Launchpad.net

CVE 2020-15705

GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.

Related bugs and status

CVE-2020-15705 (Candidate) is related to these bugs:

Bug #1401532: GRUB's Secure Boot implementation loads unsigned kernel without warning

		In	Importance	Status
1401532	GRUB's Secure Boot implementation loads unsigned kernel without warning	grub2 (Ubuntu)	High	Fix Released
1401532	GRUB's Secure Boot implementation loads unsigned kernel without warning	grub2-signed (Ubuntu)	High	Fix Released
1401532	GRUB's Secure Boot implementation loads unsigned kernel without warning	grub2 (Ubuntu Xenial)	High	Fix Released
1401532	GRUB's Secure Boot implementation loads unsigned kernel without warning	grub2-signed (Ubuntu Xenial)	High	Fix Released
1401532	GRUB's Secure Boot implementation loads unsigned kernel without warning	grub2 (Ubuntu Trusty)	High	Fix Released
1401532	GRUB's Secure Boot implementation loads unsigned kernel without warning	grub2-signed (Ubuntu Trusty)	High	Fix Released
1401532	GRUB's Secure Boot implementation loads unsigned kernel without warning	grub2 (Ubuntu Bionic)	High	Fix Released
1401532	GRUB's Secure Boot implementation loads unsigned kernel without warning	grub2-signed (Ubuntu Bionic)	High	Fix Released

Bug #1872979: collectd core dump generated after lock/unlock controller-0

Summary				In	Importance	Status
	1872979	collectd core dump generated after lock/unlock controller-0		StarlingX	Low	Fix Released

Bug #1886064: Upgrades are not able to add new keystone users/services/endpoints

Summary				In	Importance	Status
	1886064	Upgrades are not able to add new keystone users/services/endpoints		StarlingX	Medium	Fix Released

Bug #1887438: Controller-0 Not Ready after force rebooting active controller (Controller-1)

Summary				In	Importance	Status
	1887438	Controller-0 Not Ready after force rebooting active controller (Controller-1)		StarlingX	Medium	Fix Released

Bug #1887677: stx-openstack: etcd 1MB size limit will prevent scaling up openstack workers

Summary				In	Importance	Status
	1887677	stx-openstack: etcd 1MB size limit will prevent scaling up openstack workers		StarlingX	Medium	Fix Released

Bug #1892768: Containerd config needs a jinja template

Summary				In	Importance	Status
	1892768	Containerd config needs a jinja template		StarlingX	Low	Fix Released

Bug #1893669: swact is not triggered after killing dnsmasq process within 90 seconds

Summary				In	Importance	Status
	1893669	swact is not triggered after killing dnsmasq process within 90 seconds		StarlingX	Medium	Fix Released

Bug #1894870: etcd instance not secured

Summary				In	Importance	Status
	1894870	etcd instance not secured		StarlingX	High	Fix Released

Bug #1895555: OAM IP change needs double lock/unlock controllers for IPV6 system

Summary				In	Importance	Status
	1895555	OAM IP change needs double lock/unlock controllers for IPV6 system		StarlingX	Medium	Fix Released

Bug #1900920: pods do not get restarted in an AIO-DX system

Summary				In	Importance	Status
	1900920	pods do not get restarted in an AIO-DX system		StarlingX	Medium	Fix Released

Bug #1901449: DC: rbd mounted devices becomes read only after enabling https on system controller

Summary				In	Importance	Status
	1901449	DC: rbd mounted devices becomes read only after enabling https on system controller		StarlingX	Medium	Fix Released

Bug #1903994: Retain more puppet log files to help with debugging

Summary				In	Importance	Status
	1903994	Retain more puppet log files to help with debugging		StarlingX	Low	Fix Released

Bug #1904739: kubernetes-nat rule not applied on controller following DOR

Summary				In	Importance	Status
	1904739	kubernetes-nat rule not applied on controller following DOR		StarlingX	Medium	Fix Released

Bug #1904885: Failure to connect to registry.local due to DNS resolution issues

Summary				In	Importance	Status
	1904885	Failure to connect to registry.local due to DNS resolution issues		StarlingX	Medium	Fix Released

Bug #1907678: New pip resolver breaks tox for some repos

Summary				In	Importance	Status
	1907678	New pip resolver breaks tox for some repos		StarlingX	High	Fix Released

Bug #1914291: Failure changing kube-apiserver parameters

Summary				In	Importance	Status
	1914291	Failure changing kube-apiserver parameters		StarlingX	High	Fix Released

Bug #1915050: IPv6: All hosts remain offline after booting off the controller-0

Summary				In	Importance	Status
	1915050	IPv6: All hosts remain offline after booting off the controller-0		StarlingX	Critical	Fix Released

Bug #1915951: Shared NIC: System doesn't retain the rate-limit config when a pod is deleted

Summary				In	Importance	Status
	1915951	Shared NIC: System doesn't retain the rate-limit config when a pod is deleted		StarlingX	Medium	Fix Released

Bug #1916620: Worker fails reboot recovery due to SRIOV timeout

Summary				In	Importance	Status
	1916620	Worker fails reboot recovery due to SRIOV timeout		StarlingX	Medium	Fix Released

Bug #1916946: CVE-2021-3156 sudo privilege escalation

Summary				In	Importance	Status
	1916946	CVE-2021-3156 sudo privilege escalation		StarlingX	Medium	Fix Released

Bug #1917229: worker runtime config missed system.yaml hiera

Summary				In	Importance	Status
	1917229	worker runtime config missed system.yaml hiera		StarlingX	Medium	Fix Released

Bug #1917308: Stx-openstack apply-fail after swact standby controller, lock, unlock standby controller

Summary				In	Importance	Status
	1917308	Stx-openstack apply-fail after swact standby controller, lock, unlock standby controller		StarlingX	Critical	Fix Released

Bug #1917781: Controller-0 showing disabled/offline in dm while it is unlocked/available in sysinv

Summary				In	Importance	Status
	1917781	Controller-0 showing disabled/offline in dm while it is unlocked/available in sysinv		StarlingX	Low	Fix Released

Bug #1918139: On AIO hosts, kuberenetes is starting before key resources are initialized

Summary				In	Importance	Status
	1918139	On AIO hosts, kuberenetes is starting before key resources are initialized		StarlingX	Medium	Fix Released

Bug #1919274: Adding bare-metal Ceph storage backend at runtime fails

Summary				In	Importance	Status
	1919274	Adding bare-metal Ceph storage backend at runtime fails		StarlingX	High	Fix Released

Bug #1919276: Bare-metal Ceph Metadata servers are not started by the Ceph runtime manifests

Summary				In	Importance	Status
	1919276	Bare-metal Ceph Metadata servers are not started by the Ceph runtime manifests		StarlingX	Medium	Fix Released

Bug #1920245: drbd filesystems not resized during bootstrap

Summary				In	Importance	Status
	1920245	drbd filesystems not resized during bootstrap		StarlingX	Medium	Fix Released

Bug #1923510: admin endpoint certificate overwritten by expired copy

Summary				In	Importance	Status
	1923510	admin endpoint certificate overwritten by expired copy		StarlingX	High	Fix Released

Bug #1923665: No LLDP information available for Fortville i40e NIC

Summary				In	Importance	Status
	1923665	No LLDP information available for Fortville i40e NIC		StarlingX	Medium	Fix Released

Bug #1923879: crash kernel fails to boot with ice network hw

Summary				In	Importance	Status
	1923879	crash kernel fails to boot with ice network hw		StarlingX	High	Fix Released

Bug #1924209: Storage-0 went offline due to NIC driver continuousely failed to allocate memory

Summary				In	Importance	Status
	1924209	Storage-0 went offline due to NIC driver continuousely failed to allocate memory		StarlingX	Low	Fix Released

Bug #1924579: armada-api container not using the correct user

Summary				In	Importance	Status
	1924579	armada-api container not using the correct user		StarlingX	Low	Fix Released

Bug #1924686: systemd excessively reads mountinfo and udev in dense container environments

Summary				In	Importance	Status
	1924686	systemd excessively reads mountinfo and udev in dense container environments		StarlingX	Medium	Fix Released

Bug #1924691: systemd sends tons of useless PropertiesChanged messages when a mount happens

Summary				In	Importance	Status
	1924691	systemd sends tons of useless PropertiesChanged messages when a mount happens		StarlingX	Medium	Fix Released

Bug #1926172: Fail to run unit tests with pepe8/flake8

Summary				In	Importance	Status
	1926172	Fail to run unit tests with pepe8/flake8		StarlingX	Low	Fix Released

Bug #1926366: Two unlocks required when converting a single-nic system to enable SR-IOV on the underlying interface

Summary				In	Importance	Status
	1926366	Two unlocks required when converting a single-nic system to enable SR-IOV on the underlying interface		StarlingX	Low	Fix Released

Bug #1926591: Unlock fails after restore when trying to resize docker-lv fs

Summary				In	Importance	Status
	1926591	Unlock fails after restore when trying to resize docker-lv fs		StarlingX	High	Fix Released

Bug #1927153: intel-fpga/intel-gpu/intel-qat: docker images build errors

Summary				In	Importance	Status
	1927153	intel-fpga/intel-gpu/intel-qat: docker images build errors		StarlingX	Medium	Fix Released

Bug #1927224: AIO-SX migration to AIO-DX failed on standalone system

Summary				In	Importance	Status
	1927224	AIO-SX migration to AIO-DX failed on standalone system		StarlingX	High	Fix Released

Bug #1927275: AIO-SX reboots after change OAM ip address

Summary				In	Importance	Status
	1927275	AIO-SX reboots after change OAM ip address		StarlingX	High	Fix Released

Bug #1927515: ETCD poor latency performance and failure under load

Summary				In	Importance	Status
	1927515	ETCD poor latency performance and failure under load		StarlingX	Medium	Fix Released

Bug #1927730: Secure boot via pxeboot fails with updated grub2

Summary				In	Importance	Status
	1927730	Secure boot via pxeboot fails with updated grub2		StarlingX	High	Fix Released

Bug #1927758: AIO-SX failed to come up due to sriov rate limit config failures in puppet

Summary				In	Importance	Status
	1927758	AIO-SX failed to come up due to sriov rate limit config failures in puppet		StarlingX	High	Fix Released

Bug #1927762: AIO-SX failed to start up after unlock due to lvm_global_filter.

Summary				In	Importance	Status
	1927762	AIO-SX failed to start up after unlock due to lvm_global_filter.		StarlingX	Medium	Fix Released

Bug #1928018: AIO-SX: armada pod stuck in Unknown after host-lock/unlock

Summary				In	Importance	Status
	1928018	AIO-SX: armada pod stuck in Unknown after host-lock/unlock		StarlingX	Medium	Fix Released

Bug #1928135: During upgrade activation, system controller swact and activation failed

Summary				In	Importance	Status
	1928135	During upgrade activation, system controller swact and activation failed		StarlingX	Medium	Fix Released

Bug #1928141: AIO-SX upgrade_platform playbook fails waiting for armada-api pod

Summary				In	Importance	Status
	1928141	AIO-SX upgrade_platform playbook fails waiting for armada-api pod		StarlingX	Medium	Fix Released

Bug #1928353: Bad behaving pod not well separated from the platform

Summary				In	Importance	Status
	1928353	Bad behaving pod not well separated from the platform		StarlingX	Medium	Fix Released

Bug #1928934: Storage-services loss of redundancy after lock/unlock of standby controller

Summary				In	Importance	Status
	1928934	Storage-services loss of redundancy after lock/unlock of standby controller		StarlingX	Medium	Fix Released

Bug #1933263: pxeboot_setup.sh copies wrong grubx64.efi

Summary				In	Importance	Status
	1933263	pxeboot_setup.sh copies wrong grubx64.efi		StarlingX	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2020-15705

Related bugs and status

Related bugs

References