Ubuntu Pro: complete security blunder

George Shuklin, OpsOps
Apr 16, 2022

I decided to try to use Ubuntu Pro (available on GCE for some additional money) to see if it gives any advantages over ‘plain’ Ubuntu. Also, I was wondering who reacts faster to kernel security issues: Ubuntu or Debian.

I created an idle Ubuntu Pro instance and left it ‘as is’.

A few weeks later Dirty Pipe (CVE-2022-0847) happened. It’s a nasty bug with a trivial kernel fix: a perfect chance to see their ‘livepatch’ service doing its job.

What did I find?

  1. They did not bisect the problem for 6 days after the CVE disclosure. They did not even provide information about the problem. For comparison, Debian _FIXED_ the issue within 36 hours (maybe even faster; I checked it at 36).
  2. After they bisected and confirmed that my current kernel (Linux 5.11.0-1029-gcp #33~20.04.3-Ubuntu SMP Tue Jan 18 12:03:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux) was vulnerable, they… ignored it.
Ubuntu’s CVE-2022-0847 page as of 2022-04-16

FFF…

Excuse me, it’s a paid version. Installed on Feb 6, 2022, the latest LTS they provide. And they just neglected it.

I installed it to check how well Ubuntu Advantage is working. It’s not.

Now I’ve installed kernel updates manually (with a reboot). They provided me with a pile of updates to their ‘ubuntu advantage’ tool and some system packages, but ignored the kernel.

After the reboot I found myself on the 5.13.0-1023-gcp kernel.

Which has the fix for Dirty Pipe.

What is ‘advantage’ here? Kernel live patch? Nope. Nope. Nope.

Even with this patch I found that Ubuntu is an absolute disaster in terms of reaction to security issues. They were more than a week later than Debian with the fix, and they ignored the kernel they provided.

They pick some random kernels (which are not LTS) and then fail to live up to their promises of live patches.

Meanwhile, there are two things which work excellently in Ubuntu:

  • ua status can report a green livepatch status without any issues
  • they flawlessly charge additional money for essential support and ‘ua enabled’ status. Maybe it’s not their job, as it’s done by GCP, but, nevertheless, the money is taken without issues.
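A green livepatch status on a kernel that was still vulnerable is exactly why the running kernel should be verified independently of the vendor’s status tool. The script below is an added example, not part of the original post and not Ubuntu tooling: it classifies a uname -r string against CVE-2022-0847 using the upstream releases that carry the fix and the two GCP kernels named in the post; the per-flavour Ubuntu tables are an assumption built only from those two data points and report “unknown” for anything they cannot decide.

```python
import platform
import re

# Upstream stable series that received the Dirty Pipe fix (CVE-2022-0847) and the
# first patch level carrying it. Series from 5.8 to 5.16 that are absent here were
# end-of-life upstream and never received the fix there.
UPSTREAM_FIXED_PATCH = {(5, 10): 102, (5, 15): 25, (5, 16): 11}

# Ubuntu ABI numbers per (major, minor, flavour), taken only from the post:
# 5.11.0-1029-gcp was confirmed vulnerable, 5.13.0-1023-gcp carried the fix.
# These are data points (an assumption), not an official Ubuntu fixed-version list.
UBUNTU_KNOWN_VULNERABLE_ABI = {(5, 11, "gcp"): 1029}
UBUNTU_KNOWN_FIXED_ABI = {(5, 13, "gcp"): 1023}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+)-([a-z][a-z0-9-]*))?")

def parse_release(release):
    """Split a `uname -r` string such as '5.11.0-1029-gcp' or '5.10.102'."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, abi, flavour = m.groups()
    return int(major), int(minor), int(patch), (int(abi) if abi else None), flavour

def dirty_pipe_status(release):
    """Classify a release as 'not affected', 'vulnerable', 'fixed' or 'unknown'."""
    major, minor, patch, abi, flavour = parse_release(release)
    series = (major, minor)
    if series < (5, 8):      # the bug was introduced in 5.8
        return "not affected"
    if series >= (5, 17):    # every release after the fixes landed
        return "fixed"
    if abi is not None:      # Ubuntu-style release: use the per-flavour data points
        key = (major, minor, flavour)
        if abi <= UBUNTU_KNOWN_VULNERABLE_ABI.get(key, -1):
            return "vulnerable"
        if abi >= UBUNTU_KNOWN_FIXED_ABI.get(key, float("inf")):
            return "fixed"
        return "unknown"     # no evidence either way: do not assume it is safe
    fixed_patch = UPSTREAM_FIXED_PATCH.get(series)
    if fixed_patch is None:  # EOL upstream series: no fix was ever released for it
        return "vulnerable"
    return "fixed" if patch >= fixed_patch else "vulnerable"

def check_running_kernel():
    """Return (release, status) for the kernel this script is running on."""
    release = platform.release()
    return release, dirty_pipe_status(release)
```

Run check_running_kernel() on the instance itself and compare the result with what ua status reports; a disagreement means one of the two sources is wrong, and the kernel version is the one that counts.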
