CVE-2021-32547
📋 TL;DR
This vulnerability in Apport's read_file() function allows local attackers to read arbitrary files via symbolic link or FIFO manipulation. When exploited through the openjdk-lts package hooks, it can expose sensitive data to other local users on the same system. Only affects systems with Apport and openjdk-lts package installed.
💻 Affected Systems
- Apport
- openjdk-lts
📦 What is this software?
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to complete system compromise through exposure of sensitive files like /etc/shadow, SSH keys, or configuration files containing credentials.
Likely Case
Unauthorized local users reading sensitive application data, configuration files, or temporary files containing user information.
If Mitigated
Limited data exposure restricted to files accessible by the apport user account, with no privilege escalation.
🎯 Exploit Status
Exploitation requires local user access and ability to create symbolic links or FIFOs in predictable locations. The bug report includes proof-of-concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apport 2.20.11-0ubuntu27.20 and later
Vendor Advisory: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904
Restart Required: No
Instructions:
1. Update Apport package: sudo apt update && sudo apt install apport
2. Update openjdk-lts package: sudo apt install openjdk-lts
3. No service restart required, but ensure Apport hooks are reloaded.
🔧 Temporary Workarounds
Disable Apport crash reporting
linuxTemporarily disable Apport to prevent exploitation while waiting for patch
sudo systemctl stop apport
sudo systemctl disable apport
Remove openjdk-lts package
linuxRemove the vulnerable package if not required
sudo apt remove openjdk-lts
🧯 If You Can't Patch
- Restrict local user access to systems with Apport and openjdk-lts installed
- Implement strict file permission controls and monitor for suspicious symbolic link creation
🔍 How to Verify
Check if Vulnerable:
Check Apport version: dpkg -l | grep apport | grep ^iiCheck Version:
dpkg -l apportVerify Fix Applied:
Verify Apport version is 2.20.11-0ubuntu27.20 or later: dpkg -l apport📡 Detection & Monitoring
Log Indicators:
- Apport crash reports accessing unexpected files
- Failed file access attempts in system logs
Network Indicators:
- None - local-only vulnerability
SIEM Query:
Process creation where parent is apport and command includes read_file operations on sensitive paths