Canonical has recently released security updates that address multiple Vim vulnerabilities in Ubuntu 14.04 ESM. Ubuntu 14.04, codenamed “Trusty Tahr,” reached its end of life (EOL) on April 30, 2019. After that date Canonical stopped publishing standard updates, including security patches, for the release. Some users and organizations nevertheless still run Ubuntu 14.04 because of legacy software dependencies, stability concerns, or the cost of upgrading.
The vulnerabilities addressed in this Ubuntu 14.04 ESM update were discovered and fixed upstream in 2021. Ubuntu 14.04 did not receive fixes at the time because it was already past its EOL.
CVE-2021-3973
This vulnerability is related to Vim’s handling of filenames in its search functionality. If an attacker tricked a user into opening a specially crafted file, Vim could crash, resulting in a denial of service (DoS).
CVE-2021-3974
This vulnerability involves improper memory handling when Vim opens and searches the contents of certain files. As with CVE-2021-3973, opening a malicious file could crash Vim (DoS). In this case, however, an attacker could also potentially achieve arbitrary code execution with the privileges of the user running Vim, which is a more severe outcome.
CVE-2021-3984, CVE-2021-4019, CVE-2021-4069
These vulnerabilities likewise stem from improper memory handling and can be triggered when opening or editing certain types of files in Vim. Successful exploitation could crash the application or, worse, execute arbitrary code with the same privileges as the user running Vim. All five issues require a user to open an attacker-supplied file, so the practical exposure is anyone who routinely edits untrusted input (mail attachments, downloaded configs, files from shared mounts) in Vim.
Given these risks, applying the patches is important for anyone still running Ubuntu 14.04. Although standard support ended in 2019, Canonical offers Extended Security Maintenance (ESM) through Ubuntu Pro, which continues to provide security updates beyond the EOL date so that users can keep running older releases with patched packages. A host only receives these updates if it is attached to an Ubuntu Pro subscription with the ESM repositories enabled; confirm coverage with `pro status`, then verify that the installed vim packages are at or above the fixed version listed in USN-6965-1 (for example with `apt-cache policy vim`).
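Whether the fix has actually landed on a host comes down to comparing the installed package version with the fixed version from USN-6965-1 using Debian’s version ordering, which is what `dpkg --compare-versions` implements. The following is an added example, not code from this post, from TuxCare, or from Canonical: it reimplements that ordering in Python so the check can run inside an inventory script on any host, and applies it to constructed `dpkg-query` output. The sample version strings, the `+esm9` suffix and the value of `FIXED_VERSION_PLACEHOLDER` are placeholders for illustration; substitute the fixed version published in USN-6965-1 for your release.

```python
import re
from typing import Dict, Tuple

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n' 'vim*'`
# output. The versions are placeholders, not the real USN-6965-1 values.
SAMPLE_DPKG_QUERY = """\
vim 2:7.4.052-1ubuntu3
vim-common 2:7.4.052-1ubuntu3
vim-tiny 2:7.4.052-1ubuntu3.1+esm9
"""

# Placeholder (assumption): replace with the fixed version from USN-6965-1.
FIXED_VERSION_PLACEHOLDER = "2:7.4.052-1ubuntu3.1+esm9"


def _order(c: str) -> int:
    """Weight dpkg gives a character inside a non-digit run: '~' sorts before
    everything (even the end of the string, which weighs 0), letters sort
    before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    """Modified lexical comparison of two non-digit runs."""
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the dpkg way:
    alternate between non-digit runs (lexical) and digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; the revision follows the last '-'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def dpkg_compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions v1 lt|eq|gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_dpkg_query(output: str) -> Dict[str, str]:
    """Parse '<package> <version>' lines into a dict."""
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if line:
            pkg, ver = line.split(maxsplit=1)
            installed[pkg] = ver
    return installed


def is_patched(installed: Dict[str, str], package: str, fixed: str) -> bool:
    """True only if the package is installed at or above the fixed version;
    a missing package is reported as not patched so it gets a second look."""
    ver = installed.get(package)
    return ver is not None and dpkg_compare(ver, fixed) >= 0


if __name__ == "__main__":
    inst = parse_dpkg_query(SAMPLE_DPKG_QUERY)
    for pkg in sorted(inst):
        state = "patched" if is_patched(inst, pkg, FIXED_VERSION_PLACEHOLDER) else "VULNERABLE"
        print(f"{pkg:12} {inst[pkg]:30} {state}")
```

On a live host, feed the script real `dpkg-query -W -f='${Package} ${Version}\n' 'vim*'` output and the fixed version from the advisory. A version number alone is only meaningful when the package comes from the ESM pocket (`apt-cache policy vim` shows the origin); a higher version pulled from a third-party PPA does not carry Canonical’s fix. Where dpkg is present, `dpkg --compare-versions "$installed" ge "$fixed"` remains the authoritative check, and this code is written to agree with it.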
While Ubuntu Pro’s ESM service offers a lifeline for those using outdated Ubuntu versions, it is not the only option available. For organizations relying on other older Linux versions, such as CentOS 6, 7, and 8, CentOS Stream 8, Oracle Linux 6 and 7, and Ubuntu 16.04 and 18.04, TuxCare’s Extended Lifecycle Support (ELS) provides an affordable solution. ELS offers up to five years of security patching after the EOL date and covers over 140 packages, including the Linux kernel, Vim, Python, OpenSSL, glibc, OpenJDK, and more.
The above Vim vulnerabilities also affect CentOS 6, Oracle Linux 6, CloudLinux 6, and Ubuntu 16.04. The ELS team has already released patches for these end-of-life Linux distributions. You can monitor the release status of all vulnerabilities in the CVE tracker.
Ask us a question to learn more about how Extended Lifecycle Support ensures your Linux environment remains secure, even when using end-of-life distributions.
Source: USN-6965-1
The post Ubuntu Patches Multiple Vim Vulnerabilities appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/ubuntu-patches-multiple-vim-vulnerabilities/