Docker amazonlinux:2.0.20200304.0

Vulnerabilities

75 via 75 paths

Dependencies

104

Source

Docker

Target OS

amzn:2
Severity
  • 15
  • 57
  • 3
Status
  • 75
  • 0
  • 0

high severity

ALAS2-2021-1655

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-4.amzn2
  • Fixed in: 2.56.1-9.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glib2@2.56.1-4.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glib2 package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2021-27219: An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption. 1929858: CVE-2021-27219 glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits

Remediation

Upgrade Amzn:2 glib2 to version 2.56.1-9.amzn2.0.1 or higher.

References

high severity

ALAS2-2021-1599

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-34.amzn2
  • Fixed in: 2.26-40.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-25013: A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. 1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding

Remediation

Upgrade Amzn:2 glibc to version 2.26-40.amzn2 or higher.

References

high severity

ALAS2-2021-1605

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-34.amzn2
  • Fixed in: 2.26-41.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-6096: 1820331: CVE-2020-6096 glibc: signed comparison vulnerability in the ARMv7 memcpy function A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy() that specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as out-of-bounds memory write and potentially remote code execution. CVE-2020-29562: A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability. 1905217: CVE-2020-29562 glibc: assertion failure in iconv when converting invalid UCS4 CVE-2019-25013: A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. 1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding CVE-2016-10228: 1428290: CVE-2016-10228 glibc: iconv program can hang when invoked with the -c option The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Remediation

Upgrade Amzn:2 glibc to version 2.26-41.amzn2 or higher.

References

high severity

ALAS2-2021-1599

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-34.amzn2
  • Fixed in: 2.26-40.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-common@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-25013: A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. 1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding

Remediation

Upgrade Amzn:2 glibc-common to version 2.26-40.amzn2 or higher.

References

high severity

ALAS2-2021-1605

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-34.amzn2
  • Fixed in: 2.26-41.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-common@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-6096: 1820331: CVE-2020-6096 glibc: signed comparison vulnerability in the ARMv7 memcpy function A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy() that specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as out-of-bounds memory write and potentially remote code execution. CVE-2020-29562: A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability. 1905217: CVE-2020-29562 glibc: assertion failure in iconv when converting invalid UCS4 CVE-2019-25013: A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. 1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding CVE-2016-10228: 1428290: CVE-2016-10228 glibc: iconv program can hang when invoked with the -c option The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Remediation

Upgrade Amzn:2 glibc-common to version 2.26-41.amzn2 or higher.

References

high severity

ALAS2-2021-1599

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-34.amzn2
  • Fixed in: 2.26-40.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-langpack-en@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-langpack-en package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-25013: A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. 1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding

Remediation

Upgrade Amzn:2 glibc-langpack-en to version 2.26-40.amzn2 or higher.

References

high severity

ALAS2-2021-1605

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-34.amzn2
  • Fixed in: 2.26-41.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-langpack-en@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-langpack-en package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-6096: 1820331: CVE-2020-6096 glibc: signed comparison vulnerability in the ARMv7 memcpy function A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy() that specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as out-of-bounds memory write and potentially remote code execution. CVE-2020-29562: A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability. 1905217: CVE-2020-29562 glibc: assertion failure in iconv when converting invalid UCS4 CVE-2019-25013: A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. 1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding CVE-2016-10228: 1428290: CVE-2016-10228 glibc: iconv program can hang when invoked with the -c option The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Remediation

Upgrade Amzn:2 glibc-langpack-en to version 2.26-41.amzn2 or higher.

References

high severity

ALAS2-2021-1599

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-34.amzn2
  • Fixed in: 2.26-40.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-minimal-langpack@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-minimal-langpack package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-25013: A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. 1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding

Remediation

Upgrade Amzn:2 glibc-minimal-langpack to version 2.26-40.amzn2 or higher.

References

high severity

ALAS2-2021-1605

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-34.amzn2
  • Fixed in: 2.26-41.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-minimal-langpack@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-minimal-langpack package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-6096: 1820331: CVE-2020-6096 glibc: signed comparison vulnerability in the ARMv7 memcpy function A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy() that specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as out-of-bounds memory write and potentially remote code execution. CVE-2020-29562: A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability. 1905217: CVE-2020-29562 glibc: assertion failure in iconv when converting invalid UCS4 CVE-2019-25013: A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. 1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding CVE-2016-10228: 1428290: CVE-2016-10228 glibc: iconv program can hang when invoked with the -c option The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Remediation

Upgrade Amzn:2 glibc-minimal-langpack to version 2.26-41.amzn2 or higher.

References

high severity

ALAS2-2021-1599

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-34.amzn2
  • Fixed in: 2.26-40.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libcrypt@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream libcrypt package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-25013: A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. 1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding

Remediation

Upgrade Amzn:2 libcrypt to version 2.26-40.amzn2 or higher.

References

high severity

ALAS2-2021-1605

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-34.amzn2
  • Fixed in: 2.26-41.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libcrypt@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream libcrypt package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-6096: 1820331: CVE-2020-6096 glibc: signed comparison vulnerability in the ARMv7 memcpy function A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy() that specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as out-of-bounds memory write and potentially remote code execution. CVE-2020-29562: A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability. 1905217: CVE-2020-29562 glibc: assertion failure in iconv when converting invalid UCS4 CVE-2019-25013: A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. 1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding CVE-2016-10228: 1428290: CVE-2016-10228 glibc: iconv program can hang when invoked with the -c option The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Remediation

Upgrade Amzn:2 libcrypt to version 2.26-41.amzn2 or higher.

References

high severity

ALAS2-2020-1445

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.39.2-1.amzn2
  • Fixed in: 1.41.0-1.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libnghttp2@1.39.2-1.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream libnghttp2 package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-11080: In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability: implement the nghttp2_on_frame_recv_callback callback, and if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), then drop the connection. 1844929: CVE-2020-11080 nghttp2: overly large SETTINGS frames can lead to DoS

Remediation

Upgrade Amzn:2 libnghttp2 to version 1.41.0-1.amzn2 or higher.

References

high severity

ALAS2-2020-1466

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.3.3
  • Fixed in: 2.9.1-6.amzn2.4.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libxml2@2.9.1-6.amzn2.3.3

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-14567: libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251. 1619875: CVE-2018-14567 libxml2: Infinite loop caused by incorrect error detection during LZMA decompression CVE-2018-14404: 1595985: CVE-2018-14404 libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. CVE-2017-18258: The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. 1566749: CVE-2017-18258 libxml2: Unrestricted memory usage in xz_head() function in xzlib.c CVE-2017-15412: Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1523128: CVE-2017-15412 libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c CVE-2016-5131: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. 1358641: CVE-2016-5131 libxml2: Use after free triggered by XPointer paths beginning with range-to CVE-2015-8035: 1277146: CVE-2015-8035 libxml2: DoS caused by incorrect error detection during XZ decompression The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.

Remediation

Upgrade Amzn:2 libxml2 to version 2.9.1-6.amzn2.4.1 or higher.

References

high severity

ALAS2-2020-1406

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-19.amzn2.0.1
  • Fixed in: 1:1.0.2k-19.amzn2.0.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* openssl-libs@1:1.0.2k-19.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-1563: In situations where an attacker receives automated notification of the success or failure of a decryption attempt, an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). 1752100: CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey CVE-2019-1547: Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). 1752090: CVE-2019-1547 openssl: side-channel weak encryption vulnerability

Remediation

Upgrade Amzn:2 openssl-libs to version 1:1.0.2k-19.amzn2.0.3 or higher.

References

high severity

ALAS2-2020-1573

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-19.amzn2.0.1
  • Fixed in: 1:1.0.2k-19.amzn2.0.4

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* openssl-libs@1:1.0.2k-19.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-1971: 1903409: CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference A null pointer dereference flaw was found in openssl. A remote attacker, able to control the arguments of the GENERAL_NAME_cmp function, could cause an application compiled with openssl to crash, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Amzn:2 openssl-libs to version 1:1.0.2k-19.amzn2.0.4 or higher.

References

medium severity

ALAS2-2020-1503

  • Vulnerable module: bash
  • Introduced through: bash@4.2.46-33.amzn2
  • Fixed in: 4.2.46-34.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* bash@4.2.46-33.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream bash package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-9924: 1691774: CVE-2019-9924 bash: BASH_CMDS is writable in restricted bash shells rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Remediation

Upgrade Amzn:2 bash to version 4.2.46-34.amzn2 or higher.

References

medium severity

ALAS2-2020-1505

  • Vulnerable module: cpio
  • Introduced through: cpio@2.11-27.amzn2
  • Fixed in: 2.11-28.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* cpio@2.11-27.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream cpio package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-14866: 1765511: CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation It was discovered that cpio does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths the attacker did not have access to. Extracting those archives as a high-privilege user without carefully reviewing them may lead to the compromise of the system.

Remediation

Upgrade Amzn:2 cpio to version 2.11-28.amzn2 or higher.

References

medium severity

ALAS2-2020-1451

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-12.amzn2.0.1
  • Fixed in: 7.61.1-12.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* curl@7.61.1-12.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-8177: No description is available for this CVE. 1847915: CVE-2020-8177 curl: command line arguments lead to local file overwrite

Remediation

Upgrade Amzn:2 curl to version 7.61.1-12.amzn2.0.2 or higher.

References

medium severity

ALAS2-2021-1653

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-12.amzn2.0.1
  • Fixed in: 7.61.1-12.amzn2.0.4

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* curl@7.61.1-12.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2021-22898: A vulnerability was found in curl where, due to a flaw in the option parser for sending NEW_ENV variables, libcurl can pass uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. The highest threat from this vulnerability is to confidentiality. 1964887: CVE-2021-22898 curl: TELNET stack contents disclosure CVE-2021-22876: 1941964: CVE-2021-22876 curl: Leak of authentication credentials in URL via automatic Referer It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected.

Remediation

Upgrade Amzn:2 curl to version 7.61.1-12.amzn2.0.4 or higher.

References

medium severity

ALAS2-2020-1513

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-10.amzn2.0.2
  • Fixed in: 2.1.0-12.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* expat@2.1.0-10.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply to the upstream expat package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-15903: In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. 1752592: CVE-2019-15903 expat: heap-based buffer over-read via crafted XML input CVE-2018-20843: It was discovered that the "setElementTypePrefix()" function incorrectly extracted XML namespace prefixes. By tricking an application into processing a specially crafted XML file, an attacker could cause unusually high consumption of memory resources and possibly lead to a denial of service. 1723723: CVE-2018-20843 expat: large number of colons in input makes parser consume high amount of resources, leading to DoS

Remediation

Upgrade Amzn:2 expat to version 2.1.0-12.amzn2 or higher.

References

medium severity

ALAS2-2020-1553

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-4.amzn2
  • Fixed in: 2.56.1-7.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glib2@2.56.1-4.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glib2 package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-12450: file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. 1719141: CVE-2019-12450 glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress

Remediation

Upgrade Amzn:2 glib2 to version 2.56.1-7.amzn2.0.1 or higher.

References

medium severity

ALAS2-2020-1517

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-34.amzn2
  • Fixed in: 2.26-36.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 1347549: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

Remediation

Upgrade Amzn:2 glibc to version 2.26-36.amzn2 or higher.

References

medium severity

ALAS2-2021-1615

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-34.amzn2
  • Fixed in: 2.26-42.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2021-3326: 1921916: CVE-2021-3326 glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters A flaw was found in glibc's iconv() functionality. This flaw allows an attacker capable of supplying a crafted sequence of characters to an application using iconv() to convert from ISO-2022-JP-3 to cause an assertion failure. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Amzn:2 glibc to version 2.26-42.amzn2 or higher.

References

medium severity

ALAS2-2021-1656

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-34.amzn2
  • Fixed in: 2.26-47.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-27618 (1893708) glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop. A flaw was found in glibc. If an attacker provides the iconv function with invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings, it fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service.
  • CVE-2019-9169 (1684057) glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read. In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.

Remediation

Upgrade Amzn:2 glibc to version 2.26-47.amzn2 or higher.

References

medium severity

ALAS2-2020-1517

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-34.amzn2
  • Fixed in: 2.26-36.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-common@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 1347549: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

Remediation

Upgrade Amzn:2 glibc-common to version 2.26-36.amzn2 or higher.

References

medium severity

ALAS2-2021-1615

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-34.amzn2
  • Fixed in: 2.26-42.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-common@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2021-3326: 1921916: CVE-2021-3326 glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters A flaw was found in glibc's iconv() functionality. This flaw allows an attacker capable of supplying a crafted sequence of characters to an application using iconv() to convert from ISO-2022-JP-3 to cause an assertion failure. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Amzn:2 glibc-common to version 2.26-42.amzn2 or higher.

References

medium severity

ALAS2-2021-1656

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-34.amzn2
  • Fixed in: 2.26-47.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-common@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-27618 (1893708) glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop. A flaw was found in glibc. If an attacker provides the iconv function with invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings, it fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service.
  • CVE-2019-9169 (1684057) glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read. In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.

Remediation

Upgrade Amzn:2 glibc-common to version 2.26-47.amzn2 or higher.

References

medium severity

ALAS2-2020-1517

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-34.amzn2
  • Fixed in: 2.26-36.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-langpack-en@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-langpack-en package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 1347549: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

Remediation

Upgrade Amzn:2 glibc-langpack-en to version 2.26-36.amzn2 or higher.

References

medium severity

ALAS2-2021-1615

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-34.amzn2
  • Fixed in: 2.26-42.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-langpack-en@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-langpack-en package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2021-3326: 1921916: CVE-2021-3326 glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters A flaw was found in glibc's iconv() functionality. This flaw allows an attacker capable of supplying a crafted sequence of characters to an application using iconv() to convert from ISO-2022-JP-3 to cause an assertion failure. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Amzn:2 glibc-langpack-en to version 2.26-42.amzn2 or higher.

References

medium severity

ALAS2-2021-1656

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-34.amzn2
  • Fixed in: 2.26-47.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-langpack-en@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-langpack-en package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-27618 (1893708) glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop. A flaw was found in glibc. If an attacker provides the iconv function with invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings, it fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service.
  • CVE-2019-9169 (1684057) glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read. In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.

Remediation

Upgrade Amzn:2 glibc-langpack-en to version 2.26-47.amzn2 or higher.

References

medium severity

ALAS2-2020-1517

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-34.amzn2
  • Fixed in: 2.26-36.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-minimal-langpack@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-minimal-langpack package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 1347549: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

Remediation

Upgrade Amzn:2 glibc-minimal-langpack to version 2.26-36.amzn2 or higher.

References

medium severity

ALAS2-2021-1615

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-34.amzn2
  • Fixed in: 2.26-42.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-minimal-langpack@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-minimal-langpack package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2021-3326: 1921916: CVE-2021-3326 glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters A flaw was found in glibc's iconv() functionality. This flaw allows an attacker capable of supplying a crafted sequence of characters to an application using iconv() to convert from ISO-2022-JP-3 to cause an assertion failure. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Amzn:2 glibc-minimal-langpack to version 2.26-42.amzn2 or higher.

References

medium severity

ALAS2-2021-1656

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-34.amzn2
  • Fixed in: 2.26-47.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* glibc-minimal-langpack@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-minimal-langpack package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-27618 (1893708) glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop. A flaw was found in glibc. If an attacker provides the iconv function with invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings, it fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service.
  • CVE-2019-9169 (1684057) glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read. In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.

Remediation

Upgrade Amzn:2 glibc-minimal-langpack to version 2.26-47.amzn2 or higher.

References

medium severity

ALAS2-2020-1509

  • Vulnerable module: libcom_err
  • Introduced through: libcom_err@1.42.9-12.amzn2.0.2
  • Fixed in: 1.42.9-19.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libcom_err@1.42.9-12.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply to the upstream libcom_err package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-5188 (1790048) e2fsprogs: Out-of-bounds write in e2fsck/rehash.c. A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
  • CVE-2019-5094 (1768555) e2fsprogs: Crafted ext4 partition leads to out-of-bounds write. An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Remediation

Upgrade Amzn:2 libcom_err to version 1.42.9-19.amzn2 or higher.

References

medium severity

ALAS2-2020-1517

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-34.amzn2
  • Fixed in: 2.26-36.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libcrypt@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream libcrypt package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 1347549: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

Remediation

Upgrade Amzn:2 libcrypt to version 2.26-36.amzn2 or higher.

References

medium severity

ALAS2-2021-1615

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-34.amzn2
  • Fixed in: 2.26-42.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libcrypt@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream libcrypt package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2021-3326: 1921916: CVE-2021-3326 glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters A flaw was found in glibc's iconv() functionality. This flaw allows an attacker capable of supplying a crafted sequence of characters to an application using iconv() to convert from ISO-2022-JP-3 to cause an assertion failure. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Amzn:2 libcrypt to version 2.26-42.amzn2 or higher.

References

medium severity

ALAS2-2021-1656

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-34.amzn2
  • Fixed in: 2.26-47.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libcrypt@2.26-34.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream libcrypt package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-27618 (1893708) glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop. A flaw was found in glibc. If an attacker provides the iconv function with invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings, it fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service.
  • CVE-2019-9169 (1684057) glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read. In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.

Remediation

Upgrade Amzn:2 libcrypt to version 2.26-47.amzn2 or higher.

References

medium severity

ALAS2-2020-1451

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-12.amzn2.0.1
  • Fixed in: 7.61.1-12.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libcurl@7.61.1-12.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-8177: No description is available for this CVE. 1847915: CVE-2020-8177 curl: command line arguments lead to local file overwrite

Remediation

Upgrade Amzn:2 libcurl to version 7.61.1-12.amzn2.0.2 or higher.

References

medium severity

ALAS2-2021-1653

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-12.amzn2.0.1
  • Fixed in: 7.61.1-12.amzn2.0.4

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libcurl@7.61.1-12.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2021-22898 (1964887) curl: TELNET stack contents disclosure. A vulnerability was found in curl where, due to a flaw in the option parser for sending NEW_ENV variables, libcurl can pass uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. The highest threat from this vulnerability is to confidentiality.
  • CVE-2021-22876 (1941964) curl: Leak of authentication credentials in URL via automatic Referer. It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected.

Remediation

Upgrade Amzn:2 libcurl to version 7.61.1-12.amzn2.0.4 or higher.

References

medium severity

ALAS2-2020-1531

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-12.amzn2.2.2
  • Fixed in: 1.4.3-12.amzn2.2.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libssh2@1.4.3-12.amzn2.2.2

NVD Description

Note: Versions mentioned in the description apply to the upstream libssh2 package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-17498: 1766898: CVE-2019-17498 libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

Remediation

Upgrade Amzn:2 libssh2 to version 1.4.3-12.amzn2.2.3 or higher.

References

medium severity

ALAS2-2020-1534

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.3.3
  • Fixed in: 2.9.1-6.amzn2.5.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libxml2@2.9.1-6.amzn2.3.3

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-7595 (1799786) libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations. xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
  • CVE-2019-20388 (1799734) libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c. A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed, leading to a denial of service. System availability is the highest threat from this vulnerability.
  • CVE-2019-19956 (1788856) libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

Remediation

Upgrade Amzn:2 libxml2 to version 2.9.1-6.amzn2.5.1 or higher.

References

medium severity

ALAS2-2021-1662

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.3.3
  • Fixed in: 2.9.1-6.amzn2.5.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libxml2@2.9.1-6.amzn2.3.3

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2021-3541 (1950515) libxml2: Exponential entity expansion attack bypasses all existing protection mechanisms. No description is available for this CVE.
  • CVE-2021-3517 (1954232) libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c. There is a flaw in the xml entity encoding functionality of libxml2. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
  • CVE-2020-24977 (1877788) libxml2: Buffer overflow vulnerability in xmlEncodeEntitiesInternal() in entities.c. GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.

Remediation

Upgrade Amzn:2 libxml2 to version 2.9.1-6.amzn2.5.3 or higher.

References

medium severity

ALAS2-2021-1677

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.3.3
  • Fixed in: 2.9.1-6.amzn2.5.4

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* libxml2@2.9.1-6.amzn2.3.3

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2021-3537 (1956522) libxml2: NULL pointer dereference when post-validating mixed content parsed in recovery mode. A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
  • CVE-2021-3518 (1954242) libxml2: Use-after-free in xmlXIncludeDoProcess() in xinclude.c. There's a flaw in libxml2. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
  • CVE-2021-3516 (1954225) libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c. There's a flaw in libxml2's xmllint. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.

Remediation

Upgrade Amzn:2 libxml2 to version 2.9.1-6.amzn2.5.4 or higher.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nspr
  • Introduced through: nspr@4.21.0-1.amzn2.0.2
  • Fixed in: 4.25.0-2.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* nspr@4.21.0-1.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply to the upstream nspr package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187) nss: Side channel attack on ECDSA signature generation. A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931) nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read. A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231) nss: Side channel vulnerabilities during RSA key generation. A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294) nss: ECDSA timing attack mitigation bypass. A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983) nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function. A side channel flaw was found in nss, in the way the P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225) nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state. A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916) nss: Check length of inputs for cryptographic primitives. A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835) nss: Use-after-free in sftk_FreeSession due to improper refcounting. A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988) nss: PKCS#1 v1.5 signatures can be used for TLS 1.3. A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436) nss: Out-of-bounds read when importing curve25519 private key. When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade Amzn:2 nspr to version 4.25.0-2.amzn2 or higher.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss
  • Introduced through: nss@3.44.0-7.amzn2
  • Fixed in: 3.53.1-3.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* nss@3.44.0-7.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187: nss: Side channel attack on ECDSA signature generation): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931: nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read): A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231: nss: Side channel vulnerabilities during RSA key generation): A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294: nss: ECDSA timing attack mitigation bypass): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983: nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function): A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225: nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state): A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916: nss: Check length of inputs for cryptographic primitives): A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835: nss: Use-after-free in sftk_FreeSession due to improper refcounting): A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988: nss: PKCS#1 v1.5 signatures can be used for TLS 1.3): A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436: nss: Out-of-bounds read when importing curve25519 private key): When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade Amzn:2 nss to version 3.53.1-3.amzn2 or higher.

References

medium severity

ALAS2-2021-1664

  • Vulnerable module: nss
  • Introduced through: nss@3.44.0-7.amzn2
  • Fixed in: 3.53.1-7.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* nss@3.44.0-7.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-25648: A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. 1887319: CVE-2020-25648 nss: TLS 1.3 CCS flood remote DoS Attack

Remediation

Upgrade Amzn:2 nss to version 3.53.1-7.amzn2 or higher.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.44.0-8.amzn2
  • Fixed in: 3.53.1-6.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* nss-softokn@3.44.0-8.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187: nss: Side channel attack on ECDSA signature generation): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931: nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read): A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231: nss: Side channel vulnerabilities during RSA key generation): A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294: nss: ECDSA timing attack mitigation bypass): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983: nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function): A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225: nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state): A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916: nss: Check length of inputs for cryptographic primitives): A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835: nss: Use-after-free in sftk_FreeSession due to improper refcounting): A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988: nss: PKCS#1 v1.5 signatures can be used for TLS 1.3): A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436: nss: Out-of-bounds read when importing curve25519 private key): When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade Amzn:2 nss-softokn to version 3.53.1-6.amzn2 or higher.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.44.0-8.amzn2
  • Fixed in: 3.53.1-6.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* nss-softokn-freebl@3.44.0-8.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn-freebl package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187: nss: Side channel attack on ECDSA signature generation): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931: nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read): A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231: nss: Side channel vulnerabilities during RSA key generation): A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294: nss: ECDSA timing attack mitigation bypass): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983: nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function): A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225: nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state): A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916: nss: Check length of inputs for cryptographic primitives): A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835: nss: Use-after-free in sftk_FreeSession due to improper refcounting): A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988: nss: PKCS#1 v1.5 signatures can be used for TLS 1.3): A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436: nss: Out-of-bounds read when importing curve25519 private key): When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade Amzn:2 nss-softokn-freebl to version 3.53.1-6.amzn2 or higher.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.44.0-7.amzn2
  • Fixed in: 3.53.1-3.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* nss-sysinit@3.44.0-7.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187: nss: Side channel attack on ECDSA signature generation): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931: nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read): A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231: nss: Side channel vulnerabilities during RSA key generation): A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294: nss: ECDSA timing attack mitigation bypass): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983: nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function): A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225: nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state): A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916: nss: Check length of inputs for cryptographic primitives): A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835: nss: Use-after-free in sftk_FreeSession due to improper refcounting): A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988: nss: PKCS#1 v1.5 signatures can be used for TLS 1.3): A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436: nss: Out-of-bounds read when importing curve25519 private key): When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade Amzn:2 nss-sysinit to version 3.53.1-3.amzn2 or higher.

References

medium severity

ALAS2-2021-1664

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.44.0-7.amzn2
  • Fixed in: 3.53.1-7.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* nss-sysinit@3.44.0-7.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-25648: A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. 1887319: CVE-2020-25648 nss: TLS 1.3 CCS flood remote DoS Attack

Remediation

Upgrade Amzn:2 nss-sysinit to version 3.53.1-7.amzn2 or higher.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.44.0-7.amzn2
  • Fixed in: 3.53.1-3.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* nss-tools@3.44.0-7.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187: nss: Side channel attack on ECDSA signature generation): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931: nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read): A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231: nss: Side channel vulnerabilities during RSA key generation): A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294: nss: ECDSA timing attack mitigation bypass): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983: nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function): A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225: nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state): A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916: nss: Check length of inputs for cryptographic primitives): A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835: nss: Use-after-free in sftk_FreeSession due to improper refcounting): A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988: nss: PKCS#1 v1.5 signatures can be used for TLS 1.3): A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436: nss: Out-of-bounds read when importing curve25519 private key): When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade Amzn:2 nss-tools to version 3.53.1-3.amzn2 or higher.

References

medium severity

ALAS2-2021-1664

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.44.0-7.amzn2
  • Fixed in: 3.53.1-7.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* nss-tools@3.44.0-7.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-25648: A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. 1887319: CVE-2020-25648 nss: TLS 1.3 CCS flood remote DoS Attack

Remediation

Upgrade Amzn:2 nss-tools to version 3.53.1-7.amzn2 or higher.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.44.0-4.amzn2
  • Fixed in: 3.53.1-1.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* nss-util@3.44.0-4.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-util package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187: nss: Side channel attack on ECDSA signature generation): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931: nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read): A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231: nss: Side channel vulnerabilities during RSA key generation): A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294: nss: ECDSA timing attack mitigation bypass): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983: nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function): A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225: nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state): A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916: nss: Check length of inputs for cryptographic primitives): A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835: nss: Use-after-free in sftk_FreeSession due to improper refcounting): A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988: nss: PKCS#1 v1.5 signatures can be used for TLS 1.3): A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436: nss: Out-of-bounds read when importing curve25519 private key): When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade Amzn:2 nss-util to version 3.53.1-1.amzn2 or higher.

References

medium severity

ALAS2-2020-1539

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-15.amzn2
  • Fixed in: 2.4.44-22.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* openldap@2.4.44-15.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-12243: In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). 1833535: CVE-2020-12243 openldap: denial of service via nested boolean expressions in LDAP search filters

Remediation

Upgrade Amzn:2 openldap to version 2.4.44-22.amzn2 or higher.

References

medium severity

ALAS2-2021-1638

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-15.amzn2
  • Fixed in: 2.4.44-23.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* openldap@2.4.44-15.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-25692: A NULL pointer dereference flaw was found in the OpenLDAP server, during a request for renaming RDNs. This flaw allows a remote, unauthenticated attacker to crash the slapd process by sending a specially crafted request, causing a denial of service. The highest threat from this vulnerability is to system availability. 1894567: CVE-2020-25692 openldap: NULL pointer dereference for unauthenticated packet in slapd

Remediation

Upgrade Amzn:2 openldap to version 2.4.44-23.amzn2 or higher.

References

medium severity

ALAS2-2021-1608

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-19.amzn2.0.1
  • Fixed in: 1:1.0.2k-19.amzn2.0.6

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* openssl-libs@1:1.0.2k-19.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2021-23841: The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself, so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). 1930310: CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash()

CVE-2021-23840: 1930324: CVE-2021-23840 openssl: integer overflow in CipherUpdate. Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

CVE-2021-23839: 1930294: CVE-2021-23839 openssl: incorrect SSLv2 rollback protection. OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions, then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such a server will accept a connection if a version rollback attack has occurred. Further, the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list). OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2, the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However, since there is no support for the SSLv2 protocol in 1.1.1, this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).

Remediation

Upgrade Amzn:2 openssl-libs to version 1:1.0.2k-19.amzn2.0.6 or higher.

References

medium severity

ALAS2-2021-1601

  • Vulnerable module: p11-kit
  • Introduced through: p11-kit@0.23.5-3.amzn2.0.2
  • Fixed in: 0.23.22-1.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* p11-kit@0.23.5-3.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply to the upstream p11-kit package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-29363: An issue was discovered in p11-kit 0.23.6 through 0.23.21. A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value. 1903588: CVE-2020-29363 p11-kit: out-of-bounds write in p11_rpc_buffer_get_byte_array_value function in rpc-message.c

CVE-2020-29362: 1903590: CVE-2020-29362 p11-kit: out-of-bounds read in p11_rpc_buffer_get_byte_array function in rpc-message.c. An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.

CVE-2020-29361: 1903592: CVE-2020-29361 p11-kit: integer overflow when allocating memory for arrays or attributes and object identifiers. An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.

Remediation

Upgrade Amzn:2 p11-kit to version 0.23.22-1.amzn2.0.1 or higher.

References

medium severity

ALAS2-2021-1601

  • Vulnerable module: p11-kit-trust
  • Introduced through: p11-kit-trust@0.23.5-3.amzn2.0.2
  • Fixed in: 0.23.22-1.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* p11-kit-trust@0.23.5-3.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply to the upstream p11-kit-trust package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-29363: An issue was discovered in p11-kit 0.23.6 through 0.23.21. A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value. 1903588: CVE-2020-29363 p11-kit: out-of-bounds write in p11_rpc_buffer_get_byte_array_value function in rpc-message.c

CVE-2020-29362: 1903590: CVE-2020-29362 p11-kit: out-of-bounds read in p11_rpc_buffer_get_byte_array function in rpc-message.c. An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.

CVE-2020-29361: 1903592: CVE-2020-29361 p11-kit: integer overflow when allocating memory for arrays or attributes and object identifiers. An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.

Remediation

Upgrade Amzn:2 p11-kit-trust to version 0.23.22-1.amzn2.0.1 or higher.

References

medium severity

ALAS2-2020-1432

  • Vulnerable module: python
  • Introduced through: python@2.7.16-5.amzn2
  • Fixed in: 2.7.18-1.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* python@2.7.16-5.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-8492: 1809065: CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS. Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

CVE-2018-20852: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. 1740347: CVE-2018-20852 python: Cookie domain check returns incorrect results

Remediation

Upgrade Amzn:2 python to version 2.7.18-1.amzn2 or higher.

References

medium severity

ALAS2-2020-1471

  • Vulnerable module: python
  • Introduced through: python@2.7.16-5.amzn2
  • Fixed in: 2.7.18-1.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* python@2.7.16-5.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-8492: 1809065: CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS. Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Remediation

Upgrade Amzn:2 python to version 2.7.18-1.amzn2.0.1 or higher.

References

medium severity

ALAS2-2020-1483

  • Vulnerable module: python
  • Introduced through: python@2.7.16-5.amzn2
  • Fixed in: 2.7.18-1.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* python@2.7.16-5.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. 1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive

Remediation

Upgrade Amzn:2 python to version 2.7.18-1.amzn2.0.2 or higher.

References

medium severity

ALAS2-2021-1611

  • Vulnerable module: python
  • Introduced through: python@2.7.16-5.amzn2
  • Fixed in: 2.7.18-1.amzn2.0.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* python@2.7.16-5.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2021-3177: A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability. 1918168: CVE-2021-3177 python: stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c

Remediation

Upgrade Amzn:2 python to version 2.7.18-1.amzn2.0.3 or higher.

References

medium severity

ALAS2-2021-1669

  • Vulnerable module: python
  • Introduced through: python@2.7.16-5.amzn2
  • Fixed in: 2.7.18-1.amzn2.0.4

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* python@2.7.16-5.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-26116: 1883014: CVE-2020-26116 python: CRLF injection via HTTP request method in httplib/http.client. A flaw was found in Python. The built-in modules httplib and http.client (included in Python 2 and Python 3, respectively) do not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation of the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity.

Remediation

Upgrade Amzn:2 python to version 2.7.18-1.amzn2.0.4 or higher.

References

medium severity

ALAS2-2020-1432

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.16-5.amzn2
  • Fixed in: 2.7.18-1.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* python-libs@2.7.16-5.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-8492: 1809065: CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS. Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

CVE-2018-20852: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. 1740347: CVE-2018-20852 python: Cookie domain check returns incorrect results

Remediation

Upgrade Amzn:2 python-libs to version 2.7.18-1.amzn2 or higher.

References

medium severity

ALAS2-2020-1471

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.16-5.amzn2
  • Fixed in: 2.7.18-1.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* python-libs@2.7.16-5.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-8492: 1809065: CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS. Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Remediation

Upgrade Amzn:2 python-libs to version 2.7.18-1.amzn2.0.1 or higher.

References

medium severity

ALAS2-2020-1483

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.16-5.amzn2
  • Fixed in: 2.7.18-1.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* python-libs@2.7.16-5.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. 1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive

Remediation

Upgrade Amzn:2 python-libs to version 2.7.18-1.amzn2.0.2 or higher.

References

medium severity

ALAS2-2021-1611

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.16-5.amzn2
  • Fixed in: 2.7.18-1.amzn2.0.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* python-libs@2.7.16-5.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2021-3177: A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability. 1918168: CVE-2021-3177 python: stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c

Remediation

Upgrade Amzn:2 python-libs to version 2.7.18-1.amzn2.0.3 or higher.

References

medium severity

ALAS2-2021-1669

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.16-5.amzn2
  • Fixed in: 2.7.18-1.amzn2.0.4

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* python-libs@2.7.16-5.amzn2

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-26116: 1883014: CVE-2020-26116 python: CRLF injection via HTTP request method in httplib/http.client. A flaw was found in Python. The built-in modules httplib and http.client (included in Python 2 and Python 3, respectively) do not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation of the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity.

Remediation

Upgrade Amzn:2 python-libs to version 2.7.18-1.amzn2.0.4 or higher.

References

medium severity
new

ALAS2-2021-1689

  • Vulnerable module: python2-rpm
  • Introduced through: python2-rpm@4.11.3-40.amzn2.0.3
  • Fixed in: 4.11.3-40.amzn2.0.6

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* python2-rpm@4.11.3-40.amzn2.0.3

NVD Description

Note: Versions mentioned in the description apply to the upstream python2-rpm package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2021-3421: 1927747: CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database. A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity.

CVE-2021-20271: A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. 1934125: CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package

Remediation

Upgrade Amzn:2 python2-rpm to version 4.11.3-40.amzn2.0.6 or higher.

References

medium severity
new

ALAS2-2021-1689

  • Vulnerable module: rpm
  • Introduced through: rpm@4.11.3-40.amzn2.0.3
  • Fixed in: 4.11.3-40.amzn2.0.6

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* rpm@4.11.3-40.amzn2.0.3

NVD Description

Note: Versions mentioned in the description apply to the upstream rpm package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2021-3421: 1927747: CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database. A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity.

CVE-2021-20271: A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. 1934125: CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package

Remediation

Upgrade Amzn:2 rpm to version 4.11.3-40.amzn2.0.6 or higher.

References

medium severity
new

ALAS2-2021-1689

  • Vulnerable module: rpm-build-libs
  • Introduced through: rpm-build-libs@4.11.3-40.amzn2.0.3
  • Fixed in: 4.11.3-40.amzn2.0.6

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* rpm-build-libs@4.11.3-40.amzn2.0.3

NVD Description

Note: Versions mentioned in the description apply to the upstream rpm-build-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2021-3421: 1927747: CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database. A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity.

CVE-2021-20271: A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. 1934125: CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package

Remediation

Upgrade Amzn:2 rpm-build-libs to version 4.11.3-40.amzn2.0.6 or higher.

References

medium severity
new

ALAS2-2021-1689

  • Vulnerable module: rpm-libs
  • Introduced through: rpm-libs@4.11.3-40.amzn2.0.3
  • Fixed in: 4.11.3-40.amzn2.0.6

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* rpm-libs@4.11.3-40.amzn2.0.3

NVD Description

Note: Versions mentioned in the description apply to the upstream rpm-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2021-3421: 1927747: CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database. A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity.

CVE-2021-20271: A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. 1934125: CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package

Remediation

Upgrade Amzn:2 rpm-libs to version 4.11.3-40.amzn2.0.6 or higher.

References

low severity

ALAS2-2021-1652

  • Vulnerable module: bzip2-libs
  • Introduced through: bzip2-libs@1.0.6-13.amzn2.0.2
  • Fixed in: 1.0.6-13.amzn2.0.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* bzip2-libs@1.0.6-13.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply to the upstream bzip2-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-12900: 1724459: CVE-2019-12900 bzip2: out-of-bounds write in function BZ2_decompress. BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

Remediation

Upgrade Amzn:2 bzip2-libs to version 1.0.6-13.amzn2.0.3 or higher.

References

low severity

ALAS2-2020-1452

  • Vulnerable module: file-libs
  • Introduced through: file-libs@5.11-35.amzn2.0.2
  • Fixed in: 5.11-36.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* file-libs@5.11-35.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply to the upstream file-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-10360: The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. 1590000: CVE-2018-10360 file: out-of-bounds read via a crafted ELF file

Remediation

Upgrade Amzn:2 file-libs to version 5.11-36.amzn2.0.1 or higher.

References

low severity
new

ALAS2-2021-1687

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-19.amzn2.0.1
  • Fixed in: 1:1.0.2k-19.amzn2.0.7

Detailed paths

  • Introduced through: amazonlinux:2.0.20200304.0@* openssl-libs@1:1.0.2k-19.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl-libs package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-1551: 1780995: CVE-2019-1551 openssl: Integer overflow in RSAZ modular exponentiation on x86_64. An integer overflow was found in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. As per upstream:

  • No EC algorithms are affected.
  • Attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely.
  • Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway.
  • Also, applications directly using the low-level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.

Remediation

Upgrade Amzn:2 openssl-libs to version 1:1.0.2k-19.amzn2.0.7 or higher.

References