Ubuntu 14.04 — rpcbind — multiple vulnerabilities (3 CVEs) — patch and remediation guide

📖 ~4 min read  •  Source: Ubuntu Security Notice USN-4986-4

Related CVEs: https://launchpad.net/bugs/1931507 CVE-2017-8779 CVE-2015-7236

Upstream summary: USN-4986-1 fixed a vulnerability in rpcbind. The update caused a regression
resulting in rpcbind crashing in certain environments. This update fixes
the problem for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

It was discovered that rpcbind incorrectly handled certain large data
sizes. A remote attacker could use this issue to cause rpcbind to consume
resources, leading to a denial of service.

Table of contents

1. Symptom & Impact
2. Environment & Reproduction
3. Root Cause Analysis
4. Quick Triage
5. Step-by-Step Diagnosis
6. Solution – Primary Fix
7. Solution – Alternative Approaches
8. Verification & Acceptance Criteria
9. Rollback Plan
10. Prevention & Hardening
11. Related Errors & Cross-Refs
12. References & Further Reading

Symptom & Impact

On Ubuntu 14.04 (trusty) hosts that have rpcbind installed, administrators report behaviour consistent with Ubuntu Security Notice USN-4986-4: apt reports pending security updates, services backed by rpcbind fail or restart unexpectedly, AppArmor denials appear in the kernel log, and — for security-rated advisories — the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever rpcbind sits on the serving path.

Environment & Reproduction

Reproduction targets Ubuntu 14.04 (trusty). Confirm release and installed package:

lsb_release -a
cat /etc/os-release
dpkg -l rpcbind | tail -2
apt-cache policy rpcbind
uname -r

Trigger the workflow that exposes rpcbind — multiple vulnerabilities (3 CVEs) — patch and remediation guide while collecting:

sudo tail -200 /var/log/syslog | grep -i rpcbind
sudo tail -200 /var/log/syslog
sudo tail -200 /var/log/apt/history.log
sudo tail -200 /var/log/kern.log | grep -i apparmor

Root Cause Analysis

Root cause is documented in Ubuntu Security Notice USN-4986-4. Canonical security maintainers shipped fixes in the corresponding rpcbind update for Ubuntu 14.04; running an outdated build leaves the host exposed to the failure modes described in the advisory. On this release the fix typically arrives via the Ubuntu Pro ESM (esm-infra / esm-apps) channels rather than the standard archive. Correlate apt history with the journal:

grep -A2 -B2 rpcbind /var/log/apt/history.log
zgrep -A2 -B2 rpcbind /var/log/apt/history.log.*.gz 2>/dev/null
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules

Quick Triage

Run these on Ubuntu 14.04 to capture the current state of rpcbind:

dpkg -l rpcbind | tail -1                  # installed version
dpkg -V rpcbind                             # verify shipped files
sudo apt update && apt list --upgradable 2>/dev/null | grep -i security
sudo service rpcbind status
sudo ufw status verbose 2>/dev/null | head -20
sudo aa-status 2>/dev/null | head -20
# If rpcbind ships a service unit (unit/job name often differs from pkg name, e.g.
# bind9→named, apache2→apache2, postgresql-NN→postgresql@NN-main):
initctl list 2>/dev/null | grep rpcbind

On trusty the standard archive no longer ships security fixes. Verify Ubuntu Pro ESM coverage:

# `pro` CLI not available on this release; check the older `ubuntu-advantage-tools`:
sudo ua status --format=json 2>/dev/null | head
apt-cache policy | grep -i esm

Step-by-Step Diagnosis

1. List failing services.

   initctl list | grep -v running

2. Tail the journal / syslog for rpcbind.

   sudo tail -f /var/log/upstart/rpcbind.log
   sudo tail -f /var/log/syslog

3. Inspect UFW (Uncomplicated Firewall) state.

   sudo ufw status numbered
   sudo ufw show added
   sudo iptables -L -n -v | head -30

4. Surface AppArmor denials and switch the profile to complain mode if needed.

   sudo journalctl -k 2>/dev/null | grep -i 'apparmor="DENIED"' | tail -30
   sudo aa-status
   # /etc/apparmor.d/usr.bin.rpcbind or usr.sbin.rpcbind — inspect first
   sudo aa-complain /etc/apparmor.d/usr.bin.rpcbind 2>/dev/null || true

5. Verify rpcbind integrity and reinstall if anything is altered.

   sudo dpkg -V rpcbind
   sudo debsums -c rpcbind 2>/dev/null
   sudo apt install --reinstall -y rpcbind

6. Correlate findings with /var/log/apt/history.log, /var/log/dpkg.log, and Ubuntu Security Notice USN-4986-4 to pin the change that introduced rpcbind — multiple vulnerabilities (3 CVEs) — patch and remediation guide.

Solution – Primary Fix

Apply the corrective apt transaction referenced by Ubuntu Security Notice USN-4986-4, then reload the affected service:

sudo apt update
sudo apt -y install --only-upgrade rpcbind
# upstart uses initctl, not systemctl:
# Service name may differ from pkg name; check first:
initctl list 2>/dev/null | grep rpcbind
sudo service rpcbind restart
dpkg -l rpcbind | tail -1            # confirm new version
sudo service rpcbind status

On trusty the standard archive is past EoL for security; enable Ubuntu Pro ESM to receive the fix:

# Older releases use the `ua` command:
sudo ua attach <token>
sudo ua enable esm-infra
sudo ua enable esm-apps
sudo apt update
sudo apt -y install --only-upgrade rpcbind

For kernel / glibc / systemd / openssl advisories a reboot (or Livepatch) is required:

sudo apt install -y needrestart
sudo needrestart -r l       # list units that need restart
sudo systemctl reboot       # or: sudo shutdown -r now

Solution – Alternative Approaches

If the primary upgrade is not viable, pick from these:

• Hold the package so apt cannot upgrade it:

  sudo apt-mark hold rpcbind
  apt-mark showhold | grep rpcbind
  # Release the hold later with:
  sudo apt-mark unhold rpcbind

• Pin a known-good version via apt preferences:

  # /etc/apt/preferences.d/rpcbind.pref
  Package: rpcbind
  Pin: version <good-version>
  Pin-Priority: 1001

• Downgrade to an older version if a regression is suspected:

  apt-cache madison rpcbind
  sudo apt install --allow-downgrades -y rpcbind=<older-version>

• Investigate AppArmor blocking the new binary; switch to complain briefly, capture denials, then re-enforce:

  sudo aa-complain /etc/apparmor.d/usr.bin.rpcbind 2>/dev/null
  # reproduce the failure
  sudo journalctl -k | grep apparmor | tail
  sudo aa-enforce /etc/apparmor.d/usr.bin.rpcbind 2>/dev/null

• Take only the security pocket update and defer the full point-release upgrade:

  sudo apt -y install --only-upgrade -t trusty-security rpcbind

Verification & Acceptance Criteria

All of these should pass after the fix is applied:

dpkg -l rpcbind | tail -1                                  # expected fixed version
apt list --upgradable 2>/dev/null | grep -i security || echo OK
sudo service rpcbind status
sudo tail -50 /var/log/syslog | grep rpcbind || echo OK
sudo ufw status numbered | head
sudo aa-status 2>/dev/null | head -5

The original reproduction for rpcbind — multiple vulnerabilities (3 CVEs) — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change:

apt list --installed 2>/dev/null > /root/apt-pre.txt
dpkg --get-selections > /root/dpkg-pre.txt
# ZFS-on-root (Ubuntu 20.04+ default installer option):
sudo zfs snapshot rpool/ROOT/ubuntu@pre-rpcbind
# LVM-on-root:
sudo lvcreate -L 4G -s -n root_pre_patch /dev/<vg>/<root-lv>

To revert:

sudo apt install --allow-downgrades -y rpcbind=<old-version>
sudo service rpcbind restart
sudo service rpcbind restart
# Kernel rollback: pick the prior kernel from the GRUB menu, then:
sudo systemctl reboot
# ZFS rollback (rolls the whole root dataset):
sudo zfs rollback -r rpool/ROOT/ubuntu@pre-rpcbind

Prevention & Hardening

Reduce the chance of this recurring on Ubuntu 14.04 (trusty):

• Enable scheduled security updates via unattended-upgrades:

  sudo apt install -y unattended-upgrades update-notifier-common
  sudo dpkg-reconfigure -plow unattended-upgrades
  # /etc/apt/apt.conf.d/50unattended-upgrades:
  Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; };

• Install needrestart so services restart automatically after library upgrades:

  sudo apt install -y needrestart
  # /etc/needrestart/needrestart.conf -> $nrconf{restart} = 'a';

• Attach Ubuntu Pro for ESM (mandatory on this past-EoL release) and Livepatch where supported:

  sudo ua attach <token>
  sudo ua enable esm-infra
  sudo ua enable esm-apps

• Subscribe to ubuntu-security-announce and watch ubuntu.com/security/cves.

• Monitor file integrity with debsums and AIDE:

  sudo apt install -y debsums aide
  sudo debsums -ca
  sudo aideinit && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  sudo aide --check

• For estate-wide patching, manage with Canonical Landscape:

  sudo apt install -y landscape-client
  sudo landscape-config

• Keep AppArmor profiles in enforce mode and apply CIS Ubuntu Linux Benchmark hardening.

Related Errors & Cross-Refs

Issues that commonly surface alongside rpcbind — multiple vulnerabilities (3 CVEs) — patch and remediation guide: apt lock contention, broken dpkg state, systemd ordering cycles, AppArmor denials, and UFW rule drift. Useful triage:

sudo dpkg --configure -a
sudo apt --fix-broken install
initctl list | head
sudo journalctl -k 2>/dev/null | grep -i apparmor | tail
cat /proc/sys/kernel/tainted

View all ubuntu-14-04 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: Ubuntu Security Notice USN-4986-4. Manual pages useful on Ubuntu 14.04:

man apt
man apt-get
man apt-mark
man dpkg
man initctl
# journald not present on this release
man ufw
man apparmor
man aa-status
man unattended-upgrades
man ua

Other resources: Ubuntu Security Notices, Ubuntu CVE Tracker, Ubuntu upgrade notes, and per-package notes in /usr/share/doc/rpcbind/ for components implicated in rpcbind — multiple vulnerabilities (3 CVEs) — patch and remediation guide.