The article states that server isn't affected, because it requires access to a graphical desktop session.
Edit with direct quote from the article:
> Disclaimer: For someone to exploit this vulnerability, they need access to the graphical desktop session of the system, so this issue affects desktop users only.
It's somewhat common to install a graphical environment on server machines, particularly if they need to run certain (Oracle) enterprise software, for which GUI tools are either the only option, or by far the most expected and documented solution. Of course in theory you could install the bare minimum to run the utility using X-forwarding, in practice anyone doing this usually installs a full environment because it's much simpler to manage.
Plus, there are a few admins out there who simply prefer to use VNC over a straight terminal. I'm not here to judge; while this is uncommon, it's certainly not unheard of. Personally I would rather not have that much attack surface on my servers, but there are a few legitimate use cases here and there.
> It's somewhat common to install a graphical environment on server machines
It's really not that common. Yes there's the odd cases of servers that use enterprise software that have to have GUIs, but most linux boxes run headless. GUIs are just a waste of processing power and resources for the large majority of the things that servers are used for.
That said, I'm not happy that Canonical are entirely discounting the possibility that customers will have desktop environments installed on servers. It's not common, but it does happen.
I think this requires both a desktop environment to be installed, and local access to the server to be exploited (in most cases: X server is configured not to allow remote access by default in Ubuntu afaik).
The core vulnerability is in gdm which means that you have to have that running as a system service.
Though on second thought, if one can easily set up X forwarding as an unprivileged user, it might still be trivially exploitable.
Anyway, the announcement means that Ubuntu has fixes in affected (desktop) packages. If they are installed on a server, they'd be fixed with next apt update/upgrade too: they use the same package repositories.
One thing to note is that depending on how your network is structured and firewalled, if _one_ server has a graphical env of some sort (maybe a ML/image processing server that has graphical environments installed)... root access could be nasty nonetheless.
I never install GUIs on my servers, but when deploying a image processing server, while installing another package to debug CUDA/drivers, I've unintentionally added a full windowing system without realising it.
Unfortunately, nvidia-settings requires xorg to be installed and running (even when run in cli mode), and it's pretty much the only way to control fan speeds on consumer GPUs.
Only if the server has no GUI installed. I worked a place where the Network Admin, had a bunch of older RedHat servers with GUI's. I had to become the "bad guy" because on the newer boxes I was in charge of I refused to install a GUI, a bunch of devs pissed and moaned because they couldn't use xterm to connect to the new servers. It was pretty backwards place.
We run some machine learning systems on Ubuntu server, and it's really easy to accidentily install the full desktop environment while installing random graphics driver related packages. While figuring out how to set things up (before I formalized in an ansible script) one of the servers ended up with the desktop packages installed. Weird to look at the IPMI overview and between all the white on black kernel log outputs suddenly seeing a full Ubuntu desktop boot screen.
At the risk of igniting an irrelevant flame war, this is one of the primary reasons why I use Vim and only Vim as my IDE. I don't have to care about lack of graphical environments ;-)
Yes, I don't know if anybody will ever see this, but I agree! I would gladly pay similar for a robust VIM plugin setup that gave me similar features on a range of languages.
Edit with direct quote from the article:
> Disclaimer: For someone to exploit this vulnerability, they need access to the graphical desktop session of the system, so this issue affects desktop users only.
Am I wrong?