Amazon Linux AMI update for docker



Published: 2019-11-07
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2019-13139
CVE-2019-13509
CWE-ID CWE-77
CWE-532
Exploitation vector Local
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe
Amazon Linux AMI
Operating systems & Components / Operating system

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Command Injection

EUVDB-ID: #VU20954

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-13139

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a local attacker to inject and execute arbitrary commands on the target system.

The vulnerability exists due to the affected software misinterprets the "git ref" command as a flag. A local authenticated user who is able to execute the "docker build" command and has control over the build path can inject and execute arbitrary commands on the target system.

Mitigation

Update the affected packages:

src:
    docker-18.09.9ce-2.52.amzn1.src

x86_64:
    docker-debuginfo-18.09.9ce-2.52.amzn1.x86_64
    docker-18.09.9ce-2.52.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1316.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Inclusion of Sensitive Information in Log Files

EUVDB-ID: #VU19390

Risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13509

CWE-ID: CWE-532 - Information Exposure Through Log Files

Exploit availability: No

Description

The vulnerability allows a local attacker to access sensitive information on a targeted system.

The vulnerability exists due to the software can add secrets to the debug log when the "docker stack deploy" command is used while running in debug mode to redeploy a stack which includes non-external secrets. A local authenticated attacker can gain access to sensitive information, such as secrets in the log files on a targeted system.

Mitigation

Update the affected packages:

src:
    docker-18.09.9ce-2.52.amzn1.src

x86_64:
    docker-debuginfo-18.09.9ce-2.52.amzn1.x86_64
    docker-18.09.9ce-2.52.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1316.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###