CVE-2022-40982 is not resolved.

[rjgoverna]

Running Ubuntu 22.04.3 with kernel 6.2.0-35-generic

Output of $ pro fix CVE-2022-40982

CVE-2022-40982: Linux kernel (BlueField) vulnerabilities - https://ubuntu.com/security/CVE-2022-40982

4 affected source packages are installed: intel-microcode, linux, linux-
hwe-5.19, linux-hwe-6.2
(1/4) linux-hwe-5.19:
Sorry, no fix is available.
(2/4, 3/4, 4/4) intel-microcode, linux, linux-hwe-6.2:
A fix is available in Ubuntu standard updates.
The update is already installed.

1 package is still affected: linux-hwe-5.19
✘ CVE-2022-40982 is not resolved.

Tried $ sudo apt remove linux-hwe-5.19 , output is:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package linux-hwe-5.19
E: Couldn't find any package by glob 'linux-hwe-5.19'

$ apt list --installed | grep linux-image shows:

linux-image-6.2.0-34-generic/jammy-updates,jammy-security,now 6.2.0-34.34~22.04.1 amd64 [installed,automatic]
linux-image-6.2.0-35-generic/jammy-updates,jammy-security,now 6.2.0-35.35~22.04.1 amd64 [installed,automatic]
linux-image-generic-hwe-22.04/jammy-updates,jammy-security,now 6.2.0.35.35~22.04.13 amd64 [installed,automatic]

I'm confused, how do I get rid of linux-hwe-5.19 ?

EDIT: also tried $ sudo apt autoremove , still no go.

[MAFoElffen]

I think you are going to find this instead:

Code:

mafoelffen@Mikes-ThinkPad-T520:~$ apt list linux-hwe* --installed
Listing... Done
linux-hwe-5.13-headers-5.13.0-25/now 5.13.0-25.26~20.04.1 all [installed,local]
linux-hwe-5.19-headers-5.19.0-46/jammy-updates,jammy-updates,jammy-security,jammy-security,now 5.19.0-46.47~22.04.1 all [installed,automatic]
linux-hwe-6.2-headers-6.2.0-32/jammy-updates,jammy-updates,jammy-security,jammy-security,now 6.2.0-32.32~22.04.1 all [installed,automatic]
linux-hwe-6.2-headers-6.2.0-33/jammy-updates,jammy-updates,jammy-security,jammy-security,now 6.2.0-33.33~22.04.1 all [installed,automatic]
mafoelffen@Mikes-ThinkPad-T520:~$ apt list linux-image-generic* --installed
Listing... Done
linux-image-generic-hwe-22.04/jammy-updates,jammy-security,now 6.2.0.33.33~22.04.10 amd64 [installed,automatic]
linux-image-generic/jammy-updates,jammy-security,now 5.15.0.84.81 amd64 [installed,automatic]
mafoelffen@Mikes-ThinkPad-T520:~$ apt list linux-image-*-generic --installed
Listing... Done
linux-image-5.15.0-84-generic/jammy-updates,jammy-security,now 5.15.0-84.93 amd64 [installed,automatic]
linux-image-6.2.0-32-generic/jammy-updates,jammy-security,now 6.2.0-32.32~22.04.1 amd64 [installed,automatic]
linux-image-6.2.0-33-generic/jammy-updates,jammy-security,now 6.2.0-33.33~22.04.1 amd64 [installed,automatic]

As you can see on mine, there is no 5-19.0 active kernel, but the header file for it is still there (for some unknown reason).

Code:

mafoelffen@Mikes-ThinkPad-T520:~$ pro fix CVE-2022-40982
CVE-2022-40982: Linux kernel (BlueField) vulnerabilities
 - https://ubuntu.com/security/CVE-2022-40982

5 affected source packages are installed: intel-microcode, linux, linux-
    hwe-5.13, linux-hwe-5.19, linux-hwe-6.2
(1/5) linux-hwe-5.13:
Source package does not exist on this release.
(2/5) linux-hwe-5.19:
Sorry, no fix is available.
(3/5, 4/5, 5/5) intel-microcode, linux, linux-hwe-6.2:
A fix is available in Ubuntu standard updates.
The update is already installed.

2 packages are still affected: linux-hwe-5.13, linux-hwe-5.19
✘ CVE-2022-40982 is not resolved.

Same result (so far)

Note: I had to remove / purge both packages linux-hwe-5.19-headers-5.19.0-46 & linux-hwe-5.13-headers-5.13.0-25. When I removed just the first, then it said it wasn't resolved because the second was present, so...

Code:

sudo apt remove --purge linux-hwe-5.19-headers-5.19.0-46 linux-hwe-5.13-headers-5.13.0-25

Then

Code:

mafoelffen@Mikes-ThinkPad-T520:~$ pro fix CVE-2022-40982
CVE-2022-40982: Linux kernel (BlueField) vulnerabilities
 - https://ubuntu.com/security/CVE-2022-40982

3 affected source packages are installed: intel-microcode, linux, linux-hwe-6.2
(1/3, 2/3, 3/3) intel-microcode, linux, linux-hwe-6.2:
A fix is available in Ubuntu standard updates.
The update is already installed.

✔ CVE-2022-40982 is resolved.

It was not really a problem, because of those header files, neither had an active kernel installed... But removing them both satisfied the CVE fix 'test'.

[jauntyjackalope2]

interestingly, i've a quite similar situation:

uname -a

HTML Code:

Linux pro 6.5.0-9-generic #9-Ubuntu SMP PREEMPT_DYNAMIC Sat Oct  7 01:35:40 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

23.10 Mantic

An pro fix CVE-2022-40982 gives me an ✘ CVE-2022-40982 is not resolved. as well. Strangely without a specific description of the affected package:

Code:

1 package is still affected: linux

But, when i look up the CVW here: https://ubuntu.com/security/CVE-2022-40982
it is mentioned that the fix is contained with the new version of intel-microcode: mantic Released (3.20230808.1)
And that's the version i seem to have installed:
apt show intel-microcode

Code:

Package: intel-microcode
Version: 3.20230808.1

Any idea's on that? Thank you very much for your help (-:

[rjgoverna]

@MAFoElffen : Yep, that did the trick. Much appreciated!

[MAFoElffen]

@jauntyjackolope2

You are right. Please start a thread of your own here in this section for this. You have what they say is the fix for that.

I would file a bug against intel-microcode and mark it as "affects security"... There is a checkbox for that when you file bug reports. That marks the report as a priority and sends it directly to the security team for them to triage.

Code:

ubuntu-bug intel-microcode

Include the intel-microcode package version, (like you did here), and the pro --fix CVE output showing that it reports the CVE as not fixed.

Please post the details again in the new thread you created in this section, and post the link to that Bug Report so we can follow it.

[1fallen]

Include the intel-microcode package version, (like you did here), and the pro --fix CVE output showing that it reports the CVE as not fixed.

Please post the details again in the new thread you created in this section, and post the link to that Bug Report so we can follow it.

Filed here: snip
Broken link

[MAFoElffen]

@1fallen -- Sent you a PM on this... (You have Mail... LOL)

[1fallen]

Thanks that link is lost?? IJDK.
It may have been linked to 1-18 with the same, "bug/2040112" in Launchpad"
FTR:

Code:

ubuntu-bug intel-microcode

*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.
.........................

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the
automatically opened web browser.

What would you like to do? Your options are:
  S: Send report (4.0 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): S

*** Uploading problem information

The collected information is being sent to the bug tracking system.
This might take a few minutes.
99.07394609536973%

*** To continue, you must visit the following URL:

  https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+filebug/1fc5d138-70fb-11ee-85a7-c7116d9f638e?

You can launch a browser now, or copy this URL into a browser on another computer.


Choices:
  1: Launch a browser now
  C: Cancel
Please choose (1/C): 1

[MAFoElffen]

@jauntyjackolope2

Please post a new bug report as in Post #5... Launchpad will triage it quickly, as they did with 1fallen (and deferred it for other reasons, LOL). If a duplicate, they will link it to where it needs to go. As 1fallen just tried to report it himself, maybe they will remember that and start paying attention that this is really affecting people... LOL

I don't see where there is a bug report marked for this "yet"...

[MAFoElffen]

@jauntyjackolope2 -- If you are not going to file a Bug Report on yours, then I guess you feel this is acceptable and okay.

I know filing bugs is a pain in the behind, it takes about 5 minutes of your time, and you could b using that time to drinking another coffee, right?. But it is something that does not work as it should, and it needs to be pointed out to the Security Team to be corrected.

You have that problem. Your system can upload the circumstances where it occurs to show them. It gives them what they need to correct it.

I, personally, file a lot of Bug Reports. I do that for the good of the Community, Ubuntu as a distribution, and ("mostly", my foremost priority always) for the Users of Ubuntu. It only helps everyone, not just yourself.

Please do this self-less act to be able to contribute in your own way. That is why we are all here, helping each other. Right?