Amazon Linux AMI update for gcc



Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2022-27943
CWE-ID: CWE-400
Exploitation vector: Local
Public exploit: N/A
Vulnerable software:
    Amazon Linux AMI (Operating systems & Components / Operating system)
    gcc (Operating systems & Components / Operating system package or component)
Vendor: Amazon Web Services

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Resource exhaustion

EUVDB-ID: #VU72528

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-27943

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources within demangle_const in libiberty/rust-demangle.c. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

aarch64:
    libtsan-11.3.1-4.amzn2023.0.3.aarch64
    gcc-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    libasan-11.3.1-4.amzn2023.0.3.aarch64
    libgccjit-devel-11.3.1-4.amzn2023.0.3.aarch64
    cpp-11.3.1-4.amzn2023.0.3.aarch64
    libgomp-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    libasan-static-11.3.1-4.amzn2023.0.3.aarch64
    liblsan-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    gcc-gdb-plugin-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    gcc-11.3.1-4.amzn2023.0.3.aarch64
    gcc-gdb-plugin-11.3.1-4.amzn2023.0.3.aarch64
    libstdc++-static-11.3.1-4.amzn2023.0.3.aarch64
    libgcc-11.3.1-4.amzn2023.0.3.aarch64
    libatomic-11.3.1-4.amzn2023.0.3.aarch64
    libubsan-static-11.3.1-4.amzn2023.0.3.aarch64
    libubsan-11.3.1-4.amzn2023.0.3.aarch64
    libatomic-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    libgomp-11.3.1-4.amzn2023.0.3.aarch64
    libgccjit-11.3.1-4.amzn2023.0.3.aarch64
    libgcc-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    gcc-gfortran-11.3.1-4.amzn2023.0.3.aarch64
    libitm-static-11.3.1-4.amzn2023.0.3.aarch64
    libgfortran-static-11.3.1-4.amzn2023.0.3.aarch64
    gcc-c++-11.3.1-4.amzn2023.0.3.aarch64
    libitm-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    gcc-gfortran-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    libgccjit-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    liblsan-static-11.3.1-4.amzn2023.0.3.aarch64
    libtsan-static-11.3.1-4.amzn2023.0.3.aarch64
    cpp-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    libgfortran-11.3.1-4.amzn2023.0.3.aarch64
    libtsan-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    liblsan-11.3.1-4.amzn2023.0.3.aarch64
    gcc-plugin-devel-11.3.1-4.amzn2023.0.3.aarch64
    libasan-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    gcc-c++-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    libstdc++-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    libubsan-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    libstdc++-devel-11.3.1-4.amzn2023.0.3.aarch64
    gcc-plugin-devel-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    libitm-11.3.1-4.amzn2023.0.3.aarch64
    libgfortran-debuginfo-11.3.1-4.amzn2023.0.3.aarch64
    libstdc++-11.3.1-4.amzn2023.0.3.aarch64
    libatomic-static-11.3.1-4.amzn2023.0.3.aarch64
    libitm-devel-11.3.1-4.amzn2023.0.3.aarch64
    gcc-debugsource-11.3.1-4.amzn2023.0.3.aarch64
    libstdc++-docs-11.3.1-4.amzn2023.0.3.aarch64

src:
    gcc-11.3.1-4.amzn2023.0.3.src

x86_64:
    gcc-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libstdc++-static-11.3.1-4.amzn2023.0.3.x86_64
    liblsan-static-11.3.1-4.amzn2023.0.3.x86_64
    libtsan-11.3.1-4.amzn2023.0.3.x86_64
    libasan-11.3.1-4.amzn2023.0.3.x86_64
    libubsan-static-11.3.1-4.amzn2023.0.3.x86_64
    libasan-static-11.3.1-4.amzn2023.0.3.x86_64
    libgccjit-11.3.1-4.amzn2023.0.3.x86_64
    cpp-11.3.1-4.amzn2023.0.3.x86_64
    gcc-11.3.1-4.amzn2023.0.3.x86_64
    libgccjit-devel-11.3.1-4.amzn2023.0.3.x86_64
    cpp-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libgomp-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libstdc++-devel-11.3.1-4.amzn2023.0.3.x86_64
    gcc-plugin-devel-11.3.1-4.amzn2023.0.3.x86_64
    libtsan-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    gcc-c++-11.3.1-4.amzn2023.0.3.x86_64
    libasan-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libubsan-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    gcc-gdb-plugin-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    gcc-offload-nvptx-11.3.1-4.amzn2023.0.3.x86_64
    libgccjit-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libgfortran-static-11.3.1-4.amzn2023.0.3.x86_64
    gcc-gfortran-11.3.1-4.amzn2023.0.3.x86_64
    gcc-gfortran-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    liblsan-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libgfortran-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libstdc++-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    gcc-c++-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libitm-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    gcc-offload-nvptx-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libstdc++-11.3.1-4.amzn2023.0.3.x86_64
    libgfortran-11.3.1-4.amzn2023.0.3.x86_64
    gcc-debugsource-11.3.1-4.amzn2023.0.3.x86_64
    libtsan-static-11.3.1-4.amzn2023.0.3.x86_64
    libstdc++-docs-11.3.1-4.amzn2023.0.3.x86_64
    libquadmath-static-11.3.1-4.amzn2023.0.3.x86_64
    libquadmath-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    gcc-plugin-devel-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libgomp-11.3.1-4.amzn2023.0.3.x86_64
    liblsan-11.3.1-4.amzn2023.0.3.x86_64
    libubsan-11.3.1-4.amzn2023.0.3.x86_64
    libgcc-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libquadmath-11.3.1-4.amzn2023.0.3.x86_64
    gcc-gdb-plugin-11.3.1-4.amzn2023.0.3.x86_64
    libitm-static-11.3.1-4.amzn2023.0.3.x86_64
    libgcc-11.3.1-4.amzn2023.0.3.x86_64
    libitm-11.3.1-4.amzn2023.0.3.x86_64
    libatomic-static-11.3.1-4.amzn2023.0.3.x86_64
    libgomp-offload-nvptx-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libatomic-debuginfo-11.3.1-4.amzn2023.0.3.x86_64
    libgomp-offload-nvptx-11.3.1-4.amzn2023.0.3.x86_64
    libatomic-11.3.1-4.amzn2023.0.3.x86_64
    libquadmath-devel-11.3.1-4.amzn2023.0.3.x86_64
    libitm-devel-11.3.1-4.amzn2023.0.3.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

gcc: All versions

External links

https://alas.aws.amazon.com/AL2023/ALAS-2023-145.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


