Amazon Linux AMI update for ImageMagick
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2021-20224 CVE-2021-3574 CVE-2021-4219 CVE-2022-28463 CVE-2022-32545 CVE-2022-32546 CVE-2022-32547 CVE-2022-44267 CVE-2022-44268 |
| CWE-ID | CWE-190 CWE-401 CWE-20 CWE-119 CWE-704 CWE-399 CWE-200 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #8 is available. Public exploit code for vulnerability #9 is available. |
| Vulnerable software Subscribe |
Amazon Linux AMI Operating systems & Components / Operating system ImageMagick Operating systems & Components / Operating system package or component |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Integer overflow
EUVDB-ID: #VU67130
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-20224
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the ExportIndexQuantum() function in MagickCore/quantum-export.c. A remote attacker can pass specially crafted image data to the application, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
ImageMagick-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.i686
ImageMagick-perl-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-6.9.10.68-3.24.amzn1.i686
ImageMagick-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-doc-6.9.10.68-3.24.amzn1.i686
src:
ImageMagick-6.9.10.68-3.24.amzn1.src
x86_64:
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-doc-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-perl-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-c++-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.x86_64
Amazon Linux AMI: All versions
ImageMagick: before 6.9.10.68-3.24
External linkshttp://alas.aws.amazon.com/ALAS-2023-1696.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory leak
EUVDB-ID: #VU68074
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3574
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak when executing a crafted file with the convert command. A remote attacker can force the application to leak memory and perform denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
ImageMagick-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.i686
ImageMagick-perl-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-6.9.10.68-3.24.amzn1.i686
ImageMagick-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-doc-6.9.10.68-3.24.amzn1.i686
src:
ImageMagick-6.9.10.68-3.24.amzn1.src
x86_64:
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-doc-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-perl-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-c++-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.x86_64
Amazon Linux AMI: All versions
ImageMagick: before 6.9.10.68-3.24
External linkshttp://alas.aws.amazon.com/ALAS-2023-1696.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU62856
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-4219
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability occurs due to improper use of open functions. A remote attacker can submit a specially crafted SVG to the application and can cause a denial of service.
Update the affected packages:
i686:Vulnerable software versions
ImageMagick-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.i686
ImageMagick-perl-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-6.9.10.68-3.24.amzn1.i686
ImageMagick-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-doc-6.9.10.68-3.24.amzn1.i686
src:
ImageMagick-6.9.10.68-3.24.amzn1.src
x86_64:
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-doc-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-perl-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-c++-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.x86_64
Amazon Linux AMI: All versions
ImageMagick: before 6.9.10.68-3.24
External linkshttp://alas.aws.amazon.com/ALAS-2023-1696.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU62851
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-28463
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing Image files. A remote attacker can pass specially crafted data to the application, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
ImageMagick-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.i686
ImageMagick-perl-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-6.9.10.68-3.24.amzn1.i686
ImageMagick-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-doc-6.9.10.68-3.24.amzn1.i686
src:
ImageMagick-6.9.10.68-3.24.amzn1.src
x86_64:
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-doc-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-perl-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-c++-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.x86_64
Amazon Linux AMI: All versions
ImageMagick: before 6.9.10.68-3.24
External linkshttp://alas.aws.amazon.com/ALAS-2023-1696.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Integer overflow
EUVDB-ID: #VU64947
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-32545
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to integer overflow in coders/psd.c in the ImageMagick when processing crafted or untrusted input. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
ImageMagick-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.i686
ImageMagick-perl-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-6.9.10.68-3.24.amzn1.i686
ImageMagick-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-doc-6.9.10.68-3.24.amzn1.i686
src:
ImageMagick-6.9.10.68-3.24.amzn1.src
x86_64:
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-doc-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-perl-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-c++-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.x86_64
Amazon Linux AMI: All versions
ImageMagick: before 6.9.10.68-3.24
External linkshttp://alas.aws.amazon.com/ALAS-2023-1696.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Integer overflow
EUVDB-ID: #VU64948
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-32546
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to integer overflow in coders/pcl.c in the ImageMagick when processing crafted or untrusted input. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service attack.
Update the affected packages:
i686:Vulnerable software versions
ImageMagick-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.i686
ImageMagick-perl-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-6.9.10.68-3.24.amzn1.i686
ImageMagick-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-doc-6.9.10.68-3.24.amzn1.i686
src:
ImageMagick-6.9.10.68-3.24.amzn1.src
x86_64:
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-doc-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-perl-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-c++-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.x86_64
Amazon Linux AMI: All versions
ImageMagick: before 6.9.10.68-3.24
External linkshttp://alas.aws.amazon.com/ALAS-2023-1696.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Type conversion
EUVDB-ID: #VU64949
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-32547
CWE-ID:
CWE-704 - Type conversion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a load of misaligned address for type 'double' in MagickCore/property.c. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
ImageMagick-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.i686
ImageMagick-perl-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-6.9.10.68-3.24.amzn1.i686
ImageMagick-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-doc-6.9.10.68-3.24.amzn1.i686
src:
ImageMagick-6.9.10.68-3.24.amzn1.src
x86_64:
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-doc-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-perl-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-c++-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.x86_64
Amazon Linux AMI: All versions
ImageMagick: before 6.9.10.68-3.24
External linkshttp://alas.aws.amazon.com/ALAS-2023-1696.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Resource management error
EUVDB-ID: #VU72079
Risk: Low
CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-44267
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources when performing operations on crafted PNG images. A remote attacker can pass specially crafted PNG image to the application and force the application to wait indefinitely for the stdin input, consuming system resources.
Update the affected packages:
i686:Vulnerable software versions
ImageMagick-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.i686
ImageMagick-perl-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-6.9.10.68-3.24.amzn1.i686
ImageMagick-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-doc-6.9.10.68-3.24.amzn1.i686
src:
ImageMagick-6.9.10.68-3.24.amzn1.src
x86_64:
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-doc-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-perl-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-c++-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.x86_64
Amazon Linux AMI: All versions
ImageMagick: before 6.9.10.68-3.24
External linkshttp://alas.aws.amazon.com/ALAS-2023-1696.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Information disclosure
EUVDB-ID: #VU72078
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-44268
CWE-ID:
CWE-200 - Information exposure
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper input validation when performing operations (e.g. resizing) on specially crafted PNG images. A remote attacker can pass a specially crafted image to the application and embed contents of other files on the system into the resulting image.
Update the affected packages:
i686:Vulnerable software versions
ImageMagick-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.i686
ImageMagick-perl-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-6.9.10.68-3.24.amzn1.i686
ImageMagick-6.9.10.68-3.24.amzn1.i686
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.i686
ImageMagick-doc-6.9.10.68-3.24.amzn1.i686
src:
ImageMagick-6.9.10.68-3.24.amzn1.src
x86_64:
ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-doc-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-devel-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-perl-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-c++-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-6.9.10.68-3.24.amzn1.x86_64
ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.x86_64
Amazon Linux AMI: All versions
ImageMagick: before 6.9.10.68-3.24
External linkshttp://alas.aws.amazon.com/ALAS-2023-1696.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
