CVE-2018-7183 is a remote code execution vulnerability in ntpq, the NTP query client. Here is the description from the CVE entry:
Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.
This sounds very severe; it is a remote code execution vulnerability, after all. But note where the bug lives: the vulnerable code is in the ntpq client, not in ntpd. ntpq overflows a fixed-size buffer while parsing the response to its own query, so an attacker has to control (or be able to forge the reply from) the server that ntpq is querying. That only matters when someone runs ntpq against a remote, untrusted server, which is not usually done; ntpq is primarily used against the local ntpd on localhost. As remote code execution vulnerabilities go, this is one of the more benign.
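To make the "crafted array" in the description concrete, here is an added illustration (not ntp's source, and not the project's fix) of the parsing pattern behind the bug. A mode 6 reply carries values such as a brace-delimited list of numbers; the parser copies each token into a fixed stack buffer before converting it. The unchecked copy is the vulnerable shape; the bounded copy is the shape of a fix. The function names, the 60-byte buffer, the 8-entry limit and the sample reply are all assumptions chosen for the illustration.

```c
/* Added illustration of the decodearr()-style bug behind CVE-2018-7183.
 * Not ntp's code: names, sizes and the sample reply are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARR  8    /* assumed: entries accepted per array value */
#define TOK_BUF  60   /* assumed: per-token scratch buffer on the stack */

/* Vulnerable shape: a token is copied until whitespace, comma, '}' or
 * NUL with no bound on buf.  A reply whose token is >= TOK_BUF bytes
 * long writes past the end of the stack buffer.  Never feed this
 * untrusted input; it exists only to show the pattern. */
static int decodearr_unchecked(const char *str, int *narr, double *arr)
{
    char buf[TOK_BUF];
    const char *cp = str;
    *narr = 0;
    if (*cp == '{')
        cp++;
    while (*narr < MAX_ARR) {
        while (isspace((unsigned char)*cp) || *cp == ',')
            cp++;
        if (*cp == '\0' || *cp == '}')
            break;
        char *bp = buf;
        while (!isspace((unsigned char)*cp) && *cp != ',' &&
               *cp != '\0' && *cp != '}')
            *bp++ = *cp++;          /* no check against buf + TOK_BUF */
        *bp = '\0';
        char *end;
        arr[*narr] = strtod(buf, &end);
        if (end == buf || *end != '\0')
            return 0;               /* token is not a number */
        (*narr)++;
    }
    return 1;
}

/* Hardened shape: identical parsing, but the copy stops and the whole
 * reply is rejected as soon as a token would not fit in buf. */
static int decodearr_checked(const char *str, int *narr, double *arr)
{
    char buf[TOK_BUF];
    const char *cp = str;
    *narr = 0;
    if (*cp == '{')
        cp++;
    while (*narr < MAX_ARR) {
        while (isspace((unsigned char)*cp) || *cp == ',')
            cp++;
        if (*cp == '\0' || *cp == '}')
            break;
        char *bp = buf;
        while (!isspace((unsigned char)*cp) && *cp != ',' &&
               *cp != '\0' && *cp != '}') {
            if (bp >= buf + sizeof buf - 1)
                return 0;           /* overlong token: refuse the reply */
            *bp++ = *cp++;
        }
        *bp = '\0';
        char *end;
        arr[*narr] = strtod(buf, &end);
        if (end == buf || *end != '\0')
            return 0;
        (*narr)++;
    }
    return 1;
}

/* Sum of the decoded entries, or -1.0 if the decoder rejected the reply. */
static double sum_entries(int (*decode)(const char *, int *, double *),
                          const char *reply)
{
    double arr[MAX_ARR];
    int n;
    if (!decode(reply, &n, arr))
        return -1.0;
    double s = 0.0;
    for (int i = 0; i < n; i++)
        s += arr[i];
    return s;
}

/* Build a constructed reply value "{ <toklen digits> }" and run the
 * checked decoder on it; returns its verdict (1 accept, 0 reject). */
static int checked_accepts_token_of_len(size_t toklen)
{
    char reply[512];
    double arr[MAX_ARR];
    int n;
    if (toklen + 5 > sizeof reply)
        return -1;
    reply[0] = '{';
    reply[1] = ' ';
    memset(reply + 2, '9', toklen);
    reply[2 + toklen] = ' ';
    reply[3 + toklen] = '}';
    reply[4 + toklen] = '\0';
    return decodearr_checked(reply, &n, arr);
}

int main(void)
{
    const char *good = "{ 1.5, 2.25, 3 }";   /* constructed benign reply value */
    printf("checked sum   = %g\n", sum_entries(decodearr_checked, good));
    printf("unchecked sum = %g\n", sum_entries(decodearr_unchecked, good));
    printf("59-byte token accepted: %d\n", checked_accepts_token_of_len(59));
    printf("60-byte token accepted: %d\n", checked_accepts_token_of_len(60));
    printf("200-byte token accepted: %d\n", checked_accepts_token_of_len(200));
    return 0;
}
```

The two decoders behave identically on a well-formed reply; they differ only on a token of TOK_BUF bytes or more, which the checked version refuses and the unchecked version writes through the end of its stack buffer. That single missing comparison is the whole vulnerability class here, and it sits on the client side, which is why the exposure depends on which server ntpq is pointed at.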
Some of the distribution images we provide contained packages with the vulnerability. All of our Ubuntu images have been rebuilt and now contain fixed versions. Debian Stretch has not yet updated its ntp package, so the package in our Stretch image still contains the bug. Debian’s security tracker marks Debian Jessie as affected, but the ntp version shipped in Jessie is outside the range named in this CVE (4.2.8p6 through 4.2.8p10). Suffice it to say, we’ll update our images when Debian does.