CVE-2021-32553
📋 TL;DR
This vulnerability in Apport's read_file() function allows local attackers to read arbitrary files by exploiting symbolic links or FIFOs. When used by openjdk-17 package hooks, it can expose sensitive data to other local users on the same system. Only affects systems with Apport and openjdk-17 installed.
💻 Affected Systems
- apport
- openjdk-17
📦 What is this software?
Openjdk by Oracle
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to full system compromise through exposure of sensitive files like /etc/shadow, SSH keys, or configuration files containing credentials.
Likely Case
Unauthorized local users reading sensitive application data, configuration files, or temporary files containing partial credentials.
If Mitigated
Minimal impact with proper file permissions and isolation between user accounts, though information disclosure risk remains.
🎯 Exploit Status
Exploitation requires local user access and ability to create symbolic links or FIFOs in predictable locations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: apport 2.20.11-0ubuntu65 and later
Vendor Advisory: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904
Restart Required: No
Instructions:
1. Update Apport: sudo apt update && sudo apt install apport
2. Update openjdk-17 if separate package: sudo apt install openjdk-17-jre
3. Verify version with: dpkg -l apport
🔧 Temporary Workarounds
Disable Apport crash reporting
linuxTemporarily disable Apport to prevent exploitation while patching
sudo systemctl stop apport
sudo systemctl disable apport
Remove openjdk-17 Apport hooks
linuxRemove vulnerable hooks while maintaining Java functionality
sudo rm -f /usr/share/apport/package-hooks/source_openjdk-17.py
🧯 If You Can't Patch
- Implement strict file permissions and access controls to limit local user privileges
- Isolate sensitive systems from multi-user environments or implement mandatory access controls
🔍 How to Verify
Check if Vulnerable:
Check Apport version: dpkg -l apport | grep ^ii | awk '{print $3}' - if version is earlier than 2.20.11-0ubuntu65, system is vulnerableCheck Version:
dpkg -l apport | grep ^ii | awk '{print $3}'Verify Fix Applied:
Verify Apport version is 2.20.11-0ubuntu65 or later: dpkg -l apport | grep ^ii📡 Detection & Monitoring
Log Indicators:
- Unusual Apport crash reports for openjdk-17 processes
- Multiple failed crash report submissions
Network Indicators:
- None - local-only vulnerability
SIEM Query:
process.name:apport AND file.path:*openjdk* AND file.path:*symlink* OR file.path:*fifo*