Docker amazonlinux:2018.03.0.20190826

Vulnerabilities

62 via 62 paths

Dependencies

103

Source

Docker

Target OS

amzn:2018.03
Severity
  • 13
  • 46
  • 3
Status
  • 62
  • 0
  • 0

high severity

ALAS-2019-1298

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.21.1-1.4.amzn1
  • Fixed in: 1.31.1-2.5.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libnghttp2@1.21.1-1.4.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libnghttp2 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-9513: Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. 1735741: CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption CVE-2019-9511: Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. 1741860: CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service

Remediation

Upgrade Amzn:2018.03 libnghttp2 to version 1.31.1-2.5.amzn1 or higher.

References

high severity

ALAS-2020-1404

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.21.1-1.4.amzn1
  • Fixed in: 1.33.0-1.1.6.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libnghttp2@1.21.1-1.4.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libnghttp2 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2020-11080: In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. 1844929: CVE-2020-11080 nghttp2: overly large SETTINGS frames can lead to DoS

Remediation

Upgrade Amzn:2018.03 libnghttp2 to version 1.33.0-1.1.6.amzn1 or higher.

References

high severity

ALAS-2020-1415

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.3.52.amzn1
  • Fixed in: 2.9.1-6.4.40.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libxml2@2.9.1-6.3.52.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2018-14567: libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251. 1619875: CVE-2018-14567 libxml2: Infinite loop caused by incorrect error detection during LZMA decompression CVE-2018-14404: 1595985: CVE-2018-14404 libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. CVE-2017-18258: The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. 1566749: CVE-2017-18258 libxml2: Unrestricted memory usage in xz_head() function in xzlib.c CVE-2017-15412: Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1523128: CVE-2017-15412 libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c CVE-2016-5131: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. 1358641: CVE-2016-5131 libxml2: Use after free triggered by XPointer paths beginning with range-to CVE-2015-8035: 1277146: CVE-2015-8035 libxml2: DoS caused by incorrect error detection during XZ decompression The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.

Remediation

Upgrade Amzn:2018.03 libxml2 to version 2.9.1-6.4.40.amzn1 or higher.

References

high severity

ALAS-2020-1415

  • Vulnerable module: libxml2-python27
  • Introduced through: libxml2-python27@2.9.1-6.3.52.amzn1
  • Fixed in: 2.9.1-6.4.40.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libxml2-python27@2.9.1-6.3.52.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2-python27 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2018-14567: libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251. 1619875: CVE-2018-14567 libxml2: Infinite loop caused by incorrect error detection during LZMA decompression CVE-2018-14404: 1595985: CVE-2018-14404 libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. CVE-2017-18258: The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. 1566749: CVE-2017-18258 libxml2: Unrestricted memory usage in xz_head() function in xzlib.c CVE-2017-15412: Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 1523128: CVE-2017-15412 libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c CVE-2016-5131: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. 1358641: CVE-2016-5131 libxml2: Use after free triggered by XPointer paths beginning with range-to CVE-2015-8035: 1277146: CVE-2015-8035 libxml2: DoS caused by incorrect error detection during XZ decompression The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.

Remediation

Upgrade Amzn:2018.03 libxml2-python27 to version 2.9.1-6.4.40.amzn1 or higher.

References

high severity

ALAS-2020-1355

  • Vulnerable module: nspr
  • Introduced through: nspr@4.19.0-1.43.amzn1
  • Fixed in: 4.21.0-1.43.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nspr@4.19.0-1.43.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nspr package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-11745: 99999: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well. 1774831: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-11729: 99999: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. 1728437: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2018-12404: 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41. 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack CVE-2018-0495: 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. 1591163: CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries

Remediation

Upgrade Amzn:2018.03 nspr to version 4.21.0-1.43.amzn1 or higher.

References

high severity

ALAS-2020-1355

  • Vulnerable module: nss
  • Introduced through: nss@3.36.0-5.82.amzn1
  • Fixed in: 3.44.0-7.84.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss@3.36.0-5.82.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-11745: 99999: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well. 1774831: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-11729: 99999: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. 1728437: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2018-12404: 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41. 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack CVE-2018-0495: 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. 1591163: CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries

Remediation

Upgrade Amzn:2018.03 nss to version 3.44.0-7.84.amzn1 or higher.

References

high severity

ALAS-2020-1355

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.36.0-5.42.amzn1
  • Fixed in: 3.44.0-8.44.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss-softokn@3.36.0-5.42.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-11745: 99999: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well. 1774831: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-11729: 99999: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. 1728437: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2018-12404: 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41. 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack CVE-2018-0495: 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. 1591163: CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries

Remediation

Upgrade Amzn:2018.03 nss-softokn to version 3.44.0-8.44.amzn1 or higher.

References

high severity

ALAS-2020-1355

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.36.0-5.42.amzn1
  • Fixed in: 3.44.0-8.44.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss-softokn-freebl@3.36.0-5.42.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn-freebl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-11745: 99999: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well. 1774831: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-11729: 99999: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. 1728437: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2018-12404: 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41. 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack CVE-2018-0495: 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. 1591163: CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries

Remediation

Upgrade Amzn:2018.03 nss-softokn-freebl to version 3.44.0-8.44.amzn1 or higher.

References

high severity

ALAS-2020-1355

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.36.0-5.82.amzn1
  • Fixed in: 3.44.0-7.84.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss-sysinit@3.36.0-5.82.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-11745: 99999: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well. 1774831: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-11729: 99999: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. 1728437: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2018-12404: 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41. 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack CVE-2018-0495: 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. 1591163: CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries

Remediation

Upgrade Amzn:2018.03 nss-sysinit to version 3.44.0-7.84.amzn1 or higher.

References

high severity

ALAS-2020-1355

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.36.0-5.82.amzn1
  • Fixed in: 3.44.0-7.84.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss-tools@3.36.0-5.82.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-11745: 99999: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well. 1774831: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-11729: 99999: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. 1728437: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2018-12404: 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41. 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack CVE-2018-0495: 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. 1591163: CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries

Remediation

Upgrade Amzn:2018.03 nss-tools to version 3.44.0-7.84.amzn1 or higher.

References

high severity

ALAS-2020-1355

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.36.0-1.54.amzn1
  • Fixed in: 3.44.0-4.56.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss-util@3.36.0-1.54.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-util package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-11745: 99999: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well. 1774831: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-11729: 99999: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. 1728437: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2018-12404: 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41. 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack CVE-2018-0495: 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. 1591163: CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries

Remediation

Upgrade Amzn:2018.03 nss-util to version 3.44.0-4.56.amzn1 or higher.

References

high severity

ALAS-2020-1345

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.0.2k-16.150.amzn1
  • Fixed in: 1:1.0.2k-16.151.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* openssl@1:1.0.2k-16.150.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

Note: the description text attached to this entry lists OpenJDK CVEs, while the module, version and remediation fields of the entry refer to the openssl package. Treat the openssl version fields as authoritative for the upgrade, and confirm against the ALAS-2020-1345 advisory itself which CVEs it covers before citing any of the identifiers below for openssl.

Oracle's standard note accompanies each of the entries below except CVE-2020-2654: "This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs." For CVE-2020-2654 the note reads instead: "This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service."

  • CVE-2020-2659 (bug 1791284) OpenJDK: Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl (Networking, 8231795). Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241 and 8u231; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
  • CVE-2020-2654 (bug 1791217) OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037). Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
  • CVE-2020-2604 (bug 1790944) OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422). Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
  • CVE-2020-2601 (bug 1790570) OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS (Security, 8229951). Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
  • CVE-2020-2593 (bug 1790884) OpenJDK: Incorrect isBuiltinStreamHandler check causing URL normalization issues (Networking, 8228548). Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
  • CVE-2020-2590 (bug 1790556) OpenJDK: Improper checks of SASL message properties in GssKrb5Base (Security, 8226352). Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. CVSS 3.0 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
  • CVE-2020-2583 (bug 1790444) OpenJDK: Incorrect exception processing during deserialization in BeanContextSupport (Serialization, 8224909). Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Amzn:2018.03 openssl to version 1:1.0.2k-16.151.amzn1 or higher.

References

high severity

ALAS-2020-1456

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.0.2k-16.150.amzn1
  • Fixed in: 1:1.0.2k-16.152.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* openssl@1:1.0.2k-16.150.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2020-1971: 1903409: CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference A null pointer dereference flaw was found in openssl. A remote attacker, able to control the arguments of the GENERAL_NAME_cmp function, could cause the application, compiled with openssl to crash resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Amzn:2018.03 openssl to version 1:1.0.2k-16.152.amzn1 or higher.
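Every remediation line on this page is an "installed version is below the fixed version" check, and RPM version strings (epoch:version-release, mixed numeric and alphabetic segments such as 1.0.2k, the ~ and ^ markers) do not compare correctly as plain strings. The following is an added example, not Snyk or Amazon Linux tooling: a Python port of rpm's rpmvercmp ordering plus epoch/version/release comparison, run over an inventory copied from this page's "Introduced through" and "Fixed in" fields. The inventory and advisory table are constructed from the page for illustration.

```python
"""Check an RPM inventory against advisory 'Fixed in' versions using rpm's
version-comparison rules. Added example, not Snyk or Amazon Linux code."""
import re
import string
from typing import Dict, List, Tuple

_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")
# Characters that carry ordering; everything else (., -, _ ...) only separates segments.
_SIGNIFICANT = set(string.ascii_letters + string.digits + "~^")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under rpm's rpmvercmp ordering."""
    if a == b:
        return 0
    i, j, la, lb = 0, 0, len(a), len(b)
    while i < la or j < lb:
        while i < la and a[i] not in _SIGNIFICANT:
            i += 1
        while j < lb and b[j] not in _SIGNIFICANT:
            j += 1
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta or tb:  # '~' (pre-release) sorts before everything, even end of string
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        ca, cb = i < la and a[i] == "^", j < lb and b[j] == "^"
        if ca or cb:  # '^' sorts after the bare version but before any further segment
            if i >= la:
                return -1
            if j >= lb:
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        # Take one segment from each side; the segment type is decided by a's side.
        isnum = a[i] in string.digits
        pat = _DIGITS if isnum else _ALPHA
        sa = pat.match(a, i).group(0)
        mb = pat.match(b, j)
        sb = mb.group(0) if mb else ""
        i, j = i + len(sa), j + len(sb)
        if not sb:  # segment types differ: a numeric segment beats an alphabetic one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever side has segments left is larger


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'; a missing epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:  # epoch outranks everything else
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed: str, fixed_in: str) -> bool:
    return evrcmp(installed, fixed_in) >= 0


# Constructed from this page's "Introduced through" fields.
INVENTORY: Dict[str, str] = {
    "openssl": "1:1.0.2k-16.150.amzn1",
    "bash": "4.2.46-28.37.amzn1",
    "curl": "7.61.1-11.91.amzn1",
    "glibc": "2.17-260.175.amzn1",
    "libidn2": "0.16-1.2.amzn1",
    "libicu": "50.1.2-11.12.amzn1",
}

# (advisory, package, fixed-in), constructed from this page's "Fixed in" fields.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("ALAS-2020-1345", "openssl", "1:1.0.2k-16.151.amzn1"),
    ("ALAS-2020-1456", "openssl", "1:1.0.2k-16.152.amzn1"),
    ("ALAS-2020-1379", "bash", "4.2.46-34.43.amzn1"),
    ("ALAS-2019-1294", "curl", "7.61.1-12.93.amzn1"),
    ("ALAS-2021-1509", "curl", "7.61.1-12.98.amzn1"),
    ("ALAS-2019-1320", "glibc", "2.17-292.178.amzn1"),
    ("ALAS-2021-1511", "glibc", "2.17-322.181.amzn1"),
    ("ALAS-2019-1327", "libidn2", "2.3.0-1.4.amzn1"),
    ("ALAS-2020-1361", "libicu", "50.2-4.0.amzn1"),
]


def unmet(inventory: Dict[str, str], advisories) -> List[str]:
    """Advisory IDs whose package is installed at a version below the fix."""
    return [adv for adv, pkg, fixed in advisories
            if pkg in inventory and not is_fixed(inventory[pkg], fixed)]


if __name__ == "__main__":
    for adv in unmet(INVENTORY, ADVISORIES):
        print("still vulnerable:", adv)
```

To run this against a live container instead of the constructed table, build the inventory from `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` (rpm prints the literal `(none)` for an unset epoch, so map that to 0 before parsing). The same ordering is what `yum` applies when it decides whether an update is newer, so an image that passes this check for a given advisory would also show nothing pending for it in `yum updateinfo list`.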

References

medium severity

ALAS-2020-1379

  • Vulnerable module: bash
  • Introduced through: bash@4.2.46-28.37.amzn1
  • Fixed in: 4.2.46-34.43.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* bash@4.2.46-28.37.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream bash package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-9924: 1691774: CVE-2019-9924 bash: BASH_CMD is writable in restricted bash shells rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Remediation

Upgrade Amzn:2018.03 bash to version 4.2.46-34.43.amzn1 or higher.

References

medium severity

ALAS-2019-1294

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-11.91.amzn1
  • Fixed in: 7.61.1-12.93.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* curl@7.61.1-11.91.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2019-5482 (bug 1749652) curl: heap buffer overflow in function tftp_receive_packet(). Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
  • CVE-2019-5481 (bug 1749402) curl: double free due to subsequent call of realloc(). Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.

Remediation

Upgrade Amzn:2018.03 curl to version 7.61.1-12.93.amzn1 or higher.

References

medium severity

ALAS-2020-1411

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-11.91.amzn1
  • Fixed in: 7.61.1-12.94.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* curl@7.61.1-11.91.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2020-8177: No description is available for this CVE. 1847915: CVE-2020-8177 curl: command line arguments lead to local file overwrite

Remediation

Upgrade Amzn:2018.03 curl to version 7.61.1-12.94.amzn1 or higher.

References

medium severity
new

ALAS-2021-1509

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-11.91.amzn1
  • Fixed in: 7.61.1-12.98.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* curl@7.61.1-11.91.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2021-22898 (bug 1964887) curl: TELNET stack contents disclosure. A flaw in the option parser for sending NEW_ENV variables lets libcurl pass uninitialized data from a stack-based buffer to the server, potentially revealing sensitive internal information to the server over a clear-text network protocol. The highest threat from this vulnerability is to confidentiality.
  • CVE-2021-22876 (bug 1941964) curl: Leak of authentication credentials in URL via automatic Referer. libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could expose the credentials to the server to which requests were redirected.

Remediation

Upgrade Amzn:2018.03 curl to version 7.61.1-12.98.amzn1 or higher.

References

medium severity

ALAS-2020-1364

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-10.21.amzn1
  • Fixed in: 2.1.0-11.22.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* expat@2.1.0-10.21.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream expat package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2015-2716 expat: Integer overflow leading to buffer overflow in XML_GetBuffer(). Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283.

Remediation

Upgrade Amzn:2018.03 expat to version 2.1.0-11.22.amzn1 or higher.

References

medium severity

ALAS-2021-1459

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-10.21.amzn1
  • Fixed in: 2.1.0-12.24.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* expat@2.1.0-10.21.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream expat package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2019-15903 (bug 1752592) expat: heap-based buffer over-read via crafted XML input. In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
  • CVE-2018-20843 (bug 1723723) expat: large number of colons in input makes parser consume high amount of resources, leading to DoS. It was discovered that the "setElementTypePrefix()" function incorrectly extracted XML namespace prefixes. By tricking an application into processing a specially crafted XML file, an attacker could cause unusually high consumption of memory resources and possibly lead to a denial of service.

Remediation

Upgrade Amzn:2018.03 expat to version 2.1.0-12.24.amzn1 or higher.

References

medium severity

ALAS-2019-1326

  • Vulnerable module: file-libs
  • Introduced through: file-libs@5.34-3.37.amzn1
  • Fixed in: 5.37-8.48.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* file-libs@5.34-3.37.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream file-libs package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-18218 file: heap-based buffer overflow in cdf_read_property_info in cdf.c. cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).

Remediation

Upgrade Amzn:2018.03 file-libs to version 5.37-8.48.amzn1 or higher.

References

medium severity

ALAS-2019-1320

  • Vulnerable module: glibc
  • Introduced through: glibc@2.17-260.175.amzn1
  • Fixed in: 2.17-292.178.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* glibc@2.17-260.175.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters. In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.

Remediation

Upgrade Amzn:2018.03 glibc to version 2.17-292.178.amzn1 or higher.

References

medium severity
new

ALAS-2021-1511

  • Vulnerable module: glibc
  • Introduced through: glibc@2.17-260.175.amzn1
  • Fixed in: 2.17-322.181.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* glibc@2.17-260.175.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-29573 (bug 1905213) glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern. A stack buffer overflow flaw was found in glibc in the way the printf family of functions processed an 80-bit long double with a non-canonical bit pattern. This flaw allows an attacker who can control the arguments of these functions with the non-standard long double pattern to trigger an overflow and cause an application crash. The highest threat from this vulnerability is to system availability.
  • CVE-2020-10029 (bug 1810670) glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions. A flaw was found in glibc in versions prior to 2.32. Pseudo-zero values are not validated, causing a stack-based overflow and stack corruption. The highest threat from this vulnerability is to system availability.
  • CVE-2019-25013 (bug 1912960) glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.
  • CVE-2019-19126 (bug 1774681) glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries. The LD_PREFER_MAP_32BIT_EXEC environment variable is not ignored when running binaries with the setuid flag on x86_64 architectures. This allows an attacker to confine the process's mappings to the low 32-bit region of the address space (as if the program were 32-bit only), reducing the entropy available to address space layout randomization (ASLR). The highest threat is to confidentiality, although the complexity of the attack is high: the affected application must already have other vulnerabilities for this flaw to be usable.

Remediation

Upgrade Amzn:2018.03 glibc to version 2.17-322.181.amzn1 or higher.

References

medium severity

ALAS-2019-1320

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.17-260.175.amzn1
  • Fixed in: 2.17-292.178.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* glibc-common@2.17-260.175.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters. In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.

Remediation

Upgrade Amzn:2018.03 glibc-common to version 2.17-292.178.amzn1 or higher.
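The CVE-2016-10739 entries for glibc and glibc-common above describe the failure mode in the abstract: a resolver that accepts a dotted quad followed by whitespace and arbitrary bytes, and an application that treats "getaddrinfo accepted it" as "this string is just an IP address". The following is an added example, not glibc code, showing that pattern in miniature: a lenient parser modelled on the described pre-fix behaviour (an assumption about the exact accept rule, not a port of glibc), a strict one, and a constructed request builder that reuses the original string and so carries an injected header line when the lenient check is used.

```python
"""CVE-2016-10739 in miniature: lenient versus strict IPv4 literal parsing and
the header-injection consequence. Added example; the lenient rule, the request
builder and the payload are constructed for illustration, not taken from glibc."""
import ipaddress
import re
from typing import Callable, List, Optional

# Models the pre-fix behaviour the advisory describes: parse the leading dotted
# quad and ignore whitespace plus anything that follows it (assumed rule).
_LENIENT = re.compile(r"^([0-9]{1,3}(?:\.[0-9]{1,3}){3})(?:\s.*)?$", re.S)


def lenient_ipv4(s: str) -> Optional[str]:
    m = _LENIENT.match(s)
    if not m or any(int(octet) > 255 for octet in m.group(1).split(".")):
        return None
    return m.group(1)


def strict_ipv4(s: str) -> Optional[str]:
    """Accept only a string that is exactly one IPv4 literal, nothing trailing."""
    try:
        return str(ipaddress.IPv4Address(s))
    except ValueError:
        return None


def build_request(target: str, validate: Callable[[str], Optional[str]]) -> Optional[str]:
    """An application that checks 'target is an IP address' with `validate` and
    then embeds the *original* string, not the parsed address, in a request."""
    if validate(target) is None:
        return None
    return f"GET / HTTP/1.1\r\nHost: {target}\r\n\r\n"


def injected_headers(request: Optional[str]) -> List[str]:
    """Header lines present in the request that the application never wrote itself."""
    if request is None:
        return []
    lines = request.split("\r\n")
    return [line for line in lines[1:] if line and not line.startswith("Host:")]


# Constructed payload: a valid address, whitespace, then a smuggled header line.
PAYLOAD = "127.0.0.1 \r\nX-Forwarded-For: 10.0.0.1"

if __name__ == "__main__":
    print("lenient parse:", lenient_ipv4(PAYLOAD))          # 127.0.0.1
    print("strict parse: ", strict_ipv4(PAYLOAD))           # None
    print("smuggled:", injected_headers(build_request(PAYLOAD, lenient_ipv4)))
```

The point the example makes is that the fix in glibc only closes the gap for callers that relied on getaddrinfo as a validator; an application that builds a request from the original user-supplied string should still validate with a strict parser of its own (here `ipaddress.IPv4Address`) and use the parsed, canonical form, never the raw input.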

References

medium severity
new

ALAS-2021-1511

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.17-260.175.amzn1
  • Fixed in: 2.17-322.181.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* glibc-common@2.17-260.175.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-29573 (bug 1905213) glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern. A stack buffer overflow flaw was found in glibc in the way the printf family of functions processed an 80-bit long double with a non-canonical bit pattern. This flaw allows an attacker who can control the arguments of these functions with the non-standard long double pattern to trigger an overflow and cause an application crash. The highest threat from this vulnerability is to system availability.
  • CVE-2020-10029 (bug 1810670) glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions. A flaw was found in glibc in versions prior to 2.32. Pseudo-zero values are not validated, causing a stack-based overflow and stack corruption. The highest threat from this vulnerability is to system availability.
  • CVE-2019-25013 (bug 1912960) glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.
  • CVE-2019-19126 (bug 1774681) glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries. The LD_PREFER_MAP_32BIT_EXEC environment variable is not ignored when running binaries with the setuid flag on x86_64 architectures. This allows an attacker to confine the process's mappings to the low 32-bit region of the address space (as if the program were 32-bit only), reducing the entropy available to address space layout randomization (ASLR). The highest threat is to confidentiality, although the complexity of the attack is high: the affected application must already have other vulnerabilities for this flaw to be usable.

Remediation

Upgrade Amzn:2018.03 glibc-common to version 2.17-322.181.amzn1 or higher.

References

medium severity

ALAS-2020-1374

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.15.1-34.44.amzn1
  • Fixed in: 1.15.1-46.48.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* krb5-libs@1.15.1-34.44.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream krb5-libs package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2018-20217: 1665296: CVE-2018-20217 krb5: Reachable assertion in the KDC using S4U2Self requests A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.

Remediation

Upgrade Amzn:2018.03 krb5-libs to version 1.15.1-46.48.amzn1 or higher.

References

medium severity

ALAS-2021-1458

  • Vulnerable module: libcom_err
  • Introduced through: libcom_err@1.43.5-2.43.amzn1
  • Fixed in: 1.43.5-2.44.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libcom_err@1.43.5-2.43.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libcom_err package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2019-5188 (bug 1790048) e2fsprogs: Out-of-bounds write in e2fsck/rehash.c. A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
  • CVE-2019-5094 (bug 1768555) e2fsprogs: Crafted ext4 partition leads to out-of-bounds write. An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Remediation

Upgrade Amzn:2018.03 libcom_err to version 1.43.5-2.44.amzn1 or higher.

References

medium severity

ALAS-2019-1294

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-11.91.amzn1
  • Fixed in: 7.61.1-12.93.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libcurl@7.61.1-11.91.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2019-5482 (bug 1749652) curl: heap buffer overflow in function tftp_receive_packet(). Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
  • CVE-2019-5481 (bug 1749402) curl: double free due to subsequent call of realloc(). Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.

Remediation

Upgrade Amzn:2018.03 libcurl to version 7.61.1-12.93.amzn1 or higher.

References

medium severity

ALAS-2020-1411

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-11.91.amzn1
  • Fixed in: 7.61.1-12.94.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libcurl@7.61.1-11.91.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2020-8177: No description is available for this CVE. 1847915: CVE-2020-8177 curl: command line arguments lead to local file overwrite

Remediation

Upgrade Amzn:2018.03 libcurl to version 7.61.1-12.94.amzn1 or higher.

References

medium severity
new

ALAS-2021-1509

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-11.91.amzn1
  • Fixed in: 7.61.1-12.98.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libcurl@7.61.1-11.91.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2021-22898 (bug 1964887) curl: TELNET stack contents disclosure. A flaw in the option parser for sending NEW_ENV variables lets libcurl pass uninitialized data from a stack-based buffer to the server, potentially revealing sensitive internal information to the server over a clear-text network protocol. The highest threat from this vulnerability is to confidentiality.
  • CVE-2021-22876 (bug 1941964) curl: Leak of authentication credentials in URL via automatic Referer. libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could expose the credentials to the server to which requests were redirected.

Remediation

Upgrade Amzn:2018.03 libcurl to version 7.61.1-12.98.amzn1 or higher.
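The CVE-2021-22876 entries for curl and libcurl (ALAS-2021-1509) describe the leak in one sentence; what a practitioner usually wants to see is which hosts end up holding the credentials across a redirect chain. The following is an added example and a simulation, not libcurl code: a minimal client that follows a constructed redirect chain and sets an automatic Referer the way the pre-fix library did (userinfo kept) or the way the fixed one does (userinfo stripped). The hostnames, credentials and chain are constructed for illustration; the behaviour it models corresponds to libcurl's automatic-Referer option (CURLOPT_AUTOREFERER, `curl --referer ';auto'`) being enabled.

```python
"""Model of automatic Referer across redirects, before and after the
CVE-2021-22876 fix. Added example; the redirect chain and hostnames are
constructed, and the client is a simulation rather than libcurl."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed chain: the first request carries HTTP basic credentials in the URL,
# then bounces through a CDN to an unrelated third-party host.
REDIRECTS: Dict[str, str] = {
    "https://deploy:s3cret@internal.example/report.csv": "https://cdn.example/report.csv",
    "https://cdn.example/report.csv": "https://analytics.example/collect",
}


def referer_for(url: str, strip_userinfo: bool) -> str:
    """Referer value for a request that was redirected away from `url`.
    The fragment is never sent (RFC 7231 section 5.5.2); the user:password part
    is removed only when `strip_userinfo` is set, which is the fixed behaviour."""
    p = urlsplit(url)
    netloc = p.netloc.rsplit("@", 1)[-1] if strip_userinfo else p.netloc
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def follow(start: str, fixed: bool) -> List[Tuple[str, Optional[str]]]:
    """Return (request_url, Referer header) for every hop the client makes."""
    hops: List[Tuple[str, Optional[str]]] = []
    url, referer = start, None
    while True:
        hops.append((url, referer))
        nxt = REDIRECTS.get(url)
        if nxt is None:
            return hops
        referer, url = referer_for(url, fixed), nxt


def hosts_receiving_credentials(hops: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Hosts that were sent a Referer still containing user:password."""
    return [urlsplit(u).hostname for u, r in hops
            if r is not None and "@" in urlsplit(r).netloc]


if __name__ == "__main__":
    start = "https://deploy:s3cret@internal.example/report.csv"
    for mode in (False, True):
        hops = follow(start, fixed=mode)
        print("fixed" if mode else "vulnerable", hosts_receiving_credentials(hops))
```

Two things the simulation makes visible. First, the leak is to the *first* redirected-to host only; by the second hop the Referer is the CDN URL, which never carried credentials. Second, stripping userinfo is the complete fix for this flaw but not a general one: a Referer still discloses the origin path and query string, so a client that embeds secrets in query parameters should disable automatic Referer altogether rather than rely on this change.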

References

medium severity

ALAS-2020-1361

  • Vulnerable module: libicu
  • Introduced through: libicu@50.1.2-11.12.amzn1
  • Fixed in: 50.2-4.0.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libicu@50.1.2-11.12.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libicu package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2020-10531: 1807349: CVE-2020-10531 ICU: Integer overflow in UnicodeString::doAppend() An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

Remediation

Upgrade Amzn:2018.03 libicu to version 50.2-4.0.amzn1 or higher.

References

medium severity

ALAS-2019-1327

  • Vulnerable module: libidn2
  • Introduced through: libidn2@0.16-1.2.amzn1
  • Fixed in: 2.3.0-1.4.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libidn2@0.16-1.2.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libidn2 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2019-18224 (99999: libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c): idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.
  • CVE-2019-12290: 99999:

Remediation

Upgrade Amzn:2018.03 libidn2 to version 2.3.0-1.4.amzn1 or higher.

References

medium severity

ALAS-2020-1438

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.3.52.amzn1
  • Fixed in: 2.9.1-6.4.41.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libxml2@2.9.1-6.3.52.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-7595 (1799786: libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations): xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
  • CVE-2019-20388 (1799734: libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c): A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed, leading to a denial of service. System availability is the highest threat from this vulnerability.
  • CVE-2019-19956 (1788856: libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c): xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

Remediation

Upgrade Amzn:2018.03 libxml2 to version 2.9.1-6.4.41.amzn1 or higher.

References

medium severity

ALAS-2020-1438

  • Vulnerable module: libxml2-python27
  • Introduced through: libxml2-python27@2.9.1-6.3.52.amzn1
  • Fixed in: 2.9.1-6.4.41.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libxml2-python27@2.9.1-6.3.52.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2-python27 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-7595 (1799786: libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations): xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
  • CVE-2019-20388 (1799734: libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c): A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed, leading to a denial of service. System availability is the highest threat from this vulnerability.
  • CVE-2019-19956 (1788856: libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c): xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

Remediation

Upgrade Amzn:2018.03 libxml2-python27 to version 2.9.1-6.4.41.amzn1 or higher.

References

medium severity
new

ALAS-2021-1522

  • Vulnerable module: nspr
  • Introduced through: nspr@4.19.0-1.43.amzn1
  • Fixed in: 4.25.0-2.45.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nspr@4.19.0-1.43.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nspr package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187: nss: Side channel attack on ECDSA signature generation): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931: nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read): A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231: nss: Side channel vulnerabilities during RSA key generation): A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294: nss: ECDSA timing attack mitigation bypass): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983: nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function): A side-channel flaw was found in NSS, in the way the P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225: nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state): A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916: nss: Check length of inputs for cryptographic primitives): A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835: nss: Use-after-free in sftk_FreeSession due to improper refcounting): A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988: nss: PKCS#1 v1.5 signatures can be used for TLS 1.3): A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436: nss: Out-of-bounds read when importing curve25519 private key): When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade Amzn:2018.03 nspr to version 4.25.0-2.45.amzn1 or higher.

References

medium severity
new

ALAS-2021-1518

  • Vulnerable module: nss
  • Introduced through: nss@3.36.0-5.82.amzn1
  • Fixed in: 3.53.1-7.85.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss@3.36.0-5.82.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-25648 (1887319: nss: TLS 1.3 CCS flood remote DoS Attack): A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Amzn:2018.03 nss to version 3.53.1-7.85.amzn1 or higher.

References

medium severity
new

ALAS-2021-1522

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.36.0-5.42.amzn1
  • Fixed in: 3.53.1-6.46.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss-softokn@3.36.0-5.42.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187: nss: Side channel attack on ECDSA signature generation): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931: nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read): A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231: nss: Side channel vulnerabilities during RSA key generation): A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294: nss: ECDSA timing attack mitigation bypass): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983: nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function): A side-channel flaw was found in NSS, in the way the P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225: nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state): A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916: nss: Check length of inputs for cryptographic primitives): A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835: nss: Use-after-free in sftk_FreeSession due to improper refcounting): A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988: nss: PKCS#1 v1.5 signatures can be used for TLS 1.3): A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436: nss: Out-of-bounds read when importing curve25519 private key): When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade Amzn:2018.03 nss-softokn to version 3.53.1-6.46.amzn1 or higher.

References

medium severity
new

ALAS-2021-1522

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.36.0-5.42.amzn1
  • Fixed in: 3.53.1-6.46.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss-softokn-freebl@3.36.0-5.42.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn-freebl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187: nss: Side channel attack on ECDSA signature generation): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931: nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read): A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231: nss: Side channel vulnerabilities during RSA key generation): A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294: nss: ECDSA timing attack mitigation bypass): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983: nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function): A side-channel flaw was found in NSS, in the way the P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225: nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state): A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916: nss: Check length of inputs for cryptographic primitives): A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835: nss: Use-after-free in sftk_FreeSession due to improper refcounting): A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988: nss: PKCS#1 v1.5 signatures can be used for TLS 1.3): A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436: nss: Out-of-bounds read when importing curve25519 private key): When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade Amzn:2018.03 nss-softokn-freebl to version 3.53.1-6.46.amzn1 or higher.

References

medium severity
new

ALAS-2021-1518

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.36.0-5.82.amzn1
  • Fixed in: 3.53.1-7.85.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss-sysinit@3.36.0-5.82.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-25648 (1887319: nss: TLS 1.3 CCS flood remote DoS Attack): A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Amzn:2018.03 nss-sysinit to version 3.53.1-7.85.amzn1 or higher.

References

medium severity
new

ALAS-2021-1518

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.36.0-5.82.amzn1
  • Fixed in: 3.53.1-7.85.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss-tools@3.36.0-5.82.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-25648 (1887319: nss: TLS 1.3 CCS flood remote DoS Attack): A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Amzn:2018.03 nss-tools to version 3.53.1-7.85.amzn1 or higher.

References

medium severity
new

ALAS-2021-1522

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.36.0-1.54.amzn1
  • Fixed in: 3.53.1-1.58.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* nss-util@3.36.0-1.54.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-util package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187: nss: Side channel attack on ECDSA signature generation): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931: nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read): A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231: nss: Side channel vulnerabilities during RSA key generation): A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294: nss: ECDSA timing attack mitigation bypass): A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983: nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function): A side-channel flaw was found in NSS, in the way the P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225: nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state): A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916: nss: Check length of inputs for cryptographic primitives): A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835: nss: Use-after-free in sftk_FreeSession due to improper refcounting): A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988: nss: PKCS#1 v1.5 signatures can be used for TLS 1.3): A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436: nss: Out-of-bounds read when importing curve25519 private key): When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade Amzn:2018.03 nss-util to version 3.53.1-1.58.amzn1 or higher.

References

medium severity

ALAS-2021-1482

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.0.2k-16.150.amzn1
  • Fixed in: 1:1.0.2k-16.153.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* openssl@1:1.0.2k-16.150.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2021-23841 (1930310: openssl: NULL pointer dereference in X509_issuer_and_serial_hash()): The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash, leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself, so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
  • CVE-2021-23840 (1930324: openssl: integer overflow in CipherUpdate): Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Remediation

Upgrade Amzn:2018.03 openssl to version 1:1.0.2k-16.153.amzn1 or higher.

References

medium severity

ALAS-2019-1314

  • Vulnerable module: python27
  • Introduced through: python27@2.7.16-1.129.amzn1
  • Fixed in: 2.7.16-1.130.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2019-16056 (99999: python: email.utils.parseaddr wrongly parses email addresses): An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

Remediation

Upgrade Amzn:2018.03 python27 to version 2.7.16-1.130.amzn1 or higher.

References

medium severity

ALAS-2020-1342

  • Vulnerable module: python27
  • Introduced through: python27@2.7.16-1.129.amzn1
  • Fixed in: 2.7.16-1.131.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-16935: The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. 1763229: CVE-2019-16935 python: XSS vulnerability in the documentation XML-RPC server in server_title field

Remediation

Upgrade Amzn:2018.03 python27 to version 2.7.16-1.131.amzn1 or higher.

References

medium severity

ALAS-2020-1375

  • Vulnerable module: python27
  • Introduced through: python27@2.7.16-1.129.amzn1
  • Fixed in: 2.7.18-1.137.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

CVE-2019-18348: An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.) 1727276: CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()

CVE-2018-20852: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. 1740347: CVE-2018-20852 python: Cookie domain check returns incorrect results

Remediation

Upgrade Amzn:2018.03 python27 to version 2.7.18-1.137.amzn1 or higher.

References

medium severity

ALAS-2020-1407

  • Vulnerable module: python27
  • Introduced through: python27@2.7.16-1.129.amzn1
  • Fixed in: 2.7.18-1.138.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2020-8492: 1809065: CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS. Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Remediation

Upgrade Amzn:2018.03 python27 to version 2.7.18-1.138.amzn1 or higher.

References

medium severity

ALAS-2020-1427

  • Vulnerable module: python27
  • Introduced through: python27@2.7.16-1.129.amzn1
  • Fixed in: 2.7.18-2.139.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. 1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive

Remediation

Upgrade Amzn:2018.03 python27 to version 2.7.18-2.139.amzn1 or higher.

References

medium severity

ALAS-2020-1454

  • Vulnerable module: python27
  • Introduced through: python27@2.7.16-1.129.amzn1
  • Fixed in: 2.7.18-2.140.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2020-26116: http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. 1883014: CVE-2020-26116 python: CRLF injection via HTTP request method in httplib/http.client

Remediation

Upgrade Amzn:2018.03 python27 to version 2.7.18-2.140.amzn1 or higher.

References

medium severity

ALAS-2021-1484

  • Vulnerable module: python27
  • Introduced through: python27@2.7.16-1.129.amzn1
  • Fixed in: 2.7.18-2.141.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2021-3177: A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability. 1918168: CVE-2021-3177 python: stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c

Remediation

Upgrade Amzn:2018.03 python27 to version 2.7.18-2.141.amzn1 or higher.

References

medium severity

ALAS-2019-1314

  • Vulnerable module: python27-libs
  • Introduced through: python27-libs@2.7.16-1.129.amzn1
  • Fixed in: 2.7.16-1.130.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27-libs@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27-libs package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-16056: 99999: CVE-2019-16056 python: email.utils.parseaddr wrongly parses email addresses. An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
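The check a From/To policy needs against this flaw, as an added example that is not code from the advisory or from CPython (it serves both the python27 and python27-libs entries for ALAS-2019-1314). The affected parseaddr() returned a local part and domain for an input such as a@malicious.org@important.com, so a policy keyed on the parsed domain could be bypassed. The check below treats any header whose addr-spec is not unambiguous as a failure, so it is correct on fixed and unfixed interpreters alike; the local-part and domain grammars, the allowlist shape and the sample addresses are this example's own assumptions. It is written for Python 3 so it runs on a current interpreter.

```python
"""Added example for ALAS-2019-1314 / CVE-2019-16056 (not code from the
advisory or from CPython): a From/To policy check that stays correct even
on a Python whose email.utils.parseaddr() still accepts a second '@'.
"""
import re
from email.utils import parseaddr

# Deliberately stricter than RFC 5322: no quoted local parts, no IP literals.
# These grammars are this example's assumption, not something the advisory
# prescribes.
_LOCAL_RE = re.compile(r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+")
_DOMAIN_RE = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")


def extract_addr_spec(header_value):
    """Return the single addr-spec in a From/To header value, or None.

    None is returned when parseaddr() yields nothing, when the parsed address
    does not contain exactly one '@', when the raw header contains a second
    '@' that parseaddr() may have silently dropped (the CVE-2019-16056 case,
    which also rejects address lists and '@' inside display names), or when
    the local part or domain fails the strict grammars above.
    """
    _, addr = parseaddr(header_value)
    if not addr or addr.count("@") != 1 or header_value.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not _LOCAL_RE.fullmatch(local) or not _DOMAIN_RE.fullmatch(domain):
        return None
    return addr


def sender_domain(header_value):
    """Lower-cased domain of the unambiguous addr-spec, or None."""
    addr = extract_addr_spec(header_value)
    return addr.rsplit("@", 1)[1].lower() if addr else None


def is_allowed_sender(header_value, allowed_domains):
    """True only when the header carries one unambiguous address whose
    domain is on the allowlist; every ambiguous header is denied."""
    domain = sender_domain(header_value)
    return domain is not None and domain in {d.lower() for d in allowed_domains}
```

Denying on ambiguity rather than trying to guess which '@' the receiving MTA will honour is the point: the two sides of a multi-'@' address can be parsed differently by different software, and a policy check only holds if it refuses inputs it cannot interpret in exactly one way.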

Remediation

Upgrade Amzn:2018.03 python27-libs to version 2.7.16-1.130.amzn1 or higher.

References

medium severity

ALAS-2020-1342

  • Vulnerable module: python27-libs
  • Introduced through: python27-libs@2.7.16-1.129.amzn1
  • Fixed in: 2.7.16-1.131.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27-libs@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27-libs package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-16935: The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. 1763229: CVE-2019-16935 python: XSS vulnerability in the documentation XML-RPC server in server_title field

Remediation

Upgrade Amzn:2018.03 python27-libs to version 2.7.16-1.131.amzn1 or higher.

References

medium severity

ALAS-2020-1375

  • Vulnerable module: python27-libs
  • Introduced through: python27-libs@2.7.16-1.129.amzn1
  • Fixed in: 2.7.18-1.137.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27-libs@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27-libs package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

CVE-2019-18348: An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.) 1727276: CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()

CVE-2018-20852: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. 1740347: CVE-2018-20852 python: Cookie domain check returns incorrect results
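The CVE-2018-20852 domain check, vulnerable and fixed, as an added example that is not code from the advisory or from CPython (it serves the python27 and python27-libs entries for ALAS-2020-1375; the CVE-2019-18348 half of this advisory is covered with the CVE-2020-26116 example further down). domain_return_ok decided whether a jar should consider cookies for a domain by dot-prefixing the request host and asking whether it ends with the cookie domain; a host-only cookie stores its domain without a leading dot, so ".pythonicexample.com".endswith("example.com") was true. The two short functions are this example's reduction of that comparison before and after the fix (the real method also weighs the effective request host and policy flags); the sample jar, the fake response object and the cookie value are constructed for the example. stdlib_cookie_header() then drives the installed http.cookiejar (cookielib on the affected 2.7 build) to show what a fixed jar does.

```python
"""Added example for ALAS-2020-1375 / CVE-2018-20852 (not code from the
advisory or from CPython): the suffix check before and after the fix, and
the same scenario run through the installed http.cookiejar.
"""
import email
import http.cookiejar
import urllib.request


def _dotted(host):
    return host if host.startswith(".") else "." + host


def domain_return_ok_vulnerable(cookie_domain, req_host):
    """Pre-fix comparison: only the request host is dot-prefixed, so any host
    that merely ends in the cookie domain's characters matches."""
    return _dotted(req_host).endswith(cookie_domain)


def domain_return_ok_fixed(cookie_domain, req_host):
    """Post-fix comparison: the cookie domain is dot-prefixed as well, so the
    suffix can only match on a label boundary (".example.com")."""
    dotdomain = _dotted(cookie_domain) if cookie_domain else cookie_domain
    return _dotted(req_host).endswith(dotdomain)


def cookies_sent_to(jar, req_host, checker):
    """Names of the cookies a jar ({domain: [names]}) would attach to a
    request for req_host if `checker` were the domain gate."""
    sent = []
    for domain, names in jar.items():
        if checker(domain, req_host):
            sent.extend(names)
    return sorted(sent)


# Constructed jar: a host-only session cookie for example.com (stored without
# a leading dot) and a domain cookie explicitly scoped to .cdn.example.com.
SAMPLE_JAR = {"example.com": ["sessionid"], ".cdn.example.com": ["cdn_pref"]}


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie):
        self._msg = email.message_from_string("Set-Cookie: %s\r\n\r\n" % set_cookie)

    def info(self):
        return self._msg


def stdlib_cookie_header(target_url):
    """Store a host-only cookie from http://example.com/ in a real CookieJar,
    then return the Cookie header the jar attaches to a request for
    target_url (None when it sends nothing). No network is used."""
    jar = http.cookiejar.CookieJar()
    origin = urllib.request.Request("http://example.com/")
    jar.extract_cookies(_FakeResponse("sessionid=abc; Path=/"), origin)
    req = urllib.request.Request(target_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")
```

The fixed jar still sends the host-only cookie to www.example.com, because the Netscape cookie rules http.cookiejar implements are liberal about sub-domains; what the fix closes is the match across a label boundary, where pythonicexample.com is not a sub-domain of example.com at all.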

Remediation

Upgrade Amzn:2018.03 python27-libs to version 2.7.18-1.137.amzn1 or higher.

References

medium severity

ALAS-2020-1407

  • Vulnerable module: python27-libs
  • Introduced through: python27-libs@2.7.16-1.129.amzn1
  • Fixed in: 2.7.18-1.138.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27-libs@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27-libs package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2020-8492: 1809065: CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS. Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Remediation

Upgrade Amzn:2018.03 python27-libs to version 2.7.18-1.138.amzn1 or higher.

References

medium severity

ALAS-2020-1427

  • Vulnerable module: python27-libs
  • Introduced through: python27-libs@2.7.16-1.129.amzn1
  • Fixed in: 2.7.18-2.139.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27-libs@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27-libs package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. 1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
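Why a pax record with a declared length of 0 spins the reader forever, as an added example that is not code from the advisory or from CPython (it serves the python27 and python27-libs entries for ALAS-2020-1427). A pax extended header is a sequence of "<length> <keyword>=<value>\n" records where <length> counts the whole record, length field and newline included, and the reader advances the cursor by <length> after each record; the unfixed _proc_pax never checked that value. parse_pax_records() is this example's reimplementation of that walk with the check switchable (the step cap is an addition so the unfixed form terminates); crafted_archive() wraps a payload in a minimal tar so the installed tarfile can be asked what it does with it. The payloads and member names are constructed for the example.

```python
"""Added example for ALAS-2020-1427 / CVE-2019-20907 (not code from the
advisory or from CPython): a pax record walk with and without the length
check, plus the same payloads fed to the installed tarfile.
"""
import io
import re
import tarfile

_RECORD_RE = re.compile(rb"(\d+) ([^=]+)=")


def parse_pax_records(buf, validate=True, max_steps=10_000):
    """Return {keyword: value} for the records in buf.

    validate=False mirrors the unfixed loop; max_steps (not in the original
    code) converts its infinite spin into a RuntimeError so the call returns.
    validate=True rejects a zero-length record with ValueError, which is the
    check the upstream fix added.
    """
    pos, steps, records = 0, 0, {}
    while True:
        match = _RECORD_RE.match(buf, pos)
        if not match:
            break
        length, keyword = match.groups()
        length = int(length)
        if validate and length == 0:
            raise ValueError("invalid pax header: record declares length 0")
        # value runs from just after '=' to just before the record's '\n'
        value = buf[match.end():pos + length - 1]
        records[keyword.decode("utf-8")] = value.decode("utf-8")
        pos += length  # a 0 here is why the unfixed loop never ends
        steps += 1
        if steps > max_steps:
            raise RuntimeError("no progress after %d records" % max_steps)
    return records


def outcome(buf, validate):
    """'ok', 'rejected' (ValueError) or 'looped' (RuntimeError) for buf."""
    try:
        parse_pax_records(buf, validate=validate)
    except ValueError:
        return "rejected"
    except RuntimeError:
        return "looped"
    return "ok"


def crafted_archive(pax_payload):
    """Minimal ustar archive: a pax extended header carrying pax_payload,
    then an empty regular file for it to apply to, then end-of-archive."""
    xhdr = tarfile.TarInfo("pax-header")
    xhdr.type = tarfile.XHDTYPE
    xhdr.size = len(pax_payload)
    padded = pax_payload + b"\0" * (-len(pax_payload) % tarfile.BLOCKSIZE)
    member = tarfile.TarInfo("placeholder")  # REGTYPE, size 0
    return (xhdr.tobuf(tarfile.USTAR_FORMAT) + padded
            + member.tobuf(tarfile.USTAR_FORMAT)
            + b"\0" * (2 * tarfile.BLOCKSIZE))


def stdlib_names(archive_bytes):
    """Member names as the installed tarfile reports them, or 'rejected' when
    it raises ReadError (a fixed tarfile does so for a 0-length record)."""
    try:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tf:
            return tf.getnames()
    except tarfile.ReadError:
        return "rejected"


# Constructed payloads: a well-formed header that renames the member, and a
# malicious one whose first record declares length 0.
GOOD_PAX = b"18 path=hello.txt\n12 uid=1000\n"
BAD_PAX = b"0 path=evil\n18 path=hello.txt\n"
```

The same pattern applies to any length-prefixed record format: a parser that advances by a length the input supplies has to reject every length that does not move it forward, or a single crafted record is enough to pin one CPU core indefinitely.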

Remediation

Upgrade Amzn:2018.03 python27-libs to version 2.7.18-2.139.amzn1 or higher.

References

medium severity

ALAS-2020-1454

  • Vulnerable module: python27-libs
  • Introduced through: python27-libs@2.7.16-1.129.amzn1
  • Fixed in: 2.7.18-2.140.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27-libs@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27-libs package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2020-26116: http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. 1883014: CVE-2020-26116 python: CRLF injection via HTTP request method in httplib/http.client
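The CRLF injection shape shared by CVE-2019-18348 (control characters in the host, ALAS-2020-1375) and CVE-2020-26116 (control characters in the request method, ALAS-2020-1454), as one added example that is not code from the advisories or from CPython; written for Python 3, where httplib/urllib2 on the affected 2.7 build correspond to http.client/urllib.request. In both flaws a value the caller treats as a single token is written into the request bytes unchecked, so an embedded "\r\n" terminates the current line and whatever follows becomes a header the server believes the client sent. build_request_naive() shows that; build_request_safe() validates each field against its grammar first (the token set and host grammar are this example's choice); the two stdlib_* helpers ask the installed http.client whether it now refuses the same inputs, without opening a socket.

```python
"""Added example for CVE-2019-18348 and CVE-2020-26116 (not code from the
advisories or from CPython): a naive request builder beside a validating
one, and a probe of the installed http.client.
"""
import http.client
import re
import string

# RFC 7230 tchar set for methods and a deliberately narrow host grammar
# (DNS name or bracketed IPv6 literal, optional port); both are this
# example's choice, not something the advisories prescribe.
_TCHAR = set("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)
_HOST_RE = re.compile(
    r"[A-Za-z0-9.\-]+(?::[0-9]{1,5})?|\[[0-9A-Fa-f:.]+\](?::[0-9]{1,5})?")


def build_request_naive(method, host, path):
    """Vulnerable: interpolates caller-supplied strings without validation."""
    return ("%s %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (method, path, host)).encode("latin-1")


def validate_method(method):
    if not method or not set(method) <= _TCHAR:
        raise ValueError("method %r is not an RFC 7230 token" % method)
    return method


def validate_host(host):
    if not _HOST_RE.fullmatch(host):
        raise ValueError("host %r is outside the host grammar" % host)
    return host


def validate_path(path):
    if not path.startswith("/") or any(c in path for c in "\r\n\0 "):
        raise ValueError("path %r is not a request-target" % path)
    return path


def build_request_safe(method, host, path):
    """Hardened: every field is checked against its grammar before use."""
    return build_request_naive(validate_method(method), validate_host(host),
                               validate_path(path))


def header_lines(raw):
    """The request head split exactly as a server would split it; any line
    beyond the request-line and the Host header was injected."""
    return raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")


def safe_outcome(method, host, path):
    """'ok' if build_request_safe() accepts the triple, else 'rejected'."""
    try:
        build_request_safe(method, host, path)
    except ValueError:
        return "rejected"
    return "ok"


def stdlib_rejects_method(method):
    """True when the installed http.client refuses to put the method on the
    wire; putrequest() only buffers, so no socket is opened."""
    conn = http.client.HTTPConnection("127.0.0.1", 9)
    try:
        conn.putrequest(method, "/")
    except (ValueError, http.client.HTTPException):
        return True
    finally:
        conn.close()
    return False


def stdlib_rejects_host(host):
    """True when the installed http.client refuses the host at construction
    time (fixed versions raise InvalidURL on control characters)."""
    try:
        http.client.HTTPConnection(host, 80)
    except (ValueError, http.client.HTTPException):
        return True
    return False
```

The stdlib checks only tell you what the interpreter running them does; on the 2.7.16 build in this image, upgrading python27 to the advisory's fixed release is what makes httplib reject these inputs, and the validating builder is how application code stays safe where an older interpreter cannot be replaced.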

Remediation

Upgrade Amzn:2018.03 python27-libs to version 2.7.18-2.140.amzn1 or higher.

References

medium severity

ALAS-2021-1484

  • Vulnerable module: python27-libs
  • Introduced through: python27-libs@2.7.16-1.129.amzn1
  • Fixed in: 2.7.18-2.141.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* python27-libs@2.7.16-1.129.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream python27-libs package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2021-3177: A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability. 1918168: CVE-2021-3177 python: stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c

Remediation

Upgrade Amzn:2018.03 python27-libs to version 2.7.18-2.141.amzn1 or higher.

References

medium severity
new

ALAS-2021-1521

  • Vulnerable module: rpm
  • Introduced through: rpm@4.11.3-21.75.amzn1
  • Fixed in: 4.11.3-40.79.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* rpm@4.11.3-21.75.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream rpm package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

CVE-2021-3421: A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. 1927747: CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database

CVE-2021-20271: 1934125: CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package. A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

Remediation

Upgrade Amzn:2018.03 rpm to version 4.11.3-40.79.amzn1 or higher.

References

medium severity
new

ALAS-2021-1521

  • Vulnerable module: rpm-build-libs
  • Introduced through: rpm-build-libs@4.11.3-21.75.amzn1
  • Fixed in: 4.11.3-40.79.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* rpm-build-libs@4.11.3-21.75.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream rpm-build-libs package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

CVE-2021-3421: A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. 1927747: CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database

CVE-2021-20271: 1934125: CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package. A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

Remediation

Upgrade Amzn:2018.03 rpm-build-libs to version 4.11.3-40.79.amzn1 or higher.

References

medium severity
new

ALAS-2021-1521

  • Vulnerable module: rpm-libs
  • Introduced through: rpm-libs@4.11.3-21.75.amzn1
  • Fixed in: 4.11.3-40.79.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* rpm-libs@4.11.3-21.75.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream rpm-libs package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

CVE-2021-3421: A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. 1927747: CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database

CVE-2021-20271: 1934125: CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package. A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

Remediation

Upgrade Amzn:2018.03 rpm-libs to version 4.11.3-40.79.amzn1 or higher.

References

medium severity
new

ALAS-2021-1521

  • Vulnerable module: rpm-python27
  • Introduced through: rpm-python27@4.11.3-21.75.amzn1
  • Fixed in: 4.11.3-40.79.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* rpm-python27@4.11.3-21.75.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream rpm-python27 package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

CVE-2021-3421: A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. 1927747: CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database

CVE-2021-20271: 1934125: CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package. A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

Remediation

Upgrade Amzn:2018.03 rpm-python27 to version 4.11.3-40.79.amzn1 or higher.

References

low severity

ALAS-2020-1444

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-11.91.amzn1
  • Fixed in: 7.61.1-12.95.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* curl@7.61.1-11.91.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2020-8231: A flaw was found in libcurl from versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl's multi API, and sets the CURLOPT_CONNECT_ONLY option, might experience libcurl using the wrong connection. The highest threat from this vulnerability is to data confidentiality. 1868032: CVE-2020-8231 curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set

Remediation

Upgrade Amzn:2018.03 curl to version 7.61.1-12.95.amzn1 or higher.

References

low severity

ALAS-2020-1444

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-11.91.amzn1
  • Fixed in: 7.61.1-12.95.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* libcurl@7.61.1-11.91.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2020-8231: A flaw was found in libcurl from versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl's multi API, and sets the CURLOPT_CONNECT_ONLY option, might experience libcurl using the wrong connection. The highest threat from this vulnerability is to data confidentiality. 1868032: CVE-2020-8231 curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set

Remediation

Upgrade Amzn:2018.03 libcurl to version 7.61.1-12.95.amzn1 or higher.

References

low severity

ALAS-2020-1344

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.0.2k-16.150.amzn1
  • Fixed in: 1:1.0.2k-16.151.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20190826@* openssl@1:1.0.2k-16.150.amzn1

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Amzn:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2019-1563: In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). 1752100: CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey

Remediation

Upgrade Amzn:2018.03 openssl to version 1:1.0.2k-16.151.amzn1 or higher.

References