Amazon Linux AMI update for kernel



Published: 2020-09-03 | Updated: 2020-09-04
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2020-14386
CWE-ID: CWE-787
Exploitation vector: Local
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: Amazon Linux AMI (Operating systems & Components / Operating system)
Vendor: Amazon Web Services

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Out-of-bounds write

EUVDB-ID: #VU47051

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-14386

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: Yes

Description

The vulnerability allows a local privileged user to execute arbitrary code.

A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.

Mitigation

Update the affected packages:

i686:
    kernel-tools-devel-4.14.193-113.317.amzn1.i686
    kernel-4.14.193-113.317.amzn1.i686
    kernel-debuginfo-4.14.193-113.317.amzn1.i686
    perf-debuginfo-4.14.193-113.317.amzn1.i686
    perf-4.14.193-113.317.amzn1.i686
    kernel-tools-4.14.193-113.317.amzn1.i686
    kernel-tools-debuginfo-4.14.193-113.317.amzn1.i686
    kernel-debuginfo-common-i686-4.14.193-113.317.amzn1.i686
    kernel-devel-4.14.193-113.317.amzn1.i686
    kernel-headers-4.14.193-113.317.amzn1.i686

src:
    kernel-4.14.193-113.317.amzn1.src

x86_64:
    kernel-tools-4.14.193-113.317.amzn1.x86_64
    kernel-debuginfo-4.14.193-113.317.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.193-113.317.amzn1.x86_64
    kernel-4.14.193-113.317.amzn1.x86_64
    kernel-headers-4.14.193-113.317.amzn1.x86_64
    perf-4.14.193-113.317.amzn1.x86_64
    kernel-tools-devel-4.14.193-113.317.amzn1.x86_64
    perf-debuginfo-4.14.193-113.317.amzn1.x86_64
    kernel-tools-debuginfo-4.14.193-113.317.amzn1.x86_64
    kernel-devel-4.14.193-113.317.amzn1.x86_64
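
To confirm that a host is actually on the fixed build, the sketch below compares a kernel release string with the fixed version from the package list above. It is an added example, not part of the bulletin or of any AWS tooling; the function names are hypothetical, and it assumes GNU `sort -V` orders these release strings the same way RPM does.

```shell
#!/bin/sh
# Added example: compare an Amazon Linux AMI (amzn1) kernel release with the
# fixed build listed in this bulletin.
FIXED="4.14.193-113.317.amzn1"   # taken from the package list above

# kernel_is_fixed RELEASE
#   returns 0 = at or above the fixed build, 1 = older, 2 = not an amzn1 kernel
kernel_is_fixed() {
    rel=${1%.x86_64}             # drop the arch suffix that uname -r appends
    rel=${rel%.i686}
    case "$rel" in
        *.amzn1) ;;
        *) return 2 ;;           # other distribution: bulletin does not apply
    esac
    [ "$rel" = "$FIXED" ] && return 0
    # Assumption: sort -V (GNU coreutils) approximates RPM version ordering.
    lowest=$(printf '%s\n%s\n' "$rel" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# verdict RELEASE: prints fixed, vulnerable or not-applicable
verdict() {
    rc=0
    kernel_is_fixed "$1" || rc=$?
    case $rc in
        0) echo fixed ;;
        1) echo vulnerable ;;
        *) echo not-applicable ;;
    esac
}

# check_host: report the running kernel and every installed kernel package.
# The running kernel is what matters; an updated RPM takes effect after reboot.
check_host() {
    echo "running:   $(uname -r) -> $(verdict "$(uname -r)")"
    rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel 2>/dev/null |
    while read -r pkg; do
        echo "installed: $pkg -> $(verdict "$pkg")"
    done
}

# Run the host check only when asked, e.g.: sh check-kernel.sh --host
if [ "${1:-}" = "--host" ]; then check_host; fi
```

A host that shows a fixed installed package but a vulnerable running kernel has been updated and not yet rebooted.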

Vulnerable software versions

Amazon Linux AMI: All versions


External links

http://alas.aws.amazon.com/ALAS-2020-1430.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


