Amazon Linux AMI update for kernel



Risk Medium
Patch available YES
Number of vulnerabilities 9
CVE-ID CVE-2021-20322
CVE-2021-28711
CVE-2021-28712
CVE-2021-28713
CVE-2021-28714
CVE-2021-28715
CVE-2021-3772
CVE-2021-4002
CVE-2021-4155
CWE-ID CWE-330
CWE-400
CWE-404
CWE-345
CWE-401
CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software
Amazon Linux AMI
Operating systems & Components / Operating system

kernel
Operating systems & Components / Operating system package or component

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

1) Use of insufficiently random values

EUVDB-ID: #VU63839

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20322

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error when processing received ICMP errors. A remote attacker can effectively bypass the source port UDP randomization to gain access to sensitive information.

Mitigation

Update the affected packages:

i686:
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.i686
    perf-debuginfo-4.14.262-135.486.amzn1.i686
    kernel-headers-4.14.262-135.486.amzn1.i686
    kernel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-common-i686-4.14.262-135.486.amzn1.i686
    kernel-devel-4.14.262-135.486.amzn1.i686
    kernel-tools-devel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-4.14.262-135.486.amzn1.i686
    perf-4.14.262-135.486.amzn1.i686
    kernel-tools-4.14.262-135.486.amzn1.i686

src:
    kernel-4.14.262-135.486.amzn1.src

x86_64:
    kernel-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.262-135.486.amzn1.x86_64
    perf-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-4.14.262-135.486.amzn1.x86_64
    kernel-tools-4.14.262-135.486.amzn1.x86_64
    kernel-headers-4.14.262-135.486.amzn1.x86_64
    kernel-tools-devel-4.14.262-135.486.amzn1.x86_64
    perf-4.14.262-135.486.amzn1.x86_64
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-devel-4.14.262-135.486.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

kernel: before 4.14.262-135.486

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2023-1688.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Resource exhaustion

EUVDB-ID: #VU63563

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-28711

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper limits for number of events driver domains could send to other guest VMs. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.i686
    perf-debuginfo-4.14.262-135.486.amzn1.i686
    kernel-headers-4.14.262-135.486.amzn1.i686
    kernel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-common-i686-4.14.262-135.486.amzn1.i686
    kernel-devel-4.14.262-135.486.amzn1.i686
    kernel-tools-devel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-4.14.262-135.486.amzn1.i686
    perf-4.14.262-135.486.amzn1.i686
    kernel-tools-4.14.262-135.486.amzn1.i686

src:
    kernel-4.14.262-135.486.amzn1.src

x86_64:
    kernel-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.262-135.486.amzn1.x86_64
    perf-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-4.14.262-135.486.amzn1.x86_64
    kernel-tools-4.14.262-135.486.amzn1.x86_64
    kernel-headers-4.14.262-135.486.amzn1.x86_64
    kernel-tools-devel-4.14.262-135.486.amzn1.x86_64
    perf-4.14.262-135.486.amzn1.x86_64
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-devel-4.14.262-135.486.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

kernel: before 4.14.262-135.486

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2023-1688.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Resource exhaustion

EUVDB-ID: #VU63564

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-28712

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper limits for number of events driver domains could send to other guest VMs. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.i686
    perf-debuginfo-4.14.262-135.486.amzn1.i686
    kernel-headers-4.14.262-135.486.amzn1.i686
    kernel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-common-i686-4.14.262-135.486.amzn1.i686
    kernel-devel-4.14.262-135.486.amzn1.i686
    kernel-tools-devel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-4.14.262-135.486.amzn1.i686
    perf-4.14.262-135.486.amzn1.i686
    kernel-tools-4.14.262-135.486.amzn1.i686

src:
    kernel-4.14.262-135.486.amzn1.src

x86_64:
    kernel-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.262-135.486.amzn1.x86_64
    perf-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-4.14.262-135.486.amzn1.x86_64
    kernel-tools-4.14.262-135.486.amzn1.x86_64
    kernel-headers-4.14.262-135.486.amzn1.x86_64
    kernel-tools-devel-4.14.262-135.486.amzn1.x86_64
    perf-4.14.262-135.486.amzn1.x86_64
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-devel-4.14.262-135.486.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

kernel: before 4.14.262-135.486

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2023-1688.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource exhaustion

EUVDB-ID: #VU63565

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-28713

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper limits for number of events driver domains could send to other guest VMs. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.i686
    perf-debuginfo-4.14.262-135.486.amzn1.i686
    kernel-headers-4.14.262-135.486.amzn1.i686
    kernel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-common-i686-4.14.262-135.486.amzn1.i686
    kernel-devel-4.14.262-135.486.amzn1.i686
    kernel-tools-devel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-4.14.262-135.486.amzn1.i686
    perf-4.14.262-135.486.amzn1.i686
    kernel-tools-4.14.262-135.486.amzn1.i686

src:
    kernel-4.14.262-135.486.amzn1.src

x86_64:
    kernel-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.262-135.486.amzn1.x86_64
    perf-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-4.14.262-135.486.amzn1.x86_64
    kernel-tools-4.14.262-135.486.amzn1.x86_64
    kernel-headers-4.14.262-135.486.amzn1.x86_64
    kernel-tools-devel-4.14.262-135.486.amzn1.x86_64
    perf-4.14.262-135.486.amzn1.x86_64
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-devel-4.14.262-135.486.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

kernel: before 4.14.262-135.486

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2023-1688.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper Resource Shutdown or Release

EUVDB-ID: #VU63583

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-28714

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. A remote user can use a UDP connection on a fast interface to trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.i686
    perf-debuginfo-4.14.262-135.486.amzn1.i686
    kernel-headers-4.14.262-135.486.amzn1.i686
    kernel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-common-i686-4.14.262-135.486.amzn1.i686
    kernel-devel-4.14.262-135.486.amzn1.i686
    kernel-tools-devel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-4.14.262-135.486.amzn1.i686
    perf-4.14.262-135.486.amzn1.i686
    kernel-tools-4.14.262-135.486.amzn1.i686

src:
    kernel-4.14.262-135.486.amzn1.src

x86_64:
    kernel-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.262-135.486.amzn1.x86_64
    perf-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-4.14.262-135.486.amzn1.x86_64
    kernel-tools-4.14.262-135.486.amzn1.x86_64
    kernel-headers-4.14.262-135.486.amzn1.x86_64
    kernel-tools-devel-4.14.262-135.486.amzn1.x86_64
    perf-4.14.262-135.486.amzn1.x86_64
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-devel-4.14.262-135.486.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

kernel: before 4.14.262-135.486

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2023-1688.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper Resource Shutdown or Release

EUVDB-ID: #VU63584

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-28715

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. A remote user can use a UDP connection on a fast interface to trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.i686
    perf-debuginfo-4.14.262-135.486.amzn1.i686
    kernel-headers-4.14.262-135.486.amzn1.i686
    kernel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-common-i686-4.14.262-135.486.amzn1.i686
    kernel-devel-4.14.262-135.486.amzn1.i686
    kernel-tools-devel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-4.14.262-135.486.amzn1.i686
    perf-4.14.262-135.486.amzn1.i686
    kernel-tools-4.14.262-135.486.amzn1.i686

src:
    kernel-4.14.262-135.486.amzn1.src

x86_64:
    kernel-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.262-135.486.amzn1.x86_64
    perf-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-4.14.262-135.486.amzn1.x86_64
    kernel-tools-4.14.262-135.486.amzn1.x86_64
    kernel-headers-4.14.262-135.486.amzn1.x86_64
    kernel-tools-devel-4.14.262-135.486.amzn1.x86_64
    perf-4.14.262-135.486.amzn1.x86_64
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-devel-4.14.262-135.486.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

kernel: before 4.14.262-135.486

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2023-1688.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Insufficient verification of data authenticity

EUVDB-ID: #VU63835

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3772

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack (DoS) on the target system.

The vulnerability exists due to insufficient verification of data authenticity in the Linux SCTP stack. A remote attacker can exploit this vulnerability to perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.i686
    perf-debuginfo-4.14.262-135.486.amzn1.i686
    kernel-headers-4.14.262-135.486.amzn1.i686
    kernel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-common-i686-4.14.262-135.486.amzn1.i686
    kernel-devel-4.14.262-135.486.amzn1.i686
    kernel-tools-devel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-4.14.262-135.486.amzn1.i686
    perf-4.14.262-135.486.amzn1.i686
    kernel-tools-4.14.262-135.486.amzn1.i686

src:
    kernel-4.14.262-135.486.amzn1.src

x86_64:
    kernel-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.262-135.486.amzn1.x86_64
    perf-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-4.14.262-135.486.amzn1.x86_64
    kernel-tools-4.14.262-135.486.amzn1.x86_64
    kernel-headers-4.14.262-135.486.amzn1.x86_64
    kernel-tools-devel-4.14.262-135.486.amzn1.x86_64
    perf-4.14.262-135.486.amzn1.x86_64
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-devel-4.14.262-135.486.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

kernel: before 4.14.262-135.486

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2023-1688.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Memory leak

EUVDB-ID: #VU63836

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4002

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due memory leak in the Linux kernel's hugetlbfs memory usage. A local user can force the application to leak memory and gain access to sensitive information.

Mitigation

Update the affected packages:

i686:
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.i686
    perf-debuginfo-4.14.262-135.486.amzn1.i686
    kernel-headers-4.14.262-135.486.amzn1.i686
    kernel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-common-i686-4.14.262-135.486.amzn1.i686
    kernel-devel-4.14.262-135.486.amzn1.i686
    kernel-tools-devel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-4.14.262-135.486.amzn1.i686
    perf-4.14.262-135.486.amzn1.i686
    kernel-tools-4.14.262-135.486.amzn1.i686

src:
    kernel-4.14.262-135.486.amzn1.src

x86_64:
    kernel-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.262-135.486.amzn1.x86_64
    perf-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-4.14.262-135.486.amzn1.x86_64
    kernel-tools-4.14.262-135.486.amzn1.x86_64
    kernel-headers-4.14.262-135.486.amzn1.x86_64
    kernel-tools-devel-4.14.262-135.486.amzn1.x86_64
    perf-4.14.262-135.486.amzn1.x86_64
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-devel-4.14.262-135.486.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

kernel: before 4.14.262-135.486

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2023-1688.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59812

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4155

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to the OS kernel does not impose correctly security restrictions. A local user can gain access to sensitive information on the system.

Mitigation

Update the affected packages:

i686:
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.i686
    perf-debuginfo-4.14.262-135.486.amzn1.i686
    kernel-headers-4.14.262-135.486.amzn1.i686
    kernel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-common-i686-4.14.262-135.486.amzn1.i686
    kernel-devel-4.14.262-135.486.amzn1.i686
    kernel-tools-devel-4.14.262-135.486.amzn1.i686
    kernel-debuginfo-4.14.262-135.486.amzn1.i686
    perf-4.14.262-135.486.amzn1.i686
    kernel-tools-4.14.262-135.486.amzn1.i686

src:
    kernel-4.14.262-135.486.amzn1.src

x86_64:
    kernel-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.262-135.486.amzn1.x86_64
    perf-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-4.14.262-135.486.amzn1.x86_64
    kernel-tools-4.14.262-135.486.amzn1.x86_64
    kernel-headers-4.14.262-135.486.amzn1.x86_64
    kernel-tools-devel-4.14.262-135.486.amzn1.x86_64
    perf-4.14.262-135.486.amzn1.x86_64
    kernel-tools-debuginfo-4.14.262-135.486.amzn1.x86_64
    kernel-devel-4.14.262-135.486.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

kernel: before 4.14.262-135.486

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2023-1688.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###