Amazon Linux AMI update for python34, python35



Published: 2020-09-01
Risk: Medium
Patch available: YES
Number of vulnerabilities: 5
CVE-ID: CVE-2016-10739, CVE-2019-18348, CVE-2019-20907, CVE-2019-9740, CVE-2019-9947
CWE-ID: CWE-20, CWE-74, CWE-835, CWE-93
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #5 is available.
Vulnerable software: Amazon Linux AMI (Operating systems & Components / Operating system)
Vendor: Amazon Web Services

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU17105

Risk: Low

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-10739

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists because the getaddrinfo() function accepts an IPv4 address followed by whitespace and arbitrary characters and treats this input as a correct IPv4 address. Software that accepts input from the getaddrinfo() function may incorrectly assume that the function returns an IPv4 address only. As a result, a remote attacker can inject arbitrary data into the IPv4 address and change the behavior of an application that relies on getaddrinfo() output (e.g., inject HTTP headers or other potentially dangerous strings).


Mitigation

Update the affected packages:

i686:
    python34-debuginfo-3.4.10-1.51.amzn1.i686
    python34-devel-3.4.10-1.51.amzn1.i686
    python34-libs-3.4.10-1.51.amzn1.i686
    python34-tools-3.4.10-1.51.amzn1.i686
    python34-test-3.4.10-1.51.amzn1.i686
    python34-3.4.10-1.51.amzn1.i686
    python35-test-3.5.9-1.27.amzn1.i686
    python35-debuginfo-3.5.9-1.27.amzn1.i686
    python35-libs-3.5.9-1.27.amzn1.i686
    python35-devel-3.5.9-1.27.amzn1.i686
    python35-tools-3.5.9-1.27.amzn1.i686
    python35-3.5.9-1.27.amzn1.i686

src:
    python34-3.4.10-1.51.amzn1.src
    python35-3.5.9-1.27.amzn1.src

x86_64:
    python34-test-3.4.10-1.51.amzn1.x86_64
    python34-3.4.10-1.51.amzn1.x86_64
    python34-devel-3.4.10-1.51.amzn1.x86_64
    python34-libs-3.4.10-1.51.amzn1.x86_64
    python34-tools-3.4.10-1.51.amzn1.x86_64
    python34-debuginfo-3.4.10-1.51.amzn1.x86_64
    python35-devel-3.5.9-1.27.amzn1.x86_64
    python35-debuginfo-3.5.9-1.27.amzn1.x86_64
    python35-test-3.5.9-1.27.amzn1.x86_64
    python35-libs-3.5.9-1.27.amzn1.x86_64
    python35-3.5.9-1.27.amzn1.x86_64
    python35-tools-3.5.9-1.27.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1429.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) CRLF injection

EUVDB-ID: #VU31958

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18348

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)

Mitigation

Update the affected packages:

i686:
    python34-debuginfo-3.4.10-1.51.amzn1.i686
    python34-devel-3.4.10-1.51.amzn1.i686
    python34-libs-3.4.10-1.51.amzn1.i686
    python34-tools-3.4.10-1.51.amzn1.i686
    python34-test-3.4.10-1.51.amzn1.i686
    python34-3.4.10-1.51.amzn1.i686
    python35-test-3.5.9-1.27.amzn1.i686
    python35-debuginfo-3.5.9-1.27.amzn1.i686
    python35-libs-3.5.9-1.27.amzn1.i686
    python35-devel-3.5.9-1.27.amzn1.i686
    python35-tools-3.5.9-1.27.amzn1.i686
    python35-3.5.9-1.27.amzn1.i686

src:
    python34-3.4.10-1.51.amzn1.src
    python35-3.5.9-1.27.amzn1.src

x86_64:
    python34-test-3.4.10-1.51.amzn1.x86_64
    python34-3.4.10-1.51.amzn1.x86_64
    python34-devel-3.4.10-1.51.amzn1.x86_64
    python34-libs-3.4.10-1.51.amzn1.x86_64
    python34-tools-3.4.10-1.51.amzn1.x86_64
    python34-debuginfo-3.4.10-1.51.amzn1.x86_64
    python35-devel-3.5.9-1.27.amzn1.x86_64
    python35-debuginfo-3.5.9-1.27.amzn1.x86_64
    python35-test-3.5.9-1.27.amzn1.x86_64
    python35-libs-3.5.9-1.27.amzn1.x86_64
    python35-3.5.9-1.27.amzn1.x86_64
    python35-tools-3.5.9-1.27.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1429.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Infinite loop

EUVDB-ID: #VU32881

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-20907

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop in Lib/tarfile.py in Python. A remote attacker can create a specially crafted TAR archive that leads to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Mitigation

Update the affected packages:

i686:
    python34-debuginfo-3.4.10-1.51.amzn1.i686
    python34-devel-3.4.10-1.51.amzn1.i686
    python34-libs-3.4.10-1.51.amzn1.i686
    python34-tools-3.4.10-1.51.amzn1.i686
    python34-test-3.4.10-1.51.amzn1.i686
    python34-3.4.10-1.51.amzn1.i686
    python35-test-3.5.9-1.27.amzn1.i686
    python35-debuginfo-3.5.9-1.27.amzn1.i686
    python35-libs-3.5.9-1.27.amzn1.i686
    python35-devel-3.5.9-1.27.amzn1.i686
    python35-tools-3.5.9-1.27.amzn1.i686
    python35-3.5.9-1.27.amzn1.i686

src:
    python34-3.4.10-1.51.amzn1.src
    python35-3.5.9-1.27.amzn1.src

x86_64:
    python34-test-3.4.10-1.51.amzn1.x86_64
    python34-3.4.10-1.51.amzn1.x86_64
    python34-devel-3.4.10-1.51.amzn1.x86_64
    python34-libs-3.4.10-1.51.amzn1.x86_64
    python34-tools-3.4.10-1.51.amzn1.x86_64
    python34-debuginfo-3.4.10-1.51.amzn1.x86_64
    python35-devel-3.5.9-1.27.amzn1.x86_64
    python35-debuginfo-3.5.9-1.27.amzn1.x86_64
    python35-test-3.5.9-1.27.amzn1.x86_64
    python35-libs-3.5.9-1.27.amzn1.x86_64
    python35-3.5.9-1.27.amzn1.x86_64
    python35-tools-3.5.9-1.27.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1429.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) CRLF injection

EUVDB-ID: #VU18829

Risk: Medium

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-9740

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform CRLF injection attacks.

The vulnerability exists within the urllib2 implementation for Python 2.x and the urllib3 implementation for Python 3.x when processing the path component of a URL after the "?" character within the urllib.request.urlopen() call. A remote attacker able to control the URL passed to the application can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into the request made by the application.

Mitigation

Update the affected packages:

i686:
    python34-debuginfo-3.4.10-1.51.amzn1.i686
    python34-devel-3.4.10-1.51.amzn1.i686
    python34-libs-3.4.10-1.51.amzn1.i686
    python34-tools-3.4.10-1.51.amzn1.i686
    python34-test-3.4.10-1.51.amzn1.i686
    python34-3.4.10-1.51.amzn1.i686
    python35-test-3.5.9-1.27.amzn1.i686
    python35-debuginfo-3.5.9-1.27.amzn1.i686
    python35-libs-3.5.9-1.27.amzn1.i686
    python35-devel-3.5.9-1.27.amzn1.i686
    python35-tools-3.5.9-1.27.amzn1.i686
    python35-3.5.9-1.27.amzn1.i686

src:
    python34-3.4.10-1.51.amzn1.src
    python35-3.5.9-1.27.amzn1.src

x86_64:
    python34-test-3.4.10-1.51.amzn1.x86_64
    python34-3.4.10-1.51.amzn1.x86_64
    python34-devel-3.4.10-1.51.amzn1.x86_64
    python34-libs-3.4.10-1.51.amzn1.x86_64
    python34-tools-3.4.10-1.51.amzn1.x86_64
    python34-debuginfo-3.4.10-1.51.amzn1.x86_64
    python35-devel-3.5.9-1.27.amzn1.x86_64
    python35-debuginfo-3.5.9-1.27.amzn1.x86_64
    python35-test-3.5.9-1.27.amzn1.x86_64
    python35-libs-3.5.9-1.27.amzn1.x86_64
    python35-3.5.9-1.27.amzn1.x86_64
    python35-tools-3.5.9-1.27.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1429.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

5) CRLF injection

EUVDB-ID: #VU18828

Risk: Medium

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-9947

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform CRLF injection attacks.

The vulnerability exists within the urllib2 implementation for Python 2.x and the urllib3 implementation for Python 3.x when processing the path component of a URL that lacks the "?" character within the urllib.request.urlopen() call. A remote attacker able to control the URL passed to the application can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into the request made by the application.
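The three CRLF injection entries in this bulletin (vulnerabilities 2, 4 and 5) differ only in which URL component carries the CRLF sequence: host, query string or path. The following added example, which is not part of the bulletin or of Python itself, is an application-side check to run on externally supplied URLs before urllib.request.urlopen(), useful on hosts that cannot be updated immediately. The names check_outbound_url, unsafe_component and UnsafeURL are hypothetical, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# ASCII control characters (CR and LF included), space and DEL. None of them
# may appear unencoded in a URL that will be written into an HTTP request.
_UNSAFE = re.compile(r"[\x00-\x20\x7f]")

# Component -> CVE from this bulletin describing injection through it.
CVE_BY_COMPONENT = {
    "host": "CVE-2019-18348",
    "query": "CVE-2019-9740",
    "path": "CVE-2019-9947",
}


class UnsafeURL(ValueError):
    """The URL could alter the HTTP request it is used to build."""


def unsafe_component(url):
    """Return 'host', 'path' or 'query' for the first unsafe character, else None."""
    match = _UNSAFE.search(url)
    if match is None:
        return None
    # Look only at what precedes the bad character, minus the scheme.
    seen = url[:match.start()].split("://", 1)[-1]
    if "?" in seen:
        return "query"
    return "path" if "/" in seen else "host"


def check_outbound_url(url, allowed_schemes=("http", "https")):
    """Return url unchanged if it is safe to pass to urllib.request.urlopen()."""
    # Inspect the raw string: recent Python releases strip tab, CR and LF
    # inside urlsplit(), which would hide them from a per-component check.
    component = unsafe_component(url)
    if component is not None:
        raise UnsafeURL("unsafe character in %s (compare %s)"
                        % (component, CVE_BY_COMPONENT[component]))
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes or not parts.hostname:
        raise UnsafeURL("scheme or host not acceptable")
    return url


if __name__ == "__main__":
    # Constructed sample inputs; example.test is a reserved test domain.
    for sample in ("https://example.test/a?b=1",
                   "http://example.test/a\r\nX-Injected: 1"):
        print(repr(sample), "->", unsafe_component(sample))
```

Rejecting whitespace in the host also covers the input shape described for CVE-2016-10739, an IPv4 address followed by whitespace and further characters.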

Mitigation

Update the affected packages:

i686:
    python34-debuginfo-3.4.10-1.51.amzn1.i686
    python34-devel-3.4.10-1.51.amzn1.i686
    python34-libs-3.4.10-1.51.amzn1.i686
    python34-tools-3.4.10-1.51.amzn1.i686
    python34-test-3.4.10-1.51.amzn1.i686
    python34-3.4.10-1.51.amzn1.i686
    python35-test-3.5.9-1.27.amzn1.i686
    python35-debuginfo-3.5.9-1.27.amzn1.i686
    python35-libs-3.5.9-1.27.amzn1.i686
    python35-devel-3.5.9-1.27.amzn1.i686
    python35-tools-3.5.9-1.27.amzn1.i686
    python35-3.5.9-1.27.amzn1.i686

src:
    python34-3.4.10-1.51.amzn1.src
    python35-3.5.9-1.27.amzn1.src

x86_64:
    python34-test-3.4.10-1.51.amzn1.x86_64
    python34-3.4.10-1.51.amzn1.x86_64
    python34-devel-3.4.10-1.51.amzn1.x86_64
    python34-libs-3.4.10-1.51.amzn1.x86_64
    python34-tools-3.4.10-1.51.amzn1.x86_64
    python34-debuginfo-3.4.10-1.51.amzn1.x86_64
    python35-devel-3.5.9-1.27.amzn1.x86_64
    python35-debuginfo-3.5.9-1.27.amzn1.x86_64
    python35-test-3.5.9-1.27.amzn1.x86_64
    python35-libs-3.5.9-1.27.amzn1.x86_64
    python35-3.5.9-1.27.amzn1.x86_64
    python35-tools-3.5.9-1.27.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1429.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


