Re: Linux is more than just distros
I'd argue that one of the features of an 'appliance' is that it's a self-contained image that is typically supported solely by its vendor - e.g. it might have CentOS or a completely custom build under the hood, but you're not supposed to really 'care' nor tinker with the underlying OS - you get your patches/image updates from the appliance vendor and that's that.
Of course, in reality you end up with legacy appliances that are no longer supported by the vendor... Aside from the fact that it's now time to replace them with supported ones, you do, unfortunately, have a problem to solve yourself.
I don't think Linux can be blamed, however, for your self-admitted complex, uncontrolled environment. That sounds much more down to poor planning and management. (I'm also presuming, by the fact you're owning up to having a mess, that you're the poor person who inherited it. You have my sympathy!)
Although there's a huge number of Linux distros, there aren't really so many that you're likely to see in a business setting - I'm sure there will be edge cases, but it's likely to be mainly RHEL/CentOS with maybe a bit of Ubuntu or Debian thrown in. But sudo goes beyond Linux - it's available (although not necessarily bundled) on at least Solaris and BSD as well. I don't know, but I'd hazard an educated guess that it also comes with WSL on Windows too.
I bet you've got something still hosted on Windows 2003 or older - what do you do about new CVEs that affect that? After all, you're on your own - MS has ended support and they own the code, so often nobody in the community can help with a fix.
At least with sudo, even if you had to compile it yourself, it _could_ feasibly be updated on all of your legacy systems no matter how old and unsupported they are...
There's potentially a saving grace with this bug because in order to use sudo you first need to be logged into a shell as an unprivileged user, which is hopefully not something that's open to many people on your appliances. The write-up also says that this vulnerability affects systems using the 'default configuration' which implies that you might be able to mitigate this hack through a config change.
There's a massive collection of tools for Linux, both free and paid, which will scan your estate for vulnerabilities and/or help you manage these machines. I don't think Windows is unique in this, and I'd go so far as to say it still lags behind in the automated configuration management game.
The point here is that all OSes are vulnerable to security bugs; not all handle patching them as well, and some are more prone to flaws than others. 'Appliances' have to use an OS of some kind, and be it something really low level like VxWorks, embedded Linux/Windows, or a full version of OS/2, BSD, Solaris, Linux or Windows (undoubtedly plus others), they will all fall prey to bugs from time to time and will all need patches.
Now is definitely not the time to be blaming fragmentation in the Linux ecosystem. You, Sir (or madam, for I make no assumptions here), have the onerous task of trying to discover what's actually running in your estate and prioritise updates to systems which are most at risk from being exploited. Good luck! (And I do mean that sincerely).
I shall be doing similar as a top priority in the morning, although I believe my team and I are fortunate to be starting out knowing exactly what kit we're dealing with. We apply security updates automatically, so it should be a case of checking we're already patched and then dealing with the few stragglers, but let's wait and see.
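As an added example, not part of the comment above or of any vendor's tooling: a POSIX shell check of the kind the last paragraph describes, parsing the output of `sudo --version` and comparing the installed version against a fixed version so that the "stragglers" can be listed. The fixed version (`FIXED_SUDO_VERSION`) is a placeholder assumption and must be taken from the advisory for the bug actually being discussed; the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: report whether the installed sudo is at or above a fixed
# version. FIXED_SUDO_VERSION is a PLACEHOLDER assumption; set it from the
# advisory for the bug you are tracking (e.g. FIXED_SUDO_VERSION=1.x.y ./check.sh).
FIXED_SUDO_VERSION="${FIXED_SUDO_VERSION:-1.9.5p2}"

# Pull the version out of `sudo --version` text. The first line looks like
# "Sudo version 1.8.31" or "Sudo version 1.9.5p2" (sudo's "pN" patch suffix).
parse_sudo_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Sudo version \([0-9][0-9A-Za-z.]*\).*/\1/p' \
        | head -n 1
}

# Turn "1.9.5p2" into four numeric fields "1 9 5 2" and "1.8.31" into
# "1 8 31 0" so the fields can be compared numerically.
normalize_version() {
    v=$(printf '%s' "$1" | sed 's/p/./')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Return 0 (true) when version $1 is greater than or equal to version $2.
version_is_at_least() {
    set -- $(normalize_version "$1") $(normalize_version "$2")
    # $1..$4 is the installed version, $5..$8 the required one
    [ "$1" -gt "$5" ] && return 0
    [ "$1" -lt "$5" ] && return 1
    [ "$2" -gt "$6" ] && return 0
    [ "$2" -lt "$6" ] && return 1
    [ "$3" -gt "$7" ] && return 0
    [ "$3" -lt "$7" ] && return 1
    [ "$4" -ge "$8" ]
}

# Classify the text of `sudo --version` as "patched", "needs-update" or
# "unknown" (no parseable version, e.g. sudo is not installed at all).
sudo_patch_status() {
    ver=$(parse_sudo_version "$1")
    if [ -z "$ver" ]; then
        printf 'unknown\n'
    elif version_is_at_least "$ver" "$FIXED_SUDO_VERSION"; then
        printf 'patched\n'
    else
        printf 'needs-update\n'
    fi
}

# Stand-alone use: report on this host. Run the same function over the
# output collected from each machine in your inventory.
if command -v sudo >/dev/null 2>&1; then
    out=$(sudo --version 2>/dev/null)
    printf '%s: sudo %s -> %s\n' "$(uname -n)" \
        "$(parse_sudo_version "$out")" "$(sudo_patch_status "$out")"
fi
```

The comparison deliberately treats sudo's `pN` suffix as a fourth numeric field, so `1.9.5p2` sorts after `1.9.5` and before `1.9.6`; distribution packages that backport the fix without bumping the upstream version will still show as "needs-update" here, so cross-check those against the distro's own package version before declaring them stragglers.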