Ubuntu 20.04 — mariadb-10.3 — multiple vulnerabilities (20 CVEs) — patch and remediation guide

📖 ~4 min read  •  Source: Ubuntu Security Notice USN-6600-1

Related CVEs: CVE-2022-47015 CVE-2023-22084 https://launchpad.net/bugs/2006882 CVE-2018-25032 CVE-2021-46669 CVE-2022-21427 CVE-2022-27376 CVE-2022-27377  +12 more

Upstream summary: Several security issues were discovered in MariaDB and this update
includes new upstream MariaDB versions to fix these issues.

MariaDB has been updated to 10.3.39 in Ubuntu 20.04 LTS, 10.6.16
in Ubuntu 22.04 LTS and 10.11.6 in Ubuntu 23.10.

CVE-2022-47015 only affected the MariaDB packages in Ubuntu 20.04 LTS
and Ubuntu 22.04 LTS.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Table of contents

1. Symptom & Impact
2. Environment & Reproduction
3. Root Cause Analysis
4. Quick Triage
5. Step-by-Step Diagnosis
6. Solution – Primary Fix
7. Solution – Alternative Approaches
8. Verification & Acceptance Criteria
9. Rollback Plan
10. Prevention & Hardening
11. Related Errors & Cross-Refs
12. References & Further Reading

Symptom & Impact

On Ubuntu 20.04 (focal) hosts that have mariadb-10.3 installed, administrators report behaviour consistent with Ubuntu Security Notice USN-6600-1: apt reports pending security updates, services backed by mariadb-10.3 fail or restart unexpectedly, AppArmor denials appear in the kernel log, and — for security-rated advisories — the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever mariadb-10.3 sits on the serving path.

Environment & Reproduction

Reproduction targets Ubuntu 20.04 (focal). Confirm release and installed package:

lsb_release -a
cat /etc/os-release
dpkg -l mariadb-10.3 | tail -2
apt-cache policy mariadb-10.3
uname -r

Trigger the workflow that exposes mariadb-10.3 — multiple vulnerabilities (20 CVEs) — patch and remediation guide while collecting:

sudo journalctl -u mariadb-10.3 -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/apt/history.log
sudo tail -200 /var/log/kern.log | grep -i apparmor

Root Cause Analysis

Root cause is documented in Ubuntu Security Notice USN-6600-1. Canonical security maintainers shipped fixes in the corresponding mariadb-10.3 update for Ubuntu 20.04; running an outdated build leaves the host exposed to the failure modes described in the advisory. Fixes land in the focal-security pocket of the main archive. Correlate apt history with the journal:

grep -A2 -B2 mariadb-10.3 /var/log/apt/history.log
zgrep -A2 -B2 mariadb-10.3 /var/log/apt/history.log.*.gz 2>/dev/null
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules

Quick Triage

Run these on Ubuntu 20.04 to capture the current state of mariadb-10.3:

dpkg -l mariadb-10.3 | tail -1                  # installed version
dpkg -V mariadb-10.3                             # verify shipped files
sudo apt update && apt list --upgradable 2>/dev/null | grep -i security
systemctl is-active mariadb-10.3
sudo ufw status verbose 2>/dev/null | head -20
sudo aa-status 2>/dev/null | head -20
# If mariadb-10.3 ships a service unit (unit/job name often differs from pkg name, e.g.
# bind9→named, apache2→apache2, postgresql-NN→postgresql@NN-main):
systemctl list-unit-files | grep -i mariadb | head

Step-by-Step Diagnosis

1. List failing services.

   systemctl --failed --no-pager

2. Tail the journal / syslog for mariadb-10.3.

   sudo journalctl -u mariadb-10.3 -f --no-pager
   sudo journalctl -xe -f --no-pager

3. Inspect UFW (Uncomplicated Firewall) state.

   sudo ufw status numbered
   sudo ufw show added
   sudo iptables -L -n -v | head -30

4. Surface AppArmor denials and switch the profile to complain mode if needed.

   sudo journalctl -k 2>/dev/null | grep -i 'apparmor="DENIED"' | tail -30
   sudo aa-status
   # /etc/apparmor.d/usr.bin.mariadb-10.3 or usr.sbin.mariadb-10.3 — inspect first
   sudo aa-complain /etc/apparmor.d/usr.bin.mariadb-10.3 2>/dev/null || true

5. Verify mariadb-10.3 integrity and reinstall if anything is altered.

   sudo dpkg -V mariadb-10.3
   sudo debsums -c mariadb-10.3 2>/dev/null
   sudo apt install --reinstall -y mariadb-10.3

6. Correlate findings with /var/log/apt/history.log, /var/log/dpkg.log, and Ubuntu Security Notice USN-6600-1 to pin the change that introduced mariadb-10.3 — multiple vulnerabilities (20 CVEs) — patch and remediation guide.

Solution – Primary Fix

Apply the corrective apt transaction referenced by Ubuntu Security Notice USN-6600-1, then reload the affected service:

sudo apt update
sudo apt -y install --only-upgrade mariadb-10.3
sudo systemctl daemon-reload
# Service name may differ from pkg name; check first:
systemctl list-unit-files | grep -i mariadb | head
sudo systemctl restart mariadb-10.3
dpkg -l mariadb-10.3 | tail -1            # confirm new version
systemctl is-active mariadb-10.3

For kernel / glibc / systemd / openssl advisories a reboot (or Livepatch) is required:

sudo apt install -y needrestart
sudo needrestart -r l       # list units that need restart
sudo systemctl reboot       # or: sudo shutdown -r now
# Livepatch (Ubuntu Pro) avoids reboot for many kernel CVEs:
sudo canonical-livepatch status
sudo canonical-livepatch refresh

Solution – Alternative Approaches

If the primary upgrade is not viable, pick from these:

• Hold the package so apt cannot upgrade it:

  sudo apt-mark hold mariadb-10.3
  apt-mark showhold | grep mariadb-10.3
  # Release the hold later with:
  sudo apt-mark unhold mariadb-10.3

• Pin a known-good version via apt preferences:

  # /etc/apt/preferences.d/mariadb-10.3.pref
  Package: mariadb-10.3
  Pin: version <good-version>
  Pin-Priority: 1001

• Downgrade to an older version if a regression is suspected:

  apt-cache madison mariadb-10.3
  sudo apt install --allow-downgrades -y mariadb-10.3=<older-version>

• Investigate AppArmor blocking the new binary; switch to complain briefly, capture denials, then re-enforce:

  sudo aa-complain /etc/apparmor.d/usr.bin.mariadb-10.3 2>/dev/null
  # reproduce the failure
  sudo journalctl -k | grep apparmor | tail
  sudo aa-enforce /etc/apparmor.d/usr.bin.mariadb-10.3 2>/dev/null

• Apply Canonical Livepatch (Ubuntu Pro) to land kernel fixes without reboot:

  sudo canonical-livepatch status
  sudo canonical-livepatch refresh

• Take only the security pocket update and defer the full point-release upgrade:

  sudo apt -y install --only-upgrade -t focal-security mariadb-10.3

Verification & Acceptance Criteria

All of these should pass after the fix is applied:

dpkg -l mariadb-10.3 | tail -1                                  # expected fixed version
apt list --upgradable 2>/dev/null | grep -i security || echo OK
systemctl is-active mariadb-10.3
sudo journalctl -u mariadb-10.3 --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo ufw status numbered | head
sudo aa-status 2>/dev/null | head -5

The original reproduction for mariadb-10.3 — multiple vulnerabilities (20 CVEs) — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change:

apt list --installed 2>/dev/null > /root/apt-pre.txt
dpkg --get-selections > /root/dpkg-pre.txt
# ZFS-on-root (Ubuntu 20.04+ default installer option):
sudo zfs snapshot rpool/ROOT/ubuntu@pre-mariadb-10-3
# LVM-on-root:
sudo lvcreate -L 4G -s -n root_pre_patch /dev/<vg>/<root-lv>

To revert:

sudo apt install --allow-downgrades -y mariadb-10.3=<old-version>
sudo systemctl daemon-reload
sudo systemctl restart mariadb-10.3
# Kernel rollback: pick the prior kernel from the GRUB menu, then:
sudo systemctl reboot
# ZFS rollback (rolls the whole root dataset):
sudo zfs rollback -r rpool/ROOT/ubuntu@pre-mariadb-10-3

Prevention & Hardening

Reduce the chance of this recurring on Ubuntu 20.04 (focal):

• Enable scheduled security updates via unattended-upgrades:

  sudo apt install -y unattended-upgrades update-notifier-common
  sudo dpkg-reconfigure -plow unattended-upgrades
  # /etc/apt/apt.conf.d/50unattended-upgrades:
  Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; };

• Install needrestart so services restart automatically after library upgrades:

  sudo apt install -y needrestart
  # /etc/needrestart/needrestart.conf -> $nrconf{restart} = 'a';

• Attach Ubuntu Pro to enable Livepatch and extended security coverage:

  sudo pro attach <token>
  sudo pro enable livepatch

• Subscribe to ubuntu-security-announce and watch ubuntu.com/security/cves.

• Monitor file integrity with debsums and AIDE:

  sudo apt install -y debsums aide
  sudo debsums -ca
  sudo aideinit && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  sudo aide --check

• For estate-wide patching, manage with Canonical Landscape:

  sudo apt install -y landscape-client
  sudo landscape-config

• Keep AppArmor profiles in enforce mode and apply CIS Ubuntu Linux Benchmark hardening.

Related Errors & Cross-Refs

Issues that commonly surface alongside mariadb-10.3 — multiple vulnerabilities (20 CVEs) — patch and remediation guide: apt lock contention, broken dpkg state, systemd ordering cycles, AppArmor denials, and UFW rule drift. Useful triage:

sudo dpkg --configure -a
sudo apt --fix-broken install
systemd-analyze critical-chain
sudo journalctl -k 2>/dev/null | grep -i apparmor | tail
cat /proc/sys/kernel/tainted

View all ubuntu-20-04 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: Ubuntu Security Notice USN-6600-1. Manual pages useful on Ubuntu 20.04:

man apt
man apt-get
man apt-mark
man dpkg
man systemctl
man journalctl
man ufw
man apparmor
man aa-status
man unattended-upgrades
man canonical-livepatch
man pro

Other resources: Ubuntu Security Notices, Ubuntu CVE Tracker, Ubuntu upgrade notes, and per-package notes in /usr/share/doc/mariadb-10.3/ for components implicated in mariadb-10.3 — multiple vulnerabilities (20 CVEs) — patch and remediation guide.