SB2016042112 - Amazon Linux AMI update for krb5

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2015-8629)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string.

2) NULL pointer dereference (CVE-ID: CVE-2015-8630)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by specifying KADM5_POLICY with a NULL policy name. <a href="http://cwe.mitre.org/data/definitions/476. A remote attacker can perform a denial of service (DoS) attack.

3) Buffer overflow (CVE-ID: CVE-2015-8631)

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (memory consumption) via a request specifying a NULL principal name.

Remediation

Install update from vendor's website.

References

• https://alas.aws.amazon.com/ALAS-2016-691.html