Risk | High |
Patch available | YES |
Number of vulnerabilities | 16 |
CVE-ID | CVE-2017-11102 CVE-2017-11139 CVE-2017-11140 CVE-2017-11636 CVE-2017-11637 CVE-2017-11641 CVE-2017-11643 CVE-2017-13147 CVE-2017-16353 CVE-2017-16669 CVE-2017-17782 CVE-2017-17783 CVE-2017-17912 CVE-2017-17913 CVE-2017-17915 CVE-2018-5685 |
CWE-ID | CWE-20 CWE-415 CWE-400 CWE-119 CWE-476 CWE-401 CWE-122 CWE-125 CWE-835 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #9 is available. |
Vulnerable software Subscribe |
Amazon Linux AMI Operating systems & Components / Operating system |
Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 16 vulnerabilities.
EUVDB-ID: #VU33188
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11102
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The ReadOneJNGImage function in coders/png.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (application crash) during JNG reading via a zero-length color_image data structure.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU33189
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11139
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
GraphicsMagick 1.3.26 has double free vulnerabilities in the ReadOneJNGImage() function in coders/png.c.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU33190
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11140
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.
The ReadJPEGImage function in coders/jpeg.c in GraphicsMagick 1.3.26 creates a pixel cache before a successful read of a scanline, which allows remote attackers to cause a denial of service (resource consumption) via crafted JPEG files.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU33192
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11636
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
GraphicsMagick 1.3.26 has a heap overflow in the WriteRGBImage() function in coders/rgb.c when processing multiple frames that have non-identical widths.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU33193
Risk: High
CVSSv3.1: 8.5 [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11637
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the WritePCLImage() function in coders/pcl.c during writes of monochrome images. A remote attacker can perform a denial of service (DoS) attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12712
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11641
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the PersistCache function in magick/pixel_cache.c due to memory leak during writing of Magick Persistent Cache (MPC) files. A remote attacker can trigger memory corruption and cause the service to crash.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU33195
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11643
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
GraphicsMagick 1.3.26 has a heap overflow in the WriteCMYKImage() function in coders/cmyk.c when processing multiple frames that have non-identical widths.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU33200
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-13147
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
In GraphicsMagick 1.3.26, an allocation failure vulnerability was found in the function ReadMNGImage in coders/png.c when a small MNG file has a MEND chunk with a large length value.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU11815
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-16353
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in the DescribeImage function of the magick/describe.c file due to heap-based buffer over-read because the portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image and out-of-bounds buffer dereference because certain increments are never checked. A remote attacker can trick the victim into opening a specially crafted MIFF file and gain access to potentially sensitive information.
Update the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU9814
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-16669
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to heap-based buffer overflow in coders/wpg.c. A remote attacker can provide a specially crafted file, related to the AcquireCacheNexus function in magick/pixel_cache.c, trigger memory corruption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU33212
Risk: High
CVSSv3.1: 7.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-17782
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in ReadOneJNGImage in coders/png.c, related to oFFs chunk allocation. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU33213
Risk: Medium
CVSSv3.1: 6.5 [AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-17783
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to buffer over-read in ReadPALMImage in coders/palm.c when QuantumDepth is 8. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU10309
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-17912
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in ReadNewsProfile in coders/tiff.c, in which LocaleNCompare reads heap data beyond the allocated region. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU10308
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-17913
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to stack-based buffer over-read in WriteWEBPImage in coders/webp.c, related to an incompatibility with libwebp versions, 0.5.0 and later, that use a different structure type. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU37725
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-17915
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in ReadMNGImage in coders/png.c, related to accessing one byte before testing whether a limit has been reached. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU33215
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5685
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In GraphicsMagick 1.3.27, there is an infinite loop and application hang in the ReadBMPImage function (coders/bmp.c). Remote attackers could leverage this vulnerability to cause a denial of service via an image file with a crafted bit-field mask value.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
GraphicsMagick-c++-1.3.28-1.12.amzn1.i686
GraphicsMagick-1.3.28-1.12.amzn1.i686
GraphicsMagick-devel-1.3.28-1.12.amzn1.i686
GraphicsMagick-perl-1.3.28-1.12.amzn1.i686
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686
noarch:
GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch
src:
GraphicsMagick-1.3.28-1.12.amzn1.src
x86_64:
GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64
GraphicsMagick-1.3.28-1.12.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2018-966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.