Amazon Linux AMI update for php8.1



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2023-3247
CWE-ID CWE-330
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Amazon Linux AMI
Operating systems & Components / Operating system

php8.1
Operating systems & Components / Operating system package or component

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Use of insufficiently random values

EUVDB-ID: #VU77112

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-3247

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to a missing error check and insufficient random bytes in HTTP Digest authentication for SOAP. A remote attacker can perform a brute-force attack and bypass authentication process.

Mitigation

Update the affected packages:

aarch64:
    php8.1-opcache-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-cli-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-dbg-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-tidy-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-fpm-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-odbc-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-pspell-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-gd-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-enchant-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-opcache-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-snmp-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-dbg-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-debugsource-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-mysqlnd-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-odbc-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-ldap-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-mbstring-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-ldap-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-xml-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-devel-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-pdo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-snmp-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-dba-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-pdo-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-bcmath-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-soap-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-intl-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-intl-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-pgsql-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-fpm-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-gd-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-soap-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-cli-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-process-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-embedded-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-pgsql-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-dba-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-process-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-mysqlnd-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-ffi-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-gmp-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-ffi-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-xml-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-common-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-mbstring-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-embedded-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-common-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-tidy-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-gmp-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-bcmath-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-enchant-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-pspell-debuginfo-8.1.22-1.amzn2023.0.1.aarch64
    php8.1-8.1.22-1.amzn2023.0.1.aarch64

src:
    php8.1-8.1.22-1.amzn2023.0.1.src

x86_64:
    php8.1-fpm-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-intl-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-common-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-intl-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-ldap-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-mysqlnd-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-mbstring-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-soap-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-pgsql-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-dba-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-pdo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-snmp-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-pdo-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-pgsql-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-cli-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-embedded-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-gd-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-debugsource-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-opcache-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-ffi-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-process-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-cli-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-embedded-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-fpm-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-soap-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-opcache-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-xml-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-mbstring-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-mysqlnd-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-common-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-odbc-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-dbg-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-devel-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-dbg-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-xml-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-ffi-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-tidy-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-gmp-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-bcmath-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-process-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-gd-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-odbc-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-ldap-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-gmp-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-bcmath-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-dba-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-tidy-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-snmp-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-enchant-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-pspell-debuginfo-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-enchant-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-pspell-8.1.22-1.amzn2023.0.1.x86_64
    php8.1-8.1.22-1.amzn2023.0.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

php8.1: All versions

CPE2.3 External links

https://alas.aws.amazon.com/AL2023/ALAS-2023-303.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###