Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2019-19062 CVE-2019-19332 |
CWE-ID | CWE-401 CWE-787 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software Subscribe |
Amazon Linux AMI Operating systems & Components / Operating system |
Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU23019
Risk: Low
CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-19062
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the "crypto_report()" function in "crypto/crypto_user_base.c" file. A local attacker can cause a denial of service condition (memory consumption) by triggering "crypto_report_alg()" failures.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
kernel-debuginfo-common-i686-4.14.165-102.185.amzn1.i686
kernel-debuginfo-4.14.165-102.185.amzn1.i686
kernel-headers-4.14.165-102.185.amzn1.i686
kernel-tools-4.14.165-102.185.amzn1.i686
kernel-devel-4.14.165-102.185.amzn1.i686
perf-debuginfo-4.14.165-102.185.amzn1.i686
kernel-tools-devel-4.14.165-102.185.amzn1.i686
perf-4.14.165-102.185.amzn1.i686
kernel-4.14.165-102.185.amzn1.i686
kernel-tools-debuginfo-4.14.165-102.185.amzn1.i686
src:
kernel-4.14.165-102.185.amzn1.src
x86_64:
kernel-4.14.165-102.185.amzn1.x86_64
kernel-debuginfo-4.14.165-102.185.amzn1.x86_64
kernel-tools-4.14.165-102.185.amzn1.x86_64
kernel-devel-4.14.165-102.185.amzn1.x86_64
perf-debuginfo-4.14.165-102.185.amzn1.x86_64
kernel-headers-4.14.165-102.185.amzn1.x86_64
kernel-tools-debuginfo-4.14.165-102.185.amzn1.x86_64
perf-4.14.165-102.185.amzn1.x86_64
kernel-debuginfo-common-x86_64-4.14.165-102.185.amzn1.x86_64
kernel-tools-devel-4.14.165-102.185.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2020-1338.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU28404
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-19332
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to damange or delete data.
An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
kernel-debuginfo-common-i686-4.14.165-102.185.amzn1.i686
kernel-debuginfo-4.14.165-102.185.amzn1.i686
kernel-headers-4.14.165-102.185.amzn1.i686
kernel-tools-4.14.165-102.185.amzn1.i686
kernel-devel-4.14.165-102.185.amzn1.i686
perf-debuginfo-4.14.165-102.185.amzn1.i686
kernel-tools-devel-4.14.165-102.185.amzn1.i686
perf-4.14.165-102.185.amzn1.i686
kernel-4.14.165-102.185.amzn1.i686
kernel-tools-debuginfo-4.14.165-102.185.amzn1.i686
src:
kernel-4.14.165-102.185.amzn1.src
x86_64:
kernel-4.14.165-102.185.amzn1.x86_64
kernel-debuginfo-4.14.165-102.185.amzn1.x86_64
kernel-tools-4.14.165-102.185.amzn1.x86_64
kernel-devel-4.14.165-102.185.amzn1.x86_64
perf-debuginfo-4.14.165-102.185.amzn1.x86_64
kernel-headers-4.14.165-102.185.amzn1.x86_64
kernel-tools-debuginfo-4.14.165-102.185.amzn1.x86_64
perf-4.14.165-102.185.amzn1.x86_64
kernel-debuginfo-common-x86_64-4.14.165-102.185.amzn1.x86_64
kernel-tools-devel-4.14.165-102.185.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2020-1338.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.