SB2017083120 - Amazon Linux AMI update for curl
Published: August 31, 2017
Security Bulletin ID
SB2017083120
Severity
Low
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2017-1000099)
The vulnerability allows a local attacker to obtain potentially sensitive information.The weakness exists due to out-of bounds read. A local attacker can load a specially crafted 'file://' URL to cause the curl application to return data from system memory.
Successful exploitation of the vulnerability results in information disclosure.
2) Open redirect (CVE-ID: CVE-2017-1000100)
The vulnerability allows a remote attacker to redirect website visitors to external websites.The weakness exists due to incorrect validation of redirected URL. A remote attacker can redirect the target user's curl request to a TFTP URL with a long filename to cause the target user's curl application to send portions of system memory.
Successful exploitation of the vulnerability results in information disclosure.
3) Out-of-bounds read (CVE-ID: CVE-2017-1000101)
The vulnerability allows a remote attacker to redirect website visitors to external websites.The weakness exists due to out-of-bounds read. A local user can supply a URL containing specially crafted numerical range characters to trigger a heap read error and obtain potentially sensitive information from system memory
Successful exploitation of the vulnerability results in information disclosure.
Remediation
Install update from vendor's website.