Ubuntu Kernel Upgrade Script

I was asked to update my question:

I'm new to Linux Ubuntu and everything I've been doing so far is from searching on the web. However, I have been tasked to update the kernel to 10 of our Ubuntu servers, is there a common script I can use to do that?

We're using an application to scan vulnerabilities. The product revealed a lot of Critical kernel vulnerabilities. Most of our servers are Ubuntu 20.04.6 Most of our servers are running Linux kernel 5.15.0-1083-aws

The following steps worked for me:

wget https://raw.githubusercontent.com/pimlie/ubuntu-mainline-kernel.sh/master/ubuntu-mainline-kernel.sh
sudo install ubuntu-mainline-kernel.sh /usr/local/bin/
ubuntu-mainline-kernel.sh -i

Then enter Y

uname -rms

I tried using just the apt update or apt upgrade and even apt-get update, but those commands would never update my kernel.

"We're using an application to scan vulnerabilities" Such scanners are notorious for their many false positives, and lead to many questions like this.

• Pro Tip: Vulnerabilities are not tracked by software version nor by package version. Vulnerabilities are tracked by CVE number.

Before jumping to the conclusion that "we need to upgrade," you need to verify the scanner's conclusions.

1. The scanner output should include a list of CVEs.

2. Check each CVE using the Ubuntu CVE Tracker. This will tell you exactly which package versions are vulnerable to a specific CVE and which are not.

   This should filter down your list considerably, as you eliminate all the CVEs that were already mitigated automatically.

   • Pro Tip: There are two ways for users to mitigate a CVE: Patching and Upgrading. Ubuntu generally uses patching. Debian has used patching for over 25 years. It's an widely-accepted, auditable method of mitigating a CVE. Upstreams usually talk about upgrading simply because many users don't know how to patch. But we do.

3. Next, read the description of each remaining (un-mitigated) CVE. Look at the severity. Look at the effect (crash, data loss, code execution, permission bypass, etc.) Look at what's required to actually trigger the exploit. And ask if this is something you really need to mitigate, or if your existing processes and protections will suffice.

Also check that your systems are running the latest updated kernel provided by Ubuntu. As of today, the 20.04 systems on aws should be using 5.15.0.1038.43~20.04.27 (ubuntu-security) or 5.15.0.1039.44~20.04.28 (ubuntu-updates). Get that information from your package manager...and check your work for typos (5.15.0-1083-aws is not a real kernel yet).

If your kernel is indeed the latest for Ubuntu, and your organization REALLY still wants to "update the kernel", that's going to mean spinning up replacement machines with a newer release of Ubuntu (like 22.04) and migrating all your applications and data. Big job, and often unnecessary.

If your organization insists on (foolish) blind trust in the scanner results and demands a newer kernel while still running 20.04, we don't provide support for that. They will need to pay somebody for that custom work and ongoing support.