation to see the extent of this issue. Here is what we found:
- 1% of all servers had the CUPS service installed and enabled.
- Due to our firewall rules, none of the affected servers had CUPs ports exposed. However the details of this CVE is still not public and it is not clear if the vulnerability can be exploited without the ports being exposed.
- 1% of all server had the CUPS service installed but disabled.
- All affected servers had Ubuntu Chromium Snap packages installed.
Although we do not install Snap as part of a standard Cloud 66 deployment, some customers install Snap packages as part of their application deployment. To ensure that our customers are protected, we have now disabled cups
snap and cups-browsed
systemd services on all affected servers.