SB2013030201 - Amazon Linux AMI update for kernel

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2012-4398)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 does not set a certain killable attribute, which allows local users to cause a denial of service (memory consumption) via a crafted application.

2) Input validation error (CVE-ID: CVE-2012-4461)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The KVM subsystem in the Linux kernel before 3.6.9, when running on hosts that use qemu userspace without XSAVE, allows local users to cause a denial of service (kernel OOPS) by using the KVM_SET_SREGS ioctl to set the X86_CR4_OSXSAVE bit in the guest cr4 register, then calling the KVM_RUN ioctl.

3) Information disclosure (CVE-ID: CVE-2012-4530)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.

4) Race condition (CVE-ID: CVE-2013-0871)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.

Remediation

Install update from vendor's website.

References

• https://alas.aws.amazon.com/ALAS-2013-166.html