
jalipert

With the release of Ubuntu Pro, Laravel Forge provisioned servers are left vulnerable

Since Canonical released Ubuntu Pro this year, they are now withholding some security patches for many common packages, including some that are included on Laravel Forge provisioned servers.

I use AWS Inspector to monitor for vulnerabilities on my EC2 instances, and all of a sudden there are several medium-severity vulnerabilities that are unable to be patched with unattended-upgrades, or even a manual install. The patches are restricted to Ubuntu Pro users as part of the "ESM" service. This is not just true of older installations -- I have several vulnerabilities showing on 22.04.2 LTS builds, and I'm quickly approaching the SLA on resolving these for our SOC II protocol. This was never a problem in the past two years I've been using Forge + Ubuntu + AWS Inspector. All vulnerabilities were always patchable via unattended-upgrades or the occasional apt-get update/upgrade plus server reboot.

I'm not really sure what the best course of action is, but likely many enterprise Forge users will start feeling the effects of this soon. Perhaps there is another Unix distro that can be used, or maybe Forge can partner with Canonical to allow provisioning "Pro" servers at a reasonable cost?

Anyone else dealing with this now or have any ideas on how to best handle this situation?

LaryAI

One possible solution is to switch to a different Linux distribution that is not affected by the Ubuntu Pro security patches. For example, you could switch to CentOS or Debian, both of which are supported by Laravel Forge.

If you decide to switch to a different Linux distribution, you will need to make sure that all of your applications and services are compatible with the new OS. You may also need to make some changes to your configuration files.

Another option is to contact Canonical and see if they can provide a solution that allows you to access the security patches without having to upgrade to Ubuntu Pro.

Finally, you could also consider using a third-party security scanning service to identify and patch any vulnerabilities on your servers. This would allow you to keep using Ubuntu without having to upgrade to Ubuntu Pro.

jalipert

@LaryAI CentOS and Debian are supported by Laravel Forge? Please, tell me more...

jlrdw

Also check with forge support.

jalipert

@jlrdw Already did ;) I will add their response here when I receive it.

jalipert (OP, Best Answer)

I've been researching these vulnerabilities for the past few days and I've learned a bit more about the situation. These new ESM patches appear to only be for "universe packages" such as imagemagick, fail2ban, etc. and generally were not provided in the past by normal apt-get upgrade. Now, under Ubuntu Pro, some of these CVE fixes are being provided via the exclusive ESM service. Vulnerability scanners like AWS Inspector are also now picking up on some of these new vulnerabilities, but the patching instructions do not work unless you have a Pro license.

AWS does provide affordable VM licenses for Ubuntu Pro (~$6/year for a small-scale server), but unfortunately you cannot apply it to an existing provisioned VM. I think the best case scenario would be Laravel Forge releasing an update where Ubuntu Pro could be selected as the OS type when provisioning a new server, e.g.,

  • Ubuntu 22.04 LTS (Jammy)
  • Ubuntu 20.04 LTS (Focal)
  • Ubuntu Pro 22.04 LTS (Jammy)
  • Ubuntu Pro 20.04 LTS (Focal)
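Since the answer above pins the exposure to packages from the "universe" component, a quick way to size the problem on an existing Forge server is to list which installed packages come from a universe index. This is an added example, not code from the thread or from Forge; it assumes an Ubuntu host with uncompressed apt indexes under /var/lib/apt/lists and dpkg-query available, and it takes both inputs as parameters so the logic can be exercised offline on constructed files.

```shell
#!/bin/sh
# Added example (not from the thread): find installed packages that come from a
# "universe" apt index. Those are the ones whose CVE fixes Ubuntu now ships only
# through Ubuntu Pro / ESM; "main" packages keep getting regular security updates.
#
# Assumption: apt index files are uncompressed and named like
#   archive.ubuntu.com_ubuntu_dists_jammy_universe_binary-amd64_Packages
set -u

# universe_packages LISTS_DIR
#   prints the sorted, de-duplicated names of every package in a universe index
universe_packages() {
  lists_dir="$1"
  for idx in "$lists_dir"/*_universe_binary-*_Packages; do
    [ -e "$idx" ] || continue          # unmatched glob stays literal; skip it
    sed -n 's/^Package: //p' "$idx"    # one "Package: name" stanza per package
  done | sort -u
}

# installed_universe INSTALLED_FILE LISTS_DIR
#   INSTALLED_FILE holds one installed package name per line (dpkg-query output);
#   prints the installed packages that appear in a universe index
installed_universe() {
  installed="$1"; lists_dir="$2"
  uni="$(mktemp)"
  universe_packages "$lists_dir" > "$uni"
  sort -u "$installed" | comm -12 - "$uni"   # names present in both sorted lists
  rm -f "$uni"
}

# Live run on a real host; skipped where apt/dpkg are not present.
if [ -d /var/lib/apt/lists ] && command -v dpkg-query >/dev/null 2>&1; then
  inst="$(mktemp)"
  dpkg-query -W -f '${Package}\n' > "$inst"
  installed_universe "$inst" /var/lib/apt/lists
  rm -f "$inst"
fi
```

Every name this prints is a package whose future CVE fixes will only arrive via the ESM repositories, so it is the list to reconcile against the AWS Inspector findings when deciding whether a Pro subscription or a rebuild is needed.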
