Vulnerabilities

 575 via 575 paths

Dependencies

 115

Source

 Group 6 Copy Created with Sketch. Docker

Target OS

 amzn:2
Test your Docker Hub image against our market leading vulnerability database Sign up for free
Severity
  • 2
  • 187
  • 289
  • 97
Status
  • 575
  • 0
  • 0

critical severity

Out-of-bounds Read

  • Vulnerable module: apr
  • Introduced through: apr@1.7.0-9.amzn2
  • Fixed in: 0:1.7.2-1.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto apr@1.7.0-9.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream apr package and not the apr package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

Remediation

Upgrade Amazon-Linux:2 apr to version 0:1.7.2-1.amzn2 or higher.
This issue was patched in ALAS2-2023-1936.

References

Out-of-bounds Read vulnerability report

critical severity

Integer Overflow or Wraparound

  • Vulnerable module: apr
  • Introduced through: apr@1.7.0-9.amzn2
  • Fixed in: 0:1.7.2-1.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto apr@1.7.0-9.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream apr package and not the apr package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.

Remediation

Upgrade Amazon-Linux:2 apr to version 0:1.7.2-1.amzn2 or higher.
This issue was patched in ALAS2-2023-1936.

References

Integer Overflow or Wraparound vulnerability report

high severity

Out-of-Bounds

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2049.

References

Out-of-Bounds vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.828-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.828-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1902.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.828-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.828-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1902.

References

Out-of-bounds Write vulnerability report

high severity

Insufficient Verification of Data Authenticity

  • Vulnerable module: ca-certificates
  • Introduced through: ca-certificates@2021.2.50-72.amzn2.0.3
  • Fixed in: 0:2021.2.50-72.amzn2.0.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ca-certificates@2021.2.50-72.amzn2.0.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ca-certificates package and not the ca-certificates package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Remediation

Upgrade Amazon-Linux:2 ca-certificates to version 0:2021.2.50-72.amzn2.0.8 or higher.
This issue was patched in ALAS2-2023-2224.

References

Insufficient Verification of Data Authenticity vulnerability report

high severity

Expired Pointer Dereference

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.19

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.19 or higher.
This issue was patched in ALAS2-2025-2938.

References

Expired Pointer Dereference vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.19

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.19 or higher.
This issue was patched in ALAS2-2025-2938.

References

Out-of-bounds Read vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Amazon-Linux:2 glibc to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-common@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Amazon-Linux:2 glibc-common to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-langpack-en@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Amazon-Linux:2 glibc-langpack-en to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-minimal-langpack@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Amazon-Linux:2 glibc-minimal-langpack to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.

References

Out-of-bounds Write vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.15.1-37.amzn2.2.4
  • Fixed in: 0:1.15.1-55.amzn2.2.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto krb5-libs@1.15.1-37.amzn2.2.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

Remediation

Upgrade Amazon-Linux:2 krb5-libs to version 0:1.15.1-55.amzn2.2.5 or higher.
This issue was patched in ALAS2-2023-1915.

References

Integer Overflow or Wraparound vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcrypt@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcrypt package and not the libcrypt package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Amazon-Linux:2 libcrypt to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-Bounds

  • Vulnerable module: nss
  • Introduced through: nss@3.67.0-4.amzn2.0.2
  • Fixed in: 0:3.79.0-4.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto nss@3.67.0-4.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss package and not the nss package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

Remediation

Upgrade Amazon-Linux:2 nss to version 0:3.79.0-4.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1992.

References

Out-of-Bounds vulnerability report

high severity

Out-of-Bounds

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.67.0-4.amzn2.0.2
  • Fixed in: 0:3.79.0-4.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto nss-sysinit@3.67.0-4.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-sysinit package and not the nss-sysinit package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

Remediation

Upgrade Amazon-Linux:2 nss-sysinit to version 0:3.79.0-4.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1992.

References

Out-of-Bounds vulnerability report

high severity

Out-of-Bounds

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.67.0-4.amzn2.0.2
  • Fixed in: 0:3.79.0-4.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto nss-tools@3.67.0-4.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-tools package and not the nss-tools package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

Remediation

Upgrade Amazon-Linux:2 nss-tools to version 0:3.79.0-4.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1992.

References

Out-of-Bounds vulnerability report

high severity

Information Exposure

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.16+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. While the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.16+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2025-2936.

References

Information Exposure vulnerability report

high severity

Out-of-Bounds

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.

When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes.

If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there.

The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.4 or higher.
This issue was patched in ALAS2-2023-2287.

References

Out-of-Bounds vulnerability report

high severity

Use After Free

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-14.amzn2.0.1
  • Fixed in: 0:2.1.0-15.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto expat@2.1.0-14.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

Remediation

Upgrade Amazon-Linux:2 expat to version 0:2.1.0-15.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1877.

References

Use After Free vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: freetype
  • Introduced through: freetype@2.8-14.amzn2.1
  • Fixed in: 0:2.8-14.amzn2.1.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto freetype@2.8-14.amzn2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Remediation

Upgrade Amazon-Linux:2 freetype to version 0:2.8-14.amzn2.1.4 or higher.
This issue was patched in ALAS2-2025-2806.

References

Out-of-bounds Write vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.16+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.16+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2025-2936.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.16+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.16+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2025-2936.

References

Heap-based Buffer Overflow vulnerability report

high severity

Out-of-Bounds

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.

When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes.

If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there.

The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.4 or higher.
This issue was patched in ALAS2-2023-2287.

References

Out-of-Bounds vulnerability report

high severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.16

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.16 or higher.
This issue was patched in ALAS2-2025-2794.

References

Use After Free vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

GNOME GLib before 2.65.3 has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is "Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries()." The researcher states that this pattern is undocumented

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.8 or higher.
This issue was patched in ALAS2-2024-2519.

References

Integer Overflow or Wraparound vulnerability report

high severity
new

Duplicate Operations on Resource

  • Vulnerable module: gnupg2
  • Introduced through: gnupg2@2.0.22-5.amzn2.0.5
  • Fixed in: 0:2.0.22-5.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto gnupg2@2.0.22-5.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

Remediation

Upgrade Amazon-Linux:2 gnupg2 to version 0:2.0.22-5.amzn2.0.6 or higher.
This issue was patched in ALAS2-2026-3125.

References

Duplicate Operations on Resource vulnerability report

high severity

Stack-based Buffer Overflow

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.16

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.16 or higher.
This issue was patched in ALAS2-2025-2794.

References

Stack-based Buffer Overflow vulnerability report

high severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.20

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.20 or higher.
This issue was patched in ALAS2-2025-2977.

References

Use After Free vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.5 or higher.
This issue was patched in ALAS2-2023-2096.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.5 or higher.
This issue was patched in ALAS2-2023-2096.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.5 or higher.
This issue was patched in ALAS2-2023-2096.

References

Out-of-bounds Write vulnerability report

high severity

XML External Entity (XXE) Injection

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2023-2330.

References

XML External Entity (XXE) Injection vulnerability report

high severity

XML External Entity (XXE) Injection

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2023-2330.

References

XML External Entity (XXE) Injection vulnerability report

high severity

Divide By Zero

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Divide By Zero in GitHub repository vim/vim prior to 9.0.1247.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Divide By Zero vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0102.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0101.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1331.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Heap-based Buffer Overflow vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Integer Overflow or Wraparound vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Out-of-bounds Read vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Out-of-bounds Read vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Out-of-bounds Write vulnerability report

high severity

Stack-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Stack-based Buffer Overflow vulnerability report

high severity

Stack-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Stack-based Buffer Overflow vulnerability report

high severity

Unchecked Return Value

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Unchecked Return Value vulnerability report

high severity

Unchecked Return Value

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Unchecked Return Value vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0389.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0579.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0530.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0614.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0490.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.828-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0789.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.828-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1902.

References

Use After Free vulnerability report

high severity

Divide By Zero

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Divide By Zero in GitHub repository vim/vim prior to 9.0.1247.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Divide By Zero vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0102.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0101.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1331.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Heap-based Buffer Overflow vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Integer Overflow or Wraparound vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Out-of-bounds Read vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Out-of-bounds Read vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Out-of-bounds Write vulnerability report

high severity

Stack-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Stack-based Buffer Overflow vulnerability report

high severity

Stack-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Stack-based Buffer Overflow vulnerability report

high severity

Unchecked Return Value

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Unchecked Return Value vulnerability report

high severity

Unchecked Return Value

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Unchecked Return Value vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0490.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0530.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0579.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0614.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0389.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.828-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0789.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.828-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1902.

References

Use After Free vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.12

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.12 or higher.
This issue was patched in ALAS2-2025-3094.

References

Integer Overflow or Wraparound vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.5.13-8.amzn2
  • Fixed in: 2:1.5.13-8.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libpng@2:1.5.13-8.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.

Remediation

Upgrade Amazon-Linux:2 libpng to version 2:1.5.13-8.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1904.

References

Out-of-bounds Read vulnerability report

high severity

Insufficient Verification of Data Authenticity

  • Vulnerable module: ca-certificates
  • Introduced through: ca-certificates@2021.2.50-72.amzn2.0.3
  • Fixed in: 0:2021.2.50-72.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ca-certificates@2021.2.50-72.amzn2.0.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ca-certificates package and not the ca-certificates package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Remediation

Upgrade Amazon-Linux:2 ca-certificates to version 0:2021.2.50-72.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-1957.

References

Insufficient Verification of Data Authenticity vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2271.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-14.amzn2.0.1
  • Fixed in: 0:2.1.0-15.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto expat@2.1.0-14.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Remediation

Upgrade Amazon-Linux:2 expat to version 0:2.1.0-15.amzn2.0.4 or higher.
This issue was patched in ALAS2-2024-2710.

References

Integer Overflow or Wraparound vulnerability report

high severity

Use After Free

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-14.amzn2.0.1
  • Fixed in: 0:2.1.0-15.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto expat@2.1.0-14.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

Remediation

Upgrade Amazon-Linux:2 expat to version 0:2.1.0-15.amzn2.0.2 or higher.
This issue was patched in ALAS2-2022-1885.

References

Use After Free vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2049.

References

Out-of-bounds Read vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.10+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and 22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.10+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2415.

References

Improper Input Validation vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2271.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Resource Exhaustion

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.41.0-1.amzn2
  • Fixed in: 0:1.41.0-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libnghttp2@1.41.0-1.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libnghttp2 package and not the libnghttp2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the GOAWAY frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to GOAWAY frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.

Remediation

Upgrade Amazon-Linux:2 libnghttp2 to version 0:1.41.0-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2180.

References

Resource Exhaustion vulnerability report

high severity

Resource Exhaustion

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.41.0-1.amzn2
  • Fixed in: 0:1.41.0-1.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libnghttp2@1.41.0-1.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libnghttp2 package and not the libnghttp2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Remediation

Upgrade Amazon-Linux:2 libnghttp2 to version 0:1.41.0-1.amzn2.0.4 or higher.
This issue was patched in ALAS2-2023-2312.

References

Resource Exhaustion vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-12.amzn2.2.3
  • Fixed in: 0:1.4.3-12.amzn2.2.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libssh2@1.4.3-12.amzn2.2.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out of bounds memory.

Remediation

Upgrade Amazon-Linux:2 libssh2 to version 0:1.4.3-12.amzn2.2.6 or higher.
This issue was patched in ALAS2-2023-2257.

References

Out-of-bounds Read vulnerability report

high severity

Stack-based Buffer Overflow

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.18

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.18 or higher.
This issue was patched in ALAS2-2025-2893.

References

Stack-based Buffer Overflow vulnerability report

high severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was discovered in ldap_X509dn2bv in OpenLDAP before 2.4.57 leading to a slapd crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2033.

References

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability report

high severity

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was discovered in OpenLDAP before 2.4.57 leading to a memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2033.

References

Improper Handling of Length Parameter Inconsistency vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An integer underflow was discovered in OpenLDAP before 2.4.57 leading to slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2033.

References

Integer Overflow or Wraparound vulnerability report

high severity

Integer Underflow

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An integer underflow was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Certificate List Exact Assertion processing, resulting in denial of service.

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2033.

References

Integer Underflow vulnerability report

high severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was discovered in OpenLDAP before 2.4.57 leading to an infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2033.

References

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2033.

References

Out-of-bounds Read vulnerability report

high severity

Reachable Assertion

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was discovered in OpenLDAP before 2.4.57 leading in an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2033.

References

Reachable Assertion vulnerability report

high severity

Reachable Assertion

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2033.

References

Reachable Assertion vulnerability report

high severity

Release of Invalid Pointer or Reference

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was discovered in OpenLDAP before 2.4.57 leading to an invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2033.

References

Release of Invalid Pointer or Reference vulnerability report

high severity

Resource Exhaustion

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2033.

References

Resource Exhaustion vulnerability report

high severity

Use After Free

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.6 or higher.
This issue was patched in ALAS2-2023-1935.

References

Use After Free vulnerability report

high severity

Double Free

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.11 or higher.
This issue was patched in ALAS2-2023-1934.

References

Double Free vulnerability report

high severity

Use After Free

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.11 or higher.
This issue was patched in ALAS2-2023-1934.

References

Use After Free vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.6 or higher.
This issue was patched in ALAS2-2023-1980.

References

Improper Input Validation vulnerability report

high severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.14

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.

This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.14 or higher.
This issue was patched in ALAS2-2025-2961.

References

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability report

high severity

Resource Exhaustion

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.6 or higher.
This issue was patched in ALAS2-2023-1980.

References

Resource Exhaustion vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.6 or higher.
This issue was patched in ALAS2-2023-1980.

References

Improper Input Validation vulnerability report

high severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.14

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.

This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.14 or higher.
This issue was patched in ALAS2-2025-2961.

References

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability report

high severity

Resource Exhaustion

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.6 or higher.
This issue was patched in ALAS2-2023-1980.

References

Resource Exhaustion vulnerability report

high severity

Covert Timing Channel

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.10+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.10+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2415.

References

Covert Timing Channel vulnerability report

high severity

CVE-2024-21147

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.12+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.12+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2600.

References

CVE-2024-21147 vulnerability report

high severity

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.7+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.7+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2025.

References

Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability report

high severity

Information Exposure

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.15+6-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK:17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition:20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.15+6-1.amzn2.1 or higher.
This issue was patched in ALAS2-2025-2838.

References

Information Exposure vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.10+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.10+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2415.

References

Integer Overflow or Wraparound vulnerability report

high severity

Improper Access Control

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2033.

References

Improper Access Control vulnerability report

high severity

Incorrect Type Conversion or Cast

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.6 or higher.
This issue was patched in ALAS2-2023-1935.

References

Incorrect Type Conversion or Cast vulnerability report

high severity

Incorrect Type Conversion or Cast

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.11 or higher.
This issue was patched in ALAS2-2023-1934.

References

Incorrect Type Conversion or Cast vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: nss
  • Introduced through: nss@3.67.0-4.amzn2.0.2
  • Fixed in: 0:3.90.0-2.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto nss@3.67.0-4.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss package and not the nss package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

Remediation

Upgrade Amazon-Linux:2 nss to version 0:3.90.0-2.amzn2.0.2 or higher.
This issue was patched in ALAS2-2024-2442.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.67.0-4.amzn2.0.2
  • Fixed in: 0:3.90.0-2.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto nss-sysinit@3.67.0-4.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-sysinit package and not the nss-sysinit package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

Remediation

Upgrade Amazon-Linux:2 nss-sysinit to version 0:3.90.0-2.amzn2.0.2 or higher.
This issue was patched in ALAS2-2024-2442.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.67.0-4.amzn2.0.2
  • Fixed in: 0:3.90.0-2.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto nss-tools@3.67.0-4.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-tools package and not the nss-tools package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

Remediation

Upgrade Amazon-Linux:2 nss-tools to version 0:3.90.0-2.amzn2.0.2 or higher.
This issue was patched in ALAS2-2024-2442.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Out-of-bounds Write vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

Heap-based Buffer Overflow vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Out-of-bounds Write vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.828-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.828-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1902.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.1840.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.1858.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.1857.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.828-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.828-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1902.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.1857.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.1858.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.1840.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

Use After Free vulnerability report

high severity

Deserialization of Untrusted Data

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.9 or higher.
This issue was patched in ALAS2-2025-2767.

References

Deserialization of Untrusted Data vulnerability report

high severity

Resource Exhaustion

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.9 or higher.
This issue was patched in ALAS2-2025-2767.

References

Resource Exhaustion vulnerability report

high severity

Deserialization of Untrusted Data

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.9 or higher.
This issue was patched in ALAS2-2025-2767.

References

Deserialization of Untrusted Data vulnerability report

high severity

Resource Exhaustion

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.9 or higher.
This issue was patched in ALAS2-2025-2767.

References

Resource Exhaustion vulnerability report

high severity

Improper Access Control

  • Vulnerable module: libcap
  • Introduced through: libcap@2.54-1.amzn2.0.1
  • Fixed in: 0:2.54-1.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcap@2.54-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap package and not the libcap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.

Remediation

Upgrade Amazon-Linux:2 libcap to version 0:2.54-1.amzn2.0.3 or higher.
This issue was patched in ALAS2-2025-2796.

References

Improper Access Control vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

NULL Pointer Dereference vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

NULL Pointer Dereference vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.10+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.10+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2415.

References

Improper Input Validation vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.10+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.10+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2415.

References

Improper Input Validation vulnerability report

high severity

Improperly Implemented Security Check for Standard

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.7+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.7+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2025.

References

Improperly Implemented Security Check for Standard vulnerability report

high severity

Information Exposure

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.7+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.7+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2025.

References

Information Exposure vulnerability report

high severity

Off-by-one Error

  • Vulnerable module: libtasn1
  • Introduced through: libtasn1@4.10-1.amzn2.0.2
  • Fixed in: 0:4.10-1.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libtasn1@4.10-1.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1 package and not the libtasn1 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.

Remediation

Upgrade Amazon-Linux:2 libtasn1 to version 0:4.10-1.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-1908.

References

Off-by-one Error vulnerability report

high severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.13

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.13 or higher.
This issue was patched in ALAS2-2023-2321.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.15

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.15 or higher.
This issue was patched in ALAS2-2025-2783.

References

Use After Free vulnerability report

high severity

Information Exposure

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.6 or higher.
This issue was patched in ALAS2-2023-1935.

References

Information Exposure vulnerability report

high severity

Information Exposure

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.11 or higher.
This issue was patched in ALAS2-2023-1934.

References

Information Exposure vulnerability report

high severity

Improper Validation of Array Index

  • Vulnerable module: sqlite
  • Introduced through: sqlite@3.7.17-8.amzn2.1.1
  • Fixed in: 0:3.7.17-8.amzn2.1.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto sqlite@3.7.17-8.amzn2.1.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite package and not the sqlite package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

Remediation

Upgrade Amazon-Linux:2 sqlite to version 0:3.7.17-8.amzn2.1.2 or higher.
This issue was patched in ALAS2-2023-1911.

References

Improper Validation of Array Index vulnerability report

high severity
new

Heap-based Buffer Overflow

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.13

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.13 or higher.
This issue was patched in ALAS2-2025-3117.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.15+6-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.15+6-1.amzn2.1 or higher.
This issue was patched in ALAS2-2025-2838.

References

Heap-based Buffer Overflow vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: freetype
  • Introduced through: freetype@2.8-14.amzn2.1
  • Fixed in: 0:2.8-14.amzn2.1.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto freetype@2.8-14.amzn2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

FreeType 2.8.1 has a signed integer overflow in cf2_doFlex in cff/cf2intrp.c.

Remediation

Upgrade Amazon-Linux:2 freetype to version 0:2.8-14.amzn2.1.4 or higher.
This issue was patched in ALAS2-2025-2806.

References

Integer Overflow or Wraparound vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1592-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1592-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2085.

References

Integer Overflow or Wraparound vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0224.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

NULL Pointer Dereference vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

NULL Pointer Dereference vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1592-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1592-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2085.

References

NULL Pointer Dereference vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

vim 8.2.2348 is affected by null pointer dereference, allows local attackers to cause a denial of service (DoS) via the ex_buffer_all method.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

NULL Pointer Dereference vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1592-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1592-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2085.

References

Integer Overflow or Wraparound vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0224.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

NULL Pointer Dereference vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1314-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1314-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1975.

References

NULL Pointer Dereference vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1592-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1592-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2085.

References

NULL Pointer Dereference vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

vim 8.2.2348 is affected by null pointer dereference, allows local attackers to cause a denial of service (DoS) via the ex_buffer_all method.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2266.

References

NULL Pointer Dereference vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in GLib. The GVariant deserialization code is vulnerable to a heap buffer overflow introduced by the fix for CVE-2023-32665. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-32665.

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.9 or higher.
This issue was patched in ALAS2-2025-2767.

References

Heap-based Buffer Overflow vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.7+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.7+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2025.

References

Improper Input Validation vulnerability report

high severity

Detection of Error Condition Without Action

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.41.0-1.amzn2
  • Fixed in: 0:1.41.0-1.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libnghttp2@1.41.0-1.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libnghttp2 package and not the libnghttp2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 libnghttp2 to version 0:1.41.0-1.amzn2.0.5 or higher.
This issue was patched in ALAS2-2024-2523.

References

Detection of Error Condition Without Action vulnerability report

high severity

Buffer Overflow

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.15+6-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data as well as unauthorized read access to a subset of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.15+6-1.amzn2.1 or higher.
This issue was patched in ALAS2-2025-2838.

References

Buffer Overflow vulnerability report

high severity

CVE-2024-21140

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.12+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.12+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2600.

References

CVE-2024-21140 vulnerability report

high severity

Missing Required Cryptographic Step

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.16+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.16+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2025-2936.

References

Missing Required Cryptographic Step vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.12+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.12+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2600.

References

Out-of-bounds Read vulnerability report

high severity

Information Exposure Through Log Files

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.10+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.10+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2415.

References

Information Exposure Through Log Files vulnerability report

high severity

CVE-2017-10140

  • Vulnerable module: libdb
  • Introduced through: libdb@5.3.21-24.amzn2.0.3
  • Fixed in: 0:5.3.21-24.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libdb@5.3.21-24.amzn2.0.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream libdb package and not the libdb package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.

Remediation

Upgrade Amazon-Linux:2 libdb to version 0:5.3.21-24.amzn2.0.4 or higher.
This issue was patched in ALAS2-2023-1965.

References

CVE-2017-10140 vulnerability report

high severity

CVE-2017-10140

  • Vulnerable module: libdb-utils
  • Introduced through: libdb-utils@5.3.21-24.amzn2.0.3
  • Fixed in: 0:5.3.21-24.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libdb-utils@5.3.21-24.amzn2.0.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream libdb-utils package and not the libdb-utils package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.

Remediation

Upgrade Amazon-Linux:2 libdb-utils to version 0:5.3.21-24.amzn2.0.4 or higher.
This issue was patched in ALAS2-2023-1965.

References

CVE-2017-10140 vulnerability report

high severity

Link Following

  • Vulnerable module: cpio
  • Introduced through: cpio@2.11-28.amzn2
  • Fixed in: 0:2.12-11.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto cpio@2.11-28.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream cpio package and not the cpio package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.

Remediation

Upgrade Amazon-Linux:2 cpio to version 0:2.12-11.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2489.

References

Link Following vulnerability report

high severity

External Control of File Name or Path

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met.

libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers.

libcurl provides a function call that duplicates en easy handle called curl_easy_duphandle.

If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.4 or higher.
This issue was patched in ALAS2-2023-2287.

References

External Control of File Name or Path vulnerability report

high severity

CVE-2024-21131

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.12+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.12+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2600.

References

CVE-2024-21131 vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.7+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.7+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2025.

References

Improper Input Validation vulnerability report

high severity

Improper Neutralization of Null Byte or NUL Character

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.7+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.7+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2025.

References

Improper Neutralization of Null Byte or NUL Character vulnerability report

high severity

Improper Neutralization of Null Byte or NUL Character

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.7+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.7+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2025.

References

Improper Neutralization of Null Byte or NUL Character vulnerability report

high severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.12+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.12+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2600.

References

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability report

high severity

External Control of File Name or Path

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met.

libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers.

libcurl provides a function call that duplicates en easy handle called curl_easy_duphandle.

If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.4 or higher.
This issue was patched in ALAS2-2023-2287.

References

External Control of File Name or Path vulnerability report

high severity

CVE-2024-20923

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.10+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.10+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2415.

References

CVE-2024-20923 vulnerability report

high severity

CVE-2024-20925

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.10+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.10+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2415.

References

CVE-2024-20925 vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.16

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.16 or higher.
This issue was patched in ALAS2-2025-2794.

References

NULL Pointer Dereference vulnerability report

high severity

CVE-2024-20922

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.10+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.10+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2415.

References

CVE-2024-20922 vulnerability report

high severity

CVE-2023-32803

  • Vulnerable module: ca-certificates
  • Introduced through: ca-certificates@2021.2.50-72.amzn2.0.3
  • Fixed in: 0:2021.2.50-72.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ca-certificates@2021.2.50-72.amzn2.0.3

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Amazon-Linux:2 ca-certificates to version 0:2021.2.50-72.amzn2.0.7 or higher.
This issue was patched in ALAS2-2023-2203.

References

CVE-2023-32803 vulnerability report

high severity

ALAS2-2023-2316

  • Vulnerable module: yum
  • Introduced through: yum@3.4.3-158.amzn2.0.6
  • Fixed in: 0:3.4.3-158.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto yum@3.4.3-158.amzn2.0.6

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Amazon-Linux:2 yum to version 0:3.4.3-158.amzn2.0.7 or higher.
This issue was patched in ALAS2-2023-2316.

ALAS2-2023-2316 vulnerability report

medium severity

Improper Preservation of Permissions

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.79.1-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1875.

References

Improper Preservation of Permissions vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.6 or higher.
This issue was patched in ALAS2-2023-2107.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Use of Uninitialized Resource

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

PCRE before 8.38 mishandles the [: and \ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.6 or higher.
This issue was patched in ALAS2-2023-2107.

References

Use of Uninitialized Resource vulnerability report

medium severity

Improper Preservation of Permissions

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.79.1-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1875.

References

Improper Preservation of Permissions vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: pcre
  • Introduced through: pcre@8.32-17.amzn2.0.2
  • Fixed in: 0:8.32-17.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto pcre@8.32-17.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre package and not the pcre package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Remediation

Upgrade Amazon-Linux:2 pcre to version 0:8.32-17.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2082.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Use of Uninitialized Resource

  • Vulnerable module: pcre
  • Introduced through: pcre@8.32-17.amzn2.0.2
  • Fixed in: 0:8.32-17.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto pcre@8.32-17.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre package and not the pcre package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

PCRE before 8.38 mishandles the [: and \ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Remediation

Upgrade Amazon-Linux:2 pcre to version 0:8.32-17.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2082.

References

Use of Uninitialized Resource vulnerability report

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.12

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.12 or higher.
This issue was patched in ALAS2-2025-2816.

References

Authentication Bypass by Primary Weakness vulnerability report

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.12

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.12 or higher.
This issue was patched in ALAS2-2025-2816.

References

Authentication Bypass by Primary Weakness vulnerability report

medium severity

Stack-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2153-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2452.

References

Stack-based Buffer Overflow vulnerability report

medium severity

Stack-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2153-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2452.

References

Stack-based Buffer Overflow vulnerability report

medium severity

Double Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.7 or higher.
This issue was patched in ALAS2-2023-1996.

References

Double Free vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1006-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap based buffer overflow in vim/vim 9.0.0946 and below by allowing an attacker to CTRL-W gf in the expression used in the RHS of the substitute command.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1006-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1912.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1160-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0882.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1160-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1927.

References

Use After Free vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1006-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap based buffer overflow in vim/vim 9.0.0946 and below by allowing an attacker to CTRL-W gf in the expression used in the RHS of the substitute command.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1006-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1912.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1160-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0882.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1160-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1927.

References

Use After Free vulnerability report

medium severity

Numeric Truncation Error

  • Vulnerable module: sqlite
  • Introduced through: sqlite@3.7.17-8.amzn2.1.1
  • Fixed in: 0:3.7.17-8.amzn2.1.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto sqlite@3.7.17-8.amzn2.1.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite package and not the sqlite package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.

Remediation

Upgrade Amazon-Linux:2 sqlite to version 0:3.7.17-8.amzn2.1.3 or higher.
This issue was patched in ALAS2-2025-2973.

References

Numeric Truncation Error vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: freetype
  • Introduced through: freetype@2.8-14.amzn2.1
  • Fixed in: 0:2.8-14.amzn2.1.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto freetype@2.8-14.amzn2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.

Remediation

Upgrade Amazon-Linux:2 freetype to version 0:2.8-14.amzn2.1.1 or higher.
This issue was patched in ALAS2-2023-1909.

References

Out-of-bounds Write vulnerability report

medium severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-7.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.79.1-7.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1882.

References

Cleartext Transmission of Sensitive Information vulnerability report

medium severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.87.0-2.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) .. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.87.0-2.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1924.

References

Cleartext Transmission of Sensitive Information vulnerability report

medium severity

Double Free

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-7.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.79.1-7.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1882.

References

Double Free vulnerability report

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.87.0-2.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

libcurl provides the CURLOPT_CERTINFO option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.87.0-2.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1924.

References

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability report

medium severity

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.

References

Missing Release of Resource after Effective Lifetime vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-60.amzn2
  • Fixed in: 0:2.26-62.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.

Remediation

Upgrade Amazon-Linux:2 glibc to version 0:2.26-62.amzn2 or higher.
This issue was patched in ALAS2-2022-1869.

References

Improper Input Validation vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-60.amzn2
  • Fixed in: 0:2.26-62.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-common@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.

Remediation

Upgrade Amazon-Linux:2 glibc-common to version 0:2.26-62.amzn2 or higher.
This issue was patched in ALAS2-2022-1869.

References

Improper Input Validation vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-60.amzn2
  • Fixed in: 0:2.26-62.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-langpack-en@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.

Remediation

Upgrade Amazon-Linux:2 glibc-langpack-en to version 0:2.26-62.amzn2 or higher.
This issue was patched in ALAS2-2022-1869.

References

Improper Input Validation vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-60.amzn2
  • Fixed in: 0:2.26-62.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-minimal-langpack@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.

Remediation

Upgrade Amazon-Linux:2 glibc-minimal-langpack to version 0:2.26-62.amzn2 or higher.
This issue was patched in ALAS2-2022-1869.

References

Improper Input Validation vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.8+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.8+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2138.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

CVE-2024-37370

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.15.1-37.amzn2.2.4
  • Fixed in: 0:1.15.1-55.amzn2.2.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto krb5-libs@1.15.1-37.amzn2.2.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Remediation

Upgrade Amazon-Linux:2 krb5-libs to version 0:1.15.1-55.amzn2.2.8 or higher.
This issue was patched in ALAS2-2024-2595.

References

CVE-2024-37370 vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-60.amzn2
  • Fixed in: 0:2.26-62.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcrypt@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcrypt package and not the libcrypt package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.

Remediation

Upgrade Amazon-Linux:2 libcrypt to version 0:2.26-62.amzn2 or higher.
This issue was patched in ALAS2-2022-1869.

References

Improper Input Validation vulnerability report

medium severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-7.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.79.1-7.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1882.

References

Cleartext Transmission of Sensitive Information vulnerability report

medium severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.87.0-2.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) .. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.87.0-2.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1924.

References

Cleartext Transmission of Sensitive Information vulnerability report

medium severity

Double Free

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-7.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.79.1-7.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1882.

References

Double Free vulnerability report

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.87.0-2.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

libcurl provides the CURLOPT_CERTINFO option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.87.0-2.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1924.

References

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability report

medium severity

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.

References

Missing Release of Resource after Effective Lifetime vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.7 or higher.
This issue was patched in ALAS2-2023-1996.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.17

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.17 or higher.
This issue was patched in ALAS2-2025-2860.

References

Out-of-bounds Read vulnerability report

medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.15

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.15 or higher.
This issue was patched in ALAS2-2026-3128.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.15

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.15 or higher.
This issue was patched in ALAS2-2026-3128.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Off-by-one Error

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-60.amzn2
  • Fixed in: 0:2.26-61.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade Amazon-Linux:2 glibc to version 0:2.26-61.amzn2 or higher.
This issue was patched in ALAS2-2022-1857.

References

Off-by-one Error vulnerability report

medium severity

Off-by-one Error

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-60.amzn2
  • Fixed in: 0:2.26-61.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-common@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade Amazon-Linux:2 glibc-common to version 0:2.26-61.amzn2 or higher.
This issue was patched in ALAS2-2022-1857.

References

Off-by-one Error vulnerability report

medium severity

Off-by-one Error

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-60.amzn2
  • Fixed in: 0:2.26-61.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-langpack-en@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade Amazon-Linux:2 glibc-langpack-en to version 0:2.26-61.amzn2 or higher.
This issue was patched in ALAS2-2022-1857.

References

Off-by-one Error vulnerability report

medium severity

Off-by-one Error

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-60.amzn2
  • Fixed in: 0:2.26-61.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-minimal-langpack@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade Amazon-Linux:2 glibc-minimal-langpack to version 0:2.26-61.amzn2 or higher.
This issue was patched in ALAS2-2022-1857.

References

Off-by-one Error vulnerability report

medium severity

Off-by-one Error

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-60.amzn2
  • Fixed in: 0:2.26-61.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcrypt@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcrypt package and not the libcrypt package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade Amazon-Linux:2 libcrypt to version 0:2.26-61.amzn2 or higher.
This issue was patched in ALAS2-2022-1857.

References

Off-by-one Error vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.6 or higher.
This issue was patched in ALAS2-2022-1848.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1160-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1160-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1927.

References

Out-of-bounds Read vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1160-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1160-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1927.

References

Out-of-bounds Read vulnerability report

medium severity

Access of Uninitialized Pointer

  • Vulnerable module: freetype
  • Introduced through: freetype@2.8-14.amzn2.1
  • Fixed in: 0:2.8-14.amzn2.1.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto freetype@2.8-14.amzn2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.

Remediation

Upgrade Amazon-Linux:2 freetype to version 0:2.8-14.amzn2.1.1 or higher.
This issue was patched in ALAS2-2023-1909.

References

Access of Uninitialized Pointer vulnerability report

medium severity

Access of Uninitialized Pointer

  • Vulnerable module: freetype
  • Introduced through: freetype@2.8-14.amzn2.1
  • Fixed in: 0:2.8-14.amzn2.1.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto freetype@2.8-14.amzn2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.

Remediation

Upgrade Amazon-Linux:2 freetype to version 0:2.8-14.amzn2.1.1 or higher.
This issue was patched in ALAS2-2023-1909.

References

Access of Uninitialized Pointer vulnerability report

medium severity
new

Out-of-bounds Read

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.5.13-8.amzn2
  • Fixed in: 2:1.5.13-8.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libpng@2:1.5.13-8.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.

Remediation

Upgrade Amazon-Linux:2 libpng to version 2:1.5.13-8.amzn2.0.6 or higher.
This issue was patched in ALAS2-2025-3112.

References

Out-of-bounds Read vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-23.amzn2.0.4
  • Fixed in: 0:2.4.44-25.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openldap@2.4.44-23.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.

Remediation

Upgrade Amazon-Linux:2 openldap to version 0:2.4.44-25.amzn2.0.6 or higher.
This issue was patched in ALAS2-2023-2095.

References

NULL Pointer Dereference vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: cpio
  • Introduced through: cpio@2.11-28.amzn2
  • Fixed in: 0:2.12-11.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto cpio@2.11-28.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream cpio package and not the cpio package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.

Remediation

Upgrade Amazon-Linux:2 cpio to version 0:2.12-11.amzn2 or higher.
This issue was patched in ALAS2-2023-1972.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: zlib
  • Introduced through: zlib@1.2.7-19.amzn2.0.1
  • Fixed in: 0:1.2.7-19.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto zlib@1.2.7-19.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Remediation

Upgrade Amazon-Linux:2 zlib to version 0:1.2.7-19.amzn2.0.2 or higher.
This issue was patched in ALAS2-2022-1849.

References

Out-of-Bounds vulnerability report

medium severity

CVE-2024-6923

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a MEDIUM severity vulnerability affecting CPython.

The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-2797.

References

CVE-2024-6923 vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-2797.

References

Improper Input Validation vulnerability report

medium severity

CVE-2024-6923

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a MEDIUM severity vulnerability affecting CPython.

The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-2797.

References

CVE-2024-6923 vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-2797.

References

Improper Input Validation vulnerability report

medium severity

OS Command Injection

  • Vulnerable module: libblkid
  • Introduced through: libblkid@2.30.2-2.amzn2.0.7
  • Fixed in: 0:2.30.2-2.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libblkid@2.30.2-2.amzn2.0.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream libblkid package and not the libblkid package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.

Remediation

Upgrade Amazon-Linux:2 libblkid to version 0:2.30.2-2.amzn2.0.9 or higher.
This issue was patched in ALAS2-2022-1878.

References

OS Command Injection vulnerability report

medium severity

OS Command Injection

  • Vulnerable module: libmount
  • Introduced through: libmount@2.30.2-2.amzn2.0.7
  • Fixed in: 0:2.30.2-2.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libmount@2.30.2-2.amzn2.0.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream libmount package and not the libmount package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.

Remediation

Upgrade Amazon-Linux:2 libmount to version 0:2.30.2-2.amzn2.0.9 or higher.
This issue was patched in ALAS2-2022-1878.

References

OS Command Injection vulnerability report

medium severity

OS Command Injection

  • Vulnerable module: libuuid
  • Introduced through: libuuid@2.30.2-2.amzn2.0.7
  • Fixed in: 0:2.30.2-2.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libuuid@2.30.2-2.amzn2.0.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream libuuid package and not the libuuid package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.

Remediation

Upgrade Amazon-Linux:2 libuuid to version 0:2.30.2-2.amzn2.0.9 or higher.
This issue was patched in ALAS2-2022-1878.

References

OS Command Injection vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.79.1-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1875.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.88.0-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.88.0-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1986.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.88.0-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.88.0-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1986.

References

Cleartext Transmission of Sensitive Information vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-14.amzn2.0.1
  • Fixed in: 0:2.1.0-15.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto expat@2.1.0-14.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

Remediation

Upgrade Amazon-Linux:2 expat to version 0:2.1.0-15.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2280.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-14.amzn2.0.1
  • Fixed in: 0:2.1.0-15.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto expat@2.1.0-14.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

Remediation

Upgrade Amazon-Linux:2 expat to version 0:2.1.0-15.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2280.

References

Resource Exhaustion vulnerability report

medium severity

Access of Uninitialized Pointer

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.15.1-37.amzn2.2.4
  • Fixed in: 0:1.15.1-55.amzn2.2.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto krb5-libs@1.15.1-37.amzn2.2.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

Remediation

Upgrade Amazon-Linux:2 krb5-libs to version 0:1.15.1-55.amzn2.2.6 or higher.
This issue was patched in ALAS2-2023-2225.

References

Access of Uninitialized Pointer vulnerability report

medium severity

CVE-2024-37371

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.15.1-37.amzn2.2.4
  • Fixed in: 0:1.15.1-55.amzn2.2.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto krb5-libs@1.15.1-37.amzn2.2.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.

Remediation

Upgrade Amazon-Linux:2 krb5-libs to version 0:1.15.1-55.amzn2.2.8 or higher.
This issue was patched in ALAS2-2024-2595.

References

CVE-2024-37371 vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.15.1-37.amzn2.2.4
  • Fixed in: 0:1.15.1-55.amzn2.2.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto krb5-libs@1.15.1-37.amzn2.2.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash.

Remediation

Upgrade Amazon-Linux:2 krb5-libs to version 0:1.15.1-55.amzn2.2.9 or higher.
This issue was patched in ALAS2-2025-2985.

References

Out-of-bounds Write vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.79.1-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1875.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.88.0-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.88.0-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1986.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.88.0-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.88.0-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1986.

References

Cleartext Transmission of Sensitive Information vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.11 or higher.
This issue was patched in ALAS2-2023-2249.

References

Out-of-Bounds vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Out-of-bounds Read vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.7 or higher.
This issue was patched in ALAS2-2024-2380.

References

Resource Exhaustion vulnerability report

medium severity

Stack-based Buffer Overflow

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Stack-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Out-of-bounds Read vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.7 or higher.
This issue was patched in ALAS2-2024-2380.

References

Resource Exhaustion vulnerability report

medium severity

Stack-based Buffer Overflow

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Stack-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Out-of-bounds Read vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.7 or higher.
This issue was patched in ALAS2-2024-2380.

References

Resource Exhaustion vulnerability report

medium severity

Stack-based Buffer Overflow

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Stack-based Buffer Overflow vulnerability report

medium severity

Information Exposure

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.67.0-3.amzn2.0.1
  • Fixed in: 0:3.90.0-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto nss-softokn@3.67.0-3.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn package and not the nss-softokn package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

Remediation

Upgrade Amazon-Linux:2 nss-softokn to version 0:3.90.0-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2419.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.67.0-3.amzn2.0.1
  • Fixed in: 0:3.90.0-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto nss-softokn-freebl@3.67.0-3.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn-freebl package and not the nss-softokn-freebl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

Remediation

Upgrade Amazon-Linux:2 nss-softokn-freebl to version 0:3.90.0-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2419.

References

Information Exposure vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data.

Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.7 or higher.
This issue was patched in ALAS2-2023-2073.

References

Resource Exhaustion vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.15

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data.

Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.15 or higher.
This issue was patched in ALAS2-2023-2097.

References

Resource Exhaustion vulnerability report

medium severity

Multiple Interpretations of UI Input

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-2797.

References

Multiple Interpretations of UI Input vulnerability report

medium severity

Multiple Interpretations of UI Input

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-2797.

References

Multiple Interpretations of UI Input vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.4 or higher.
This issue was patched in ALAS2-2022-1893.

References

Out-of-bounds Read vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.4 or higher.
This issue was patched in ALAS2-2022-1893.

References

Out-of-bounds Read vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.4 or higher.
This issue was patched in ALAS2-2022-1893.

References

Out-of-bounds Read vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on foo.example.com can set cookies that also would match for bar.example.com, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.79.1-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1875.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Authentication Bypass by Primary Weakness vulnerability report

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Authentication Bypass by Primary Weakness vulnerability report

medium severity

Improper Certificate Validation

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.2.1-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.2.1-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2230.

References

Improper Certificate Validation vulnerability report

medium severity

Use After Free

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.87.0-2.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A use after free vulnerability exists in curl <7.87.0. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.87.0-2.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1924.

References

Use After Free vulnerability report

medium severity

Use After Free

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.2.1-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.2.1-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2230.

References

Use After Free vulnerability report

medium severity

Improper Check for Unusual or Exceptional Conditions

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-14.amzn2.0.1
  • Fixed in: 0:2.1.0-15.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto expat@2.1.0-14.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.

Remediation

Upgrade Amazon-Linux:2 expat to version 0:2.1.0-15.amzn2.0.5 or higher.
This issue was patched in ALAS2-2025-2774.

References

Improper Check for Unusual or Exceptional Conditions vulnerability report

medium severity

CVE-2023-22043

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.8+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in Oracle Java SE (component: JavaFX). The supported version that is affected is Oracle Java SE: 8u371. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.8+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2138.

References

CVE-2023-22043 vulnerability report

medium severity

Inappropriate Encoding for Output Context

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.17+10-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.17+10-1.amzn2.1 or higher.
This issue was patched in ALAS2-2025-3047.

References

Inappropriate Encoding for Output Context vulnerability report

medium severity

Memory Leak

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.15.1-37.amzn2.2.4
  • Fixed in: 0:1.15.1-55.amzn2.2.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto krb5-libs@1.15.1-37.amzn2.2.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

Remediation

Upgrade Amazon-Linux:2 krb5-libs to version 0:1.15.1-55.amzn2.2.7 or higher.
This issue was patched in ALAS2-2024-2512.

References

Memory Leak vulnerability report

medium severity

Memory Leak

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.15.1-37.amzn2.2.4
  • Fixed in: 0:1.15.1-55.amzn2.2.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto krb5-libs@1.15.1-37.amzn2.2.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

Remediation

Upgrade Amazon-Linux:2 krb5-libs to version 0:1.15.1-55.amzn2.2.7 or higher.
This issue was patched in ALAS2-2024-2512.

References

Memory Leak vulnerability report

medium severity

Reversible One-Way Hash

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.15.1-37.amzn2.2.4
  • Fixed in: 0:1.15.1-55.amzn2.2.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto krb5-libs@1.15.1-37.amzn2.2.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Remediation

Upgrade Amazon-Linux:2 krb5-libs to version 0:1.15.1-55.amzn2.2.9 or higher.
This issue was patched in ALAS2-2025-2985.

References

Reversible One-Way Hash vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on foo.example.com can set cookies that also would match for bar.example.com, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.79.1-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1875.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Authentication Bypass by Primary Weakness vulnerability report

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Authentication Bypass by Primary Weakness vulnerability report

medium severity

Improper Certificate Validation

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.2.1-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.2.1-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2230.

References

Improper Certificate Validation vulnerability report

medium severity

Use After Free

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.87.0-2.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A use after free vulnerability exists in curl <7.87.0. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.87.0-2.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1924.

References

Use After Free vulnerability report

medium severity

Use After Free

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.2.1-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.2.1-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2230.

References

Use After Free vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.8 or higher.
This issue was patched in ALAS2-2023-2021.

References

Improper Input Validation vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.8 or higher.
This issue was patched in ALAS2-2023-2021.

References

Improper Input Validation vulnerability report

medium severity

Information Exposure

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.13

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application.

The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists).

This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem.

In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur.

This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.13 or higher.
This issue was patched in ALAS2-2024-2604.

References

Information Exposure vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A security vulnerability has been identified in all supported versions

of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing the -policy&#39; argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.7 or higher.
This issue was patched in ALAS2-2023-2073.

References

Resource Exhaustion vulnerability report

medium severity

Information Exposure

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.23

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application.

The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists).

This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem.

In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur.

This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.23 or higher.
This issue was patched in ALAS2-2024-2621.

References

Information Exposure vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.14

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A security vulnerability has been identified in all supported versions

of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing the -policy&#39; argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.14 or higher.
This issue was patched in ALAS2-2023-2039.

References

Resource Exhaustion vulnerability report

medium severity

Race Condition

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.8 or higher.
This issue was patched in ALAS2-2024-2400.

References

Race Condition vulnerability report

medium severity

Race Condition

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.8 or higher.
This issue was patched in ALAS2-2024-2400.

References

Race Condition vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: libcom_err
  • Introduced through: libcom_err@1.42.9-19.amzn2
  • Fixed in: 0:1.42.9-19.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcom_err@1.42.9-19.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcom_err package and not the libcom_err package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.

Remediation

Upgrade Amazon-Linux:2 libcom_err to version 0:1.42.9-19.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1884.

References

Out-of-bounds Read vulnerability report

medium severity

Double Free

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Double Free vulnerability report

medium severity

Double Free

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Double Free vulnerability report

medium severity

Return of Wrong Status Code

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.17

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.17 or higher.
This issue was patched in ALAS2-2025-2860.

References

Return of Wrong Status Code vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.16

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.16 or higher.
This issue was patched in ALAS2-2025-3034.

References

Out-of-bounds Write vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1zd-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1zd-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2025-3033.

References

Out-of-bounds Write vulnerability report

medium severity

Use After Free

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.23

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications.

The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use.

The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use.

The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use.

While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware of this issue being actively exploited.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.23 or higher.
This issue was patched in ALAS2-2024-2621.

References

Use After Free vulnerability report

medium severity

Incorrect Permission Assignment for Critical Resource

  • Vulnerable module: apr
  • Introduced through: apr@1.7.0-9.amzn2
  • Fixed in: 0:1.7.2-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto apr@1.7.0-9.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream apr package and not the apr package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data.

This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h)

Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.

Remediation

Upgrade Amazon-Linux:2 apr to version 0:1.7.2-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2721.

References

Incorrect Permission Assignment for Critical Resource vulnerability report

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Authentication Bypass by Primary Weakness vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: elfutils-libelf
  • Introduced through: elfutils-libelf@0.176-2.amzn2
  • Fixed in: 0:0.176-2.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto elfutils-libelf@0.176-2.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream elfutils-libelf package and not the elfutils-libelf package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The libcpu component which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from denial-of-service vulnerability caused by application crashes due to out-of-bounds write (CWE-787), off-by-one error (CWE-193) and reachable assertion (CWE-617); to exploit the vulnerability, the attackers need to craft certain ELF files which bypass the missing bound checks.

Remediation

Upgrade Amazon-Linux:2 elfutils-libelf to version 0:0.176-2.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2259.

References

Out-of-bounds Write vulnerability report

medium severity

Information Exposure

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.5 or higher.
This issue was patched in ALAS2-2023-2058.

References

Information Exposure vulnerability report

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

Remediation

Upgrade Amazon-Linux:2 glibc to version 0:2.26-64.amzn2.0.4 or higher.
This issue was patched in ALAS2-2025-2828.

References

Incorrect Calculation of Buffer Size vulnerability report

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-common@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

Remediation

Upgrade Amazon-Linux:2 glibc-common to version 0:2.26-64.amzn2.0.4 or higher.
This issue was patched in ALAS2-2025-2828.

References

Incorrect Calculation of Buffer Size vulnerability report

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-langpack-en@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

Remediation

Upgrade Amazon-Linux:2 glibc-langpack-en to version 0:2.26-64.amzn2.0.4 or higher.
This issue was patched in ALAS2-2025-2828.

References

Incorrect Calculation of Buffer Size vulnerability report

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-minimal-langpack@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

Remediation

Upgrade Amazon-Linux:2 glibc-minimal-langpack to version 0:2.26-64.amzn2.0.4 or higher.
This issue was patched in ALAS2-2025-2828.

References

Incorrect Calculation of Buffer Size vulnerability report

medium severity

Information Exposure

  • Vulnerable module: libblkid
  • Introduced through: libblkid@2.30.2-2.amzn2.0.7
  • Fixed in: 0:2.30.2-2.amzn2.0.10

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libblkid@2.30.2-2.amzn2.0.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream libblkid package and not the libblkid package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

Remediation

Upgrade Amazon-Linux:2 libblkid to version 0:2.30.2-2.amzn2.0.10 or higher.
This issue was patched in ALAS2-2022-1901.

References

Information Exposure vulnerability report

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcrypt@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcrypt package and not the libcrypt package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

Remediation

Upgrade Amazon-Linux:2 libcrypt to version 0:2.26-64.amzn2.0.4 or higher.
This issue was patched in ALAS2-2025-2828.

References

Incorrect Calculation of Buffer Size vulnerability report

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Authentication Bypass by Primary Weakness vulnerability report

medium severity

Information Exposure

  • Vulnerable module: libmount
  • Introduced through: libmount@2.30.2-2.amzn2.0.7
  • Fixed in: 0:2.30.2-2.amzn2.0.10

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libmount@2.30.2-2.amzn2.0.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream libmount package and not the libmount package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

Remediation

Upgrade Amazon-Linux:2 libmount to version 0:2.30.2-2.amzn2.0.10 or higher.
This issue was patched in ALAS2-2022-1901.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: libuuid
  • Introduced through: libuuid@2.30.2-2.amzn2.0.7
  • Fixed in: 0:2.30.2-2.amzn2.0.10

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libuuid@2.30.2-2.amzn2.0.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream libuuid package and not the libuuid package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

Remediation

Upgrade Amazon-Linux:2 libuuid to version 0:2.30.2-2.amzn2.0.10 or higher.
This issue was patched in ALAS2-2022-1901.

References

Information Exposure vulnerability report

medium severity

Buffer Over-read

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.14

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.14 or higher.
This issue was patched in ALAS2-2024-2717.

References

Buffer Over-read vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.4 or higher.
This issue was patched in ALAS2-2022-1893.

References

Out-of-Bounds vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.4 or higher.
This issue was patched in ALAS2-2022-1893.

References

Out-of-Bounds vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.4 or higher.
This issue was patched in ALAS2-2022-1893.

References

Out-of-Bounds vulnerability report

medium severity

Directory Traversal

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.12

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.12 or higher.
This issue was patched in ALAS2-2025-2816.

References

Directory Traversal vulnerability report

medium severity

Directory Traversal

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.12

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.12 or higher.
This issue was patched in ALAS2-2025-2816.

References

Directory Traversal vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1403-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1403-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2005.

References

NULL Pointer Dereference vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1403-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1402.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1403-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2005.

References

NULL Pointer Dereference vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1403-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1403-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2005.

References

NULL Pointer Dereference vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1403-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1402.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1403-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2005.

References

NULL Pointer Dereference vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Out-of-Bounds vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Out-of-Bounds vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Out-of-Bounds vulnerability report

medium severity

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.79.1-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1875.

References

Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability report

medium severity

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.5 or higher.
This issue was patched in ALAS2-2024-2385.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.6 or higher.
This issue was patched in ALAS2-2024-2531.

References

Information Exposure vulnerability report

medium severity

Misinterpretation of Input

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.

References

Misinterpretation of Input vulnerability report

medium severity

Stack-based Buffer Overflow

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-7.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

curl can be told to parse a .netrc file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.79.1-7.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1882.

References

Stack-based Buffer Overflow vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Amazon-Linux:2 glibc to version 0:2.26-64.amzn2.0.3 or higher.
This issue was patched in ALAS2-2024-2718.

References

NULL Pointer Dereference vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-common@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Amazon-Linux:2 glibc-common to version 0:2.26-64.amzn2.0.3 or higher.
This issue was patched in ALAS2-2024-2718.

References

NULL Pointer Dereference vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-langpack-en@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Amazon-Linux:2 glibc-langpack-en to version 0:2.26-64.amzn2.0.3 or higher.
This issue was patched in ALAS2-2024-2718.

References

NULL Pointer Dereference vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-minimal-langpack@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Amazon-Linux:2 glibc-minimal-langpack to version 0:2.26-64.amzn2.0.3 or higher.
This issue was patched in ALAS2-2024-2718.

References

NULL Pointer Dereference vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.5+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.5+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2022-1866.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Buffer Overflow

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.5+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.5+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2022-1866.

References

Buffer Overflow vulnerability report

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.6+10-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.6+10-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-1919.

References

Deserialization of Untrusted Data vulnerability report

medium severity

Improper Certificate Validation

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.9+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and 22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.9+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2314.

References

Improper Certificate Validation vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.5+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.5+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2022-1866.

References

Resource Exhaustion vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.6+10-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.6+10-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-1919.

References

Resource Exhaustion vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcrypt@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcrypt package and not the libcrypt package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Amazon-Linux:2 libcrypt to version 0:2.26-64.amzn2.0.3 or higher.
This issue was patched in ALAS2-2024-2718.

References

NULL Pointer Dereference vulnerability report

medium severity

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.79.1-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1875.

References

Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability report

medium severity

Information Exposure

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.5 or higher.
This issue was patched in ALAS2-2024-2385.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.6 or higher.
This issue was patched in ALAS2-2024-2531.

References

Information Exposure vulnerability report

medium severity

Misinterpretation of Input

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.

References

Misinterpretation of Input vulnerability report

medium severity

Stack-based Buffer Overflow

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-7.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

curl can be told to parse a .netrc file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.79.1-7.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1882.

References

Stack-based Buffer Overflow vulnerability report

medium severity

Algorithmic Complexity

  • Vulnerable module: libtasn1
  • Introduced through: libtasn1@4.10-1.amzn2.0.2
  • Fixed in: 0:4.10-1.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libtasn1@4.10-1.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1 package and not the libtasn1 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.

Remediation

Upgrade Amazon-Linux:2 libtasn1 to version 0:4.10-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2025-2886.

References

Algorithmic Complexity vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Out-of-Bounds vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Out-of-Bounds vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.6 or higher.
This issue was patched in ALAS2-2024-2412.

References

Out-of-Bounds vulnerability report

medium severity

Excessive Iteration

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.9 or higher.
This issue was patched in ALAS2-2023-2246.

References

Excessive Iteration vulnerability report

medium severity

Improper Certificate Validation

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing the -policy&#39; argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.7 or higher.
This issue was patched in ALAS2-2023-2073.

References

Improper Certificate Validation vulnerability report

medium severity

Improper Certificate Validation

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.

As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function.

Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.

Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.7 or higher.
This issue was patched in ALAS2-2023-2073.

References

Improper Certificate Validation vulnerability report

medium severity

Missing Required Cryptographic Step

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters.

Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q.

An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().

Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.11 or higher.
This issue was patched in ALAS2-2023-2350.

References

Missing Required Cryptographic Step vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.

However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option.

The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.9 or higher.
This issue was patched in ALAS2-2023-2246.

References

Resource Exhaustion vulnerability report

medium severity

Excessive Iteration

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.16

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.16 or higher.
This issue was patched in ALAS2-2023-2226.

References

Excessive Iteration vulnerability report

medium severity

Improper Certificate Validation

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.14

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.

As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function.

Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.

Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.14 or higher.
This issue was patched in ALAS2-2023-2039.

References

Improper Certificate Validation vulnerability report

medium severity

Improper Certificate Validation

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.14

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing the -policy&#39; argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.14 or higher.
This issue was patched in ALAS2-2023-2039.

References

Improper Certificate Validation vulnerability report

medium severity

Missing Required Cryptographic Step

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.13

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.13 or higher.
This issue was patched in ALAS2-2023-1974.

References

Missing Required Cryptographic Step vulnerability report

medium severity

Missing Required Cryptographic Step

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.19

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters.

Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q.

An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().

Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.19 or higher.
This issue was patched in ALAS2-2023-2351.

References

Missing Required Cryptographic Step vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.16

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.

However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option.

The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.16 or higher.
This issue was patched in ALAS2-2023-2226.

References

Resource Exhaustion vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.9 or higher.
This issue was patched in ALAS2-2024-2686.

References

Improper Input Validation vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.9

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.9 or higher.
This issue was patched in ALAS2-2024-2686.

References

Improper Input Validation vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1403-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1403-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2005.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2288.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1403-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Incorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1403-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2005.

References

Incorrect Calculation of Buffer Size vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1403-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1403-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2005.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2288.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1403-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Incorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1403-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2005.

References

Incorrect Calculation of Buffer Size vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: zlib
  • Introduced through: zlib@1.2.7-19.amzn2.0.1
  • Fixed in: 0:1.2.7-19.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto zlib@1.2.7-19.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

Remediation

Upgrade Amazon-Linux:2 zlib to version 0:1.2.7-19.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2320.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Small Space of Random Values

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.8+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.8+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2138.

References

Small Space of Random Values vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-12.amzn2.2.3
  • Fixed in: 0:1.4.3-12.amzn2.2.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libssh2@1.4.3-12.amzn2.2.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

Remediation

Upgrade Amazon-Linux:2 libssh2 to version 0:1.4.3-12.amzn2.2.4 or higher.
This issue was patched in ALAS2-2023-2046.

References

Out-of-bounds Read vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-12.amzn2.2.3
  • Fixed in: 0:1.4.3-12.amzn2.2.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libssh2@1.4.3-12.amzn2.2.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

Remediation

Upgrade Amazon-Linux:2 libssh2 to version 0:1.4.3-12.amzn2.2.4 or higher.
This issue was patched in ALAS2-2023-2046.

References

Out-of-bounds Read vulnerability report

medium severity

Expected Behavior Violation

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-7.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.79.1-7.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1882.

References

Expected Behavior Violation vulnerability report

medium severity

CVE-2025-53066

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.17+10-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.17+10-1.amzn2.1 or higher.
This issue was patched in ALAS2-2025-3047.

References

CVE-2025-53066 vulnerability report

medium severity

Signed to Unsigned Conversion Error

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.13+11-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.13+11-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2683.

References

Signed to Unsigned Conversion Error vulnerability report

medium severity

Signed to Unsigned Conversion Error

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.14+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.14+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2025-2740.

References

Signed to Unsigned Conversion Error vulnerability report

medium severity

Expected Behavior Violation

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-7.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.79.1-7.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1882.

References

Expected Behavior Violation vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-2797.

References

Resource Exhaustion vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-2797.

References

Resource Exhaustion vulnerability report

medium severity

Covert Timing Channel

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.15

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.15 or higher.
This issue was patched in ALAS2-2025-2780.

References

Covert Timing Channel vulnerability report

medium severity

Covert Timing Channel

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1zb-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1zb-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2025-2781.

References

Covert Timing Channel vulnerability report

medium severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a :s command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive :s call causes free-ing of memory which may later then be accessed by the initial :s command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2153-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2452.

References

Use After Free vulnerability report

medium severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a :s command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive :s call causes free-ing of memory which may later then be accessed by the initial :s command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2153-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2452.

References

Use After Free vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2153-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2024-2711.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2153-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2024-2711.

References

Heap-based Buffer Overflow vulnerability report

medium severity
new

Out-of-bounds Read

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.5.13-8.amzn2
  • Fixed in: 2:1.5.13-8.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libpng@2:1.5.13-8.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.

Remediation

Upgrade Amazon-Linux:2 libpng to version 2:1.5.13-8.amzn2.0.6 or higher.
This issue was patched in ALAS2-2025-3112.

References

Out-of-bounds Read vulnerability report

medium severity

Arbitrary Argument Injection

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2153-1.amzn2.0.4 or higher.
This issue was patched in ALAS2-2025-2827.

References

Arbitrary Argument Injection vulnerability report

medium severity

Arbitrary Argument Injection

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2153-1.amzn2.0.4 or higher.
This issue was patched in ALAS2-2025-2827.

References

Arbitrary Argument Injection vulnerability report

medium severity

Special Element Injection

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Special Element Injection vulnerability report

medium severity

Special Element Injection

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Special Element Injection vulnerability report

medium severity

Information Exposure

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.67.0-3.amzn2.0.1
  • Fixed in: 0:3.90.0-6.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto nss-softokn@3.67.0-3.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn package and not the nss-softokn package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.

Remediation

Upgrade Amazon-Linux:2 nss-softokn to version 0:3.90.0-6.amzn2.0.2 or higher.
This issue was patched in ALAS2-2024-2456.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.67.0-3.amzn2.0.1
  • Fixed in: 0:3.90.0-6.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto nss-softokn-freebl@3.67.0-3.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn-freebl package and not the nss-softokn-freebl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.

Remediation

Upgrade Amazon-Linux:2 nss-softokn-freebl to version 0:3.90.0-6.amzn2.0.2 or higher.
This issue was patched in ALAS2-2024-2456.

References

Information Exposure vulnerability report

medium severity

Inefficient Regular Expression Complexity

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.13

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.13 or higher.
This issue was patched in ALAS2-2025-2911.

References

Inefficient Regular Expression Complexity vulnerability report

medium severity

Inefficient Regular Expression Complexity

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.13

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.13 or higher.
This issue was patched in ALAS2-2025-2911.

References

Inefficient Regular Expression Complexity vulnerability report

medium severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.88.0-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.88.0-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1986.

References

Cleartext Transmission of Sensitive Information vulnerability report

medium severity

Double Free

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade Amazon-Linux:2 glibc to version 0:2.26-64.amzn2.0.5 or higher.
This issue was patched in ALAS2-2025-3040.

References

Double Free vulnerability report

medium severity

Double Free

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-common@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade Amazon-Linux:2 glibc-common to version 0:2.26-64.amzn2.0.5 or higher.
This issue was patched in ALAS2-2025-3040.

References

Double Free vulnerability report

medium severity

Double Free

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-langpack-en@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade Amazon-Linux:2 glibc-langpack-en to version 0:2.26-64.amzn2.0.5 or higher.
This issue was patched in ALAS2-2025-3040.

References

Double Free vulnerability report

medium severity

Double Free

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-minimal-langpack@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade Amazon-Linux:2 glibc-minimal-langpack to version 0:2.26-64.amzn2.0.5 or higher.
This issue was patched in ALAS2-2025-3040.

References

Double Free vulnerability report

medium severity

Double Free

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-60.amzn2
  • Fixed in: 0:2.26-64.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcrypt@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcrypt package and not the libcrypt package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade Amazon-Linux:2 libcrypt to version 0:2.26-64.amzn2.0.5 or higher.
This issue was patched in ALAS2-2025-3040.

References

Double Free vulnerability report

medium severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.88.0-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.88.0-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1986.

References

Cleartext Transmission of Sensitive Information vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn't show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim by feeding some binary characters to Vim. The function that handles the scrolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn't been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2153-1.amzn2.0.3 or higher.
This issue was patched in ALAS2-2025-2753.

References

Out-of-bounds Write vulnerability report

medium severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the :redir ex command to register, variables and files. It also allows to show the contents of registers using the :registers or :display ex command. When redirecting the output of :display to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the :display command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the + and * registers (which typically donate the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead. In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers * or +. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2153-1.amzn2.0.4 or higher.
This issue was patched in ALAS2-2025-2827.

References

Use After Free vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn't show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim by feeding some binary characters to Vim. The function that handles the scrolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn't been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2153-1.amzn2.0.3 or higher.
This issue was patched in ALAS2-2025-2753.

References

Out-of-bounds Write vulnerability report

medium severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the :redir ex command to register, variables and files. It also allows to show the contents of registers using the :registers or :display ex command. When redirecting the output of :display to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the :display command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the + and * registers (which typically donate the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead. In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers * or +. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2153-1.amzn2.0.4 or higher.
This issue was patched in ALAS2-2025-2827.

References

Use After Free vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2081-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function ga_grow_inner in in the file src/alloc.c at line 748, which is freed in the file src/ex_docmd.c in the function do_cmdline at line 1010 and then used again in src/cmdhist.c at line 759. When using the :history command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2081-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2338.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2081-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function ga_grow_inner in in the file src/alloc.c at line 748, which is freed in the file src/ex_docmd.c in the function do_cmdline at line 1010 and then used again in src/cmdhist.c at line 759. When using the :history command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2081-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2338.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Comparison Using Wrong Factors

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended.

This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with hosts like x.example.com as well as example.com where the first host is a subdomain of the second host.

(The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.)

When x.example.com responds with Strict-Transport-Security: headers, this bug can make the subdomain's expiry timeout bleed over and get set for the parent domain example.com in curl's HSTS cache.

The result of a triggered bug is that HTTP accesses to example.com get converted to HTTPS for a different period of time than what was asked for by the origin server. If example.com for example stops supporting HTTPS at its expiry time, curl might then fail to access http://example.com until the (wrongly set) timeout expires. This bug can also expire the parent's entry earlier, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.8 or higher.
This issue was patched in ALAS2-2025-2724.

References

Comparison Using Wrong Factors vulnerability report

medium severity

Comparison Using Wrong Factors

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended.

This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with hosts like x.example.com as well as example.com where the first host is a subdomain of the second host.

(The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.)

When x.example.com responds with Strict-Transport-Security: headers, this bug can make the subdomain's expiry timeout bleed over and get set for the parent domain example.com in curl's HSTS cache.

The result of a triggered bug is that HTTP accesses to example.com get converted to HTTPS for a different period of time than what was asked for by the origin server. If example.com for example stops supporting HTTPS at its expiry time, curl might then fail to access http://example.com until the (wrongly set) timeout expires. This bug can also expire the parent's entry earlier, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.8 or higher.
This issue was patched in ALAS2-2025-2724.

References

Comparison Using Wrong Factors vulnerability report

medium severity

Directory Traversal

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde () character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /2/foo while accessing a server with a specific user.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Directory Traversal vulnerability report

medium severity

Expected Behavior Violation

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.2.1-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously wasused to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.2.1-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2230.

References

Expected Behavior Violation vulnerability report

medium severity

Authentication Bypass

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.5+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.5+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2022-1866.

References

Authentication Bypass vulnerability report

medium severity

Directory Traversal

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.8+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.8+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2138.

References

Directory Traversal vulnerability report

medium severity

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.13+11-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.13+11-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2683.

References

Improper Handling of Length Parameter Inconsistency vulnerability report

medium severity

Integer Coercion Error

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.5+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.5+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2022-1866.

References

Integer Coercion Error vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.13+11-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.13+11-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2683.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.8+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.8+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2138.

References

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.9+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7 and 22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition,. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.9+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2314.

References

Out-of-Bounds vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.8+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.8+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2138.

References

Out-of-bounds Read vulnerability report

medium severity

Out-of-bounds Read

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.8+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.8+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2138.

References

Out-of-bounds Read vulnerability report

medium severity

Reliance on File Name or Extension of Externally-Supplied File

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.6+10-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.6+10-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-1919.

References

Reliance on File Name or Extension of Externally-Supplied File vulnerability report

medium severity

Uncontrolled Memory Allocation

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.13+11-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.13+11-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2683.

References

Uncontrolled Memory Allocation vulnerability report

medium severity

Use of Insufficiently Random Values

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.5+8-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.5+8-1.amzn2.1 or higher.
This issue was patched in ALAS2-2022-1866.

References

Use of Insufficiently Random Values vulnerability report

medium severity

Directory Traversal

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.0.1-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde () character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /2/foo while accessing a server with a specific user.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.0.1-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2070.

References

Directory Traversal vulnerability report

medium severity

Expected Behavior Violation

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.2.1-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously wasused to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.2.1-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2230.

References

Expected Behavior Violation vulnerability report

medium severity

Resource Exhaustion

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.21

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions

Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation.

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.21 or higher.
This issue was patched in ALAS2-2024-2564.

References

Resource Exhaustion vulnerability report

medium severity

Improper Validation of Specified Type of Input

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-2797.

References

Improper Validation of Specified Type of Input vulnerability report

medium severity

Improper Validation of Specified Type of Input

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-2797.

References

Improper Validation of Specified Type of Input vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.2.1-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.2.1-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2230.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Improper Data Handling

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-60.amzn2
  • Fixed in: 0:2.26-62.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.

Remediation

Upgrade Amazon-Linux:2 glibc to version 0:2.26-62.amzn2 or higher.
This issue was patched in ALAS2-2022-1869.

References

Improper Data Handling vulnerability report

medium severity

Improper Data Handling

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-60.amzn2
  • Fixed in: 0:2.26-62.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-common@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.

Remediation

Upgrade Amazon-Linux:2 glibc-common to version 0:2.26-62.amzn2 or higher.
This issue was patched in ALAS2-2022-1869.

References

Improper Data Handling vulnerability report

medium severity

Improper Data Handling

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-60.amzn2
  • Fixed in: 0:2.26-62.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-langpack-en@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.

Remediation

Upgrade Amazon-Linux:2 glibc-langpack-en to version 0:2.26-62.amzn2 or higher.
This issue was patched in ALAS2-2022-1869.

References

Improper Data Handling vulnerability report

medium severity

Improper Data Handling

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-60.amzn2
  • Fixed in: 0:2.26-62.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glibc-minimal-langpack@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.

Remediation

Upgrade Amazon-Linux:2 glibc-minimal-langpack to version 0:2.26-62.amzn2 or higher.
This issue was patched in ALAS2-2022-1869.

References

Improper Data Handling vulnerability report

medium severity

Improper Data Handling

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-60.amzn2
  • Fixed in: 0:2.26-62.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcrypt@2.26-60.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcrypt package and not the libcrypt package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.

Remediation

Upgrade Amazon-Linux:2 libcrypt to version 0:2.26-62.amzn2 or higher.
This issue was patched in ALAS2-2022-1869.

References

Improper Data Handling vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.2.1-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.2.1-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2230.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: libsepol
  • Introduced through: libsepol@2.5-8.1.amzn2.0.2
  • Fixed in: 0:2.5-10.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libsepol@2.5-8.1.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libsepol package and not the libsepol package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.

Remediation

Upgrade Amazon-Linux:2 libsepol to version 0:2.5-10.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2307.

References

Out-of-Bounds vulnerability report

medium severity

Use After Free

  • Vulnerable module: libsepol
  • Introduced through: libsepol@2.5-8.1.amzn2.0.2
  • Fixed in: 0:2.5-10.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libsepol@2.5-8.1.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libsepol package and not the libsepol package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).

Remediation

Upgrade Amazon-Linux:2 libsepol to version 0:2.5-10.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2307.

References

Use After Free vulnerability report

medium severity

Use After Free

  • Vulnerable module: libsepol
  • Introduced through: libsepol@2.5-8.1.amzn2.0.2
  • Fixed in: 0:2.5-10.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libsepol@2.5-8.1.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libsepol package and not the libsepol package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).

Remediation

Upgrade Amazon-Linux:2 libsepol to version 0:2.5-10.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2307.

References

Use After Free vulnerability report

medium severity

Use After Free

  • Vulnerable module: libsepol
  • Introduced through: libsepol@2.5-8.1.amzn2.0.2
  • Fixed in: 0:2.5-10.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libsepol@2.5-8.1.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libsepol package and not the libsepol package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).

Remediation

Upgrade Amazon-Linux:2 libsepol to version 0:2.5-10.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2307.

References

Use After Free vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Remediation

Upgrade Amazon-Linux:2 ncurses to version 0:6.0-8.20170212.amzn2.1.8 or higher.
This issue was patched in ALAS2-2024-2482.

References

NULL Pointer Dereference vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-base@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Remediation

Upgrade Amazon-Linux:2 ncurses-base to version 0:6.0-8.20170212.amzn2.1.8 or higher.
This issue was patched in ALAS2-2024-2482.

References

NULL Pointer Dereference vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2.1.3
  • Fixed in: 0:6.0-8.20170212.amzn2.1.8

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ncurses-libs@6.0-8.20170212.amzn2.1.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Remediation

Upgrade Amazon-Linux:2 ncurses-libs to version 0:6.0-8.20170212.amzn2.1.8 or higher.
This issue was patched in ALAS2-2024-2482.

References

NULL Pointer Dereference vulnerability report

medium severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:7.79.1-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1875.

References

Improper Validation of Syntactic Correctness of Input vulnerability report

medium severity

Directory Traversal

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.8+7-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.8+7-1.amzn2.1 or higher.
This issue was patched in ALAS2-2023-2138.

References

Directory Traversal vulnerability report

medium severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:7.79.1-6.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:7.79.1-6.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1875.

References

Improper Validation of Syntactic Correctness of Input vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability classified as problematic was found in vim up to 9.1.1096. This vulnerability affects unknown code of the file src/main.c. The manipulation of the argument --log leads to memory corruption. It is possible to launch the attack on the local host. Upgrading to version 9.1.1097 is able to address this issue. The patch is identified as c5654b84480822817bb7b69ebc97c174c91185e9. It is recommended to upgrade the affected component.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2153-1.amzn2.0.4 or higher.
This issue was patched in ALAS2-2025-2827.

References

Out-of-Bounds vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.4

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability classified as problematic was found in vim up to 9.1.1096. This vulnerability affects unknown code of the file src/main.c. The manipulation of the argument --log leads to memory corruption. It is possible to launch the attack on the local host. Upgrading to version 9.1.1097 is able to address this issue. The patch is identified as c5654b84480822817bb7b69ebc97c174c91185e9. It is recommended to upgrade the affected component.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2153-1.amzn2.0.4 or higher.
This issue was patched in ALAS2-2025-2827.

References

Out-of-Bounds vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: python
  • Introduced through: python@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.10

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python package and not the python package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

Remediation

Upgrade Amazon-Linux:2 python to version 0:2.7.18-1.amzn2.0.10 or higher.
This issue was patched in ALAS2-2025-2744.

References

Improper Input Validation vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.18-1.amzn2.0.5
  • Fixed in: 0:2.7.18-1.amzn2.0.10

Detailed paths

  • Introduced through: tomcat@jdk17-corretto python-libs@2.7.18-1.amzn2.0.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-libs package and not the python-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

Remediation

Upgrade Amazon-Linux:2 python-libs to version 0:2.7.18-1.amzn2.0.10 or higher.
This issue was patched in ALAS2-2025-2744.

References

Improper Input Validation vulnerability report

medium severity

CVE-2025-11563

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-3088.

References

CVE-2025-11563 vulnerability report

medium severity

CVE-2025-11563

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.11 or higher.
This issue was patched in ALAS2-2025-3088.

References

CVE-2025-11563 vulnerability report

medium severity

Improperly Implemented Security Check for Standard

  • Vulnerable module: libgcc
  • Introduced through: libgcc@7.3.1-15.amzn2
  • Fixed in: 0:7.3.1-17.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libgcc@7.3.1-15.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcc package and not the libgcc package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables.

The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

Remediation

Upgrade Amazon-Linux:2 libgcc to version 0:7.3.1-17.amzn2 or higher.
This issue was patched in ALAS2-2023-2245.

References

Improperly Implemented Security Check for Standard vulnerability report

medium severity

Improperly Implemented Security Check for Standard

  • Vulnerable module: libstdc++
  • Introduced through: libstdc++@7.3.1-15.amzn2
  • Fixed in: 0:7.3.1-17.amzn2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libstdc++@7.3.1-15.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libstdc++ package and not the libstdc++ package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables.

The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

Remediation

Upgrade Amazon-Linux:2 libstdc++ to version 0:7.3.1-17.amzn2 or higher.
This issue was patched in ALAS2-2023-2245.

References

Improperly Implemented Security Check for Standard vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Integer Overflow or Wraparound vulnerability report

low severity

Out-of-bounds Read

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Out-of-bounds Read vulnerability report

low severity

Out-of-bounds Read

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Out-of-bounds Read vulnerability report

low severity

Out-of-bounds Read

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Out-of-bounds Read vulnerability report

low severity

Stack-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Stack-based Buffer Overflow vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0213.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0260.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0286.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0221.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0360.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0246.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0322.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0225.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0046.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Integer Overflow or Wraparound vulnerability report

low severity

Out-of-bounds Read

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Out-of-bounds Read vulnerability report

low severity

Out-of-bounds Read

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Out-of-bounds Read vulnerability report

low severity

Out-of-bounds Read

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Out-of-bounds Read vulnerability report

low severity

Stack-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Stack-based Buffer Overflow vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0213.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0046.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0225.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0246.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0286.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0322.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0260.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0360.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.0221.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Divide By Zero

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1367-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Divide By Zero in GitHub repository vim/vim prior to 9.0.1367.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1367-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1991.

References

Divide By Zero vulnerability report

low severity

Divide By Zero

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1367-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Divide By Zero in GitHub repository vim/vim prior to 9.0.1367.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1367-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-1991.

References

Divide By Zero vulnerability report

low severity

Out-of-bounds Read

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Out-of-bounds Read vulnerability report

low severity

Out-of-bounds Read

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Out-of-bounds Read vulnerability report

low severity

Resource Exhaustion

  • Vulnerable module: elfutils-libelf
  • Introduced through: elfutils-libelf@0.176-2.amzn2
  • Fixed in: 0:0.176-2.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto elfutils-libelf@0.176-2.amzn2

NVD Description

Note: Versions mentioned in the description apply only to the upstream elfutils-libelf package and not the elfutils-libelf package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.

Remediation

Upgrade Amazon-Linux:2 elfutils-libelf to version 0:0.176-2.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2197.

References

Resource Exhaustion vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: gmp
  • Introduced through: gmp@1:6.0.0-15.amzn2.0.2
  • Fixed in: 1:6.0.0-15.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto gmp@1:6.0.0-15.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream gmp package and not the gmp package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.

Remediation

Upgrade Amazon-Linux:2 gmp to version 1:6.0.0-15.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2369.

References

Integer Overflow or Wraparound vulnerability report

low severity

Out-of-bounds Read

  • Vulnerable module: gawk
  • Introduced through: gawk@4.0.2-4.amzn2.1.2
  • Fixed in: 0:4.0.2-4.amzn2.1.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto gawk@4.0.2-4.amzn2.1.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream gawk package and not the gawk package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information.

Remediation

Upgrade Amazon-Linux:2 gawk to version 0:4.0.2-4.amzn2.1.3 or higher.
This issue was patched in ALAS2-2023-2357.

References

Out-of-bounds Read vulnerability report

low severity

NULL Pointer Dereference

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-24.amzn2.0.4
  • Fixed in: 1:1.0.2k-24.amzn2.0.12

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl-libs@1:1.0.2k-24.amzn2.0.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl-libs to version 1:1.0.2k-24.amzn2.0.12 or higher.
This issue was patched in ALAS2-2024-2479.

References

NULL Pointer Dereference vulnerability report

low severity

NULL Pointer Dereference

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.20

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl11-libs package and not the openssl11-libs package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.20 or higher.
This issue was patched in ALAS2-2024-2478.

References

NULL Pointer Dereference vulnerability report

low severity

NULL Pointer Dereference

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

NULL Pointer Dereference vulnerability report

low severity

NULL Pointer Dereference

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

NULL Pointer Dereference vulnerability report

low severity

NULL Pointer Dereference

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2319.

References

NULL Pointer Dereference vulnerability report

low severity

NULL Pointer Dereference

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

NULL Pointer Dereference vulnerability report

low severity

NULL Pointer Dereference

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

NULL Pointer Dereference vulnerability report

low severity

NULL Pointer Dereference

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2319.

References

NULL Pointer Dereference vulnerability report

low severity

Missing Encryption of Sensitive Data

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.5 or higher.
This issue was patched in ALAS2-2024-2385.

References

Missing Encryption of Sensitive Data vulnerability report

low severity

Out-of-bounds Read

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.10

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

  1. A cookie is set using the secure keyword for https://target
  2. curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set
  3. The same cookie name is set - but with just a slash as path (path=\&#34;/\&#34;,). Since this site is not secure, the cookie should just be ignored.
  4. A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.10 or higher.
This issue was patched in ALAS2-2025-3056.

References

Out-of-bounds Read vulnerability report

low severity

Link Following

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.1-9.amzn2.0.2
  • Fixed in: 0:2.56.1-9.amzn2.0.7

Detailed paths

  • Introduced through: tomcat@jdk17-corretto glib2@2.56.1-9.amzn2.0.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)

Remediation

Upgrade Amazon-Linux:2 glib2 to version 0:2.56.1-9.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2487.

References

Link Following vulnerability report

low severity

Missing Encryption of Sensitive Data

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.5

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.5 or higher.
This issue was patched in ALAS2-2024-2385.

References

Missing Encryption of Sensitive Data vulnerability report

low severity

Out-of-bounds Read

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.10

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

  1. A cookie is set using the secure keyword for https://target
  2. curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set
  3. The same cookie name is set - but with just a slash as path (path=\&#34;/\&#34;,). Since this site is not secure, the cookie should just be ignored.
  4. A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.10 or higher.
This issue was patched in ALAS2-2025-3056.

References

Out-of-bounds Read vulnerability report

low severity

Out-of-bounds Write

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Out-of-bounds Write vulnerability report

low severity

Out-of-bounds Write

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Out-of-bounds Write vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: libblkid
  • Introduced through: libblkid@2.30.2-2.amzn2.0.7
  • Fixed in: 0:2.30.2-2.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libblkid@2.30.2-2.amzn2.0.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream libblkid package and not the libblkid package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.

Remediation

Upgrade Amazon-Linux:2 libblkid to version 0:2.30.2-2.amzn2.0.11 or higher.
This issue was patched in ALAS2-2023-1920.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: libmount
  • Introduced through: libmount@2.30.2-2.amzn2.0.7
  • Fixed in: 0:2.30.2-2.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libmount@2.30.2-2.amzn2.0.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream libmount package and not the libmount package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.

Remediation

Upgrade Amazon-Linux:2 libmount to version 0:2.30.2-2.amzn2.0.11 or higher.
This issue was patched in ALAS2-2023-1920.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: libuuid
  • Introduced through: libuuid@2.30.2-2.amzn2.0.7
  • Fixed in: 0:2.30.2-2.amzn2.0.11

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libuuid@2.30.2-2.amzn2.0.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream libuuid package and not the libuuid package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.

Remediation

Upgrade Amazon-Linux:2 libuuid to version 0:2.30.2-2.amzn2.0.11 or higher.
This issue was patched in ALAS2-2023-1920.

References

Integer Overflow or Wraparound vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a :s command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive :s call causes free-ing of memory which may later then be accessed by the initial :s command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2153-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2384.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2153-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a :s command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive :s call causes free-ing of memory which may later then be accessed by the initial :s command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2153-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2384.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Use After Free vulnerability report

low severity

Improper Handling of Exceptional Conditions

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. This may happen when a window border is present and when the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit cb0b99f0 which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Improper Handling of Exceptional Conditions vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit 6bf131888 which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger than MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit 73b2d379 which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit ac6378773 which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit 58f9befca1 which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an overflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit 060623e which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Integer Overflow or Wraparound vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit 25aabc2b which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Use After Free vulnerability report

low severity

Improper Handling of Exceptional Conditions

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. This may happen when a window border is present and when the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit cb0b99f0 which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Improper Handling of Exceptional Conditions vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit 58f9befca1 which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger than MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit 73b2d379 which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit ac6378773 which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an overflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit 060623e which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Integer Overflow or Wraparound vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit 6bf131888 which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Integer Overflow or Wraparound vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.2120-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit 25aabc2b which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.2120-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2353.

References

Use After Free vulnerability report

low severity

Insufficient Verification of Data Authenticity

  • Vulnerable module: ca-certificates
  • Introduced through: ca-certificates@2021.2.50-72.amzn2.0.3
  • Fixed in: 0:2023.2.68-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto ca-certificates@2021.2.50-72.amzn2.0.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream ca-certificates package and not the ca-certificates package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from GLOBALTRUST. Certifi 2024.7.04 removes root certificates from GLOBALTRUST from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."

Remediation

Upgrade Amazon-Linux:2 ca-certificates to version 0:2023.2.68-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2607.

References

Insufficient Verification of Data Authenticity vulnerability report

low severity

Improper Output Neutralization for Logs

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.11+9-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.11+9-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2528.

References

Improper Output Neutralization for Logs vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.11+9-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.11+9-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2528.

References

Integer Overflow or Wraparound vulnerability report

low severity

Out-of-bounds Write

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.11+9-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.11+9-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2528.

References

Out-of-bounds Write vulnerability report

low severity

Reliance on Reverse DNS Resolution for a Security-Critical Action

  • Vulnerable module: java-17-amazon-corretto-devel
  • Introduced through: java-17-amazon-corretto-devel@1:17.0.4.9-1
  • Fixed in: 1:17.0.11+9-1.amzn2.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto java-17-amazon-corretto-devel@1:17.0.4.9-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-17-amazon-corretto-devel package and not the java-17-amazon-corretto-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Amazon-Linux:2 java-17-amazon-corretto-devel to version 1:17.0.11+9-1.amzn2.1 or higher.
This issue was patched in ALAS2-2024-2528.

References

Reliance on Reverse DNS Resolution for a Security-Critical Action vulnerability report

low severity

Memory Leak

  • Vulnerable module: libcap
  • Introduced through: libcap@2.54-1.amzn2.0.1
  • Fixed in: 0:2.54-1.amzn2.0.2

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcap@2.54-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap package and not the libcap package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.

Remediation

Upgrade Amazon-Linux:2 libcap to version 0:2.54-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2023-2136.

References

Memory Leak vulnerability report

low severity
new

Uncontrolled Recursion

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.5.5
  • Fixed in: 0:2.9.1-6.amzn2.5.21

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libxml2@2.9.1-6.amzn2.5.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

Remediation

Upgrade Amazon-Linux:2 libxml2 to version 0:2.9.1-6.amzn2.5.21 or higher.
This issue was patched in ALAS2-2026-3122.

References

Uncontrolled Recursion vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to v9.0.2010.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.1882-1.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2319.

References

Use After Free vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

Use After Free

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.1882-1.amzn2.0.3

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Use After Free in GitHub repository vim/vim prior to v9.0.2010.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.1882-1.amzn2.0.3 or higher.
This issue was patched in ALAS2-2023-2319.

References

Use After Free vulnerability report

low severity

Buffer Under-read

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Improper Validation of Specified Quantity in Input in GitHub repository vim/vim prior to 9.0.0218.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Buffer Under-read vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-data
  • Introduced through: vim-data@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-data@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-data package and not the vim-data package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220.

Remediation

Upgrade Amazon-Linux:2 vim-data to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

Buffer Under-read

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Improper Validation of Specified Quantity in Input in GitHub repository vim/vim prior to 9.0.0218.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Buffer Under-read vulnerability report

low severity

Heap-based Buffer Overflow

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:8.2.5172-1.amzn2.0.1
  • Fixed in: 2:9.0.475-1.amzn2.0.1

Detailed paths

  • Introduced through: tomcat@jdk17-corretto vim-minimal@2:8.2.5172-1.amzn2.0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220.

Remediation

Upgrade Amazon-Linux:2 vim-minimal to version 2:9.0.475-1.amzn2.0.1 or higher.
This issue was patched in ALAS2-2022-1868.

References

Heap-based Buffer Overflow vulnerability report

low severity

ALAS2-2024-2490

  • Vulnerable module: curl
  • Introduced through: curl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto curl@7.79.1-4.amzn2.0.1

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.6 or higher.
This issue was patched in ALAS2-2024-2490.

ALAS2-2024-2490 vulnerability report

low severity

ALAS2-2024-2490

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.79.1-4.amzn2.0.1
  • Fixed in: 0:8.3.0-1.amzn2.0.6

Detailed paths

  • Introduced through: tomcat@jdk17-corretto libcurl@7.79.1-4.amzn2.0.1

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.6 or higher.
This issue was patched in ALAS2-2024-2490.

ALAS2-2024-2490 vulnerability report

low severity

ALAS2-2024-2605

  • Vulnerable module: openssl11-libs
  • Introduced through: openssl11-libs@1:1.1.1g-12.amzn2.0.9
  • Fixed in: 1:1.1.1g-12.amzn2.0.22

Detailed paths

  • Introduced through: tomcat@jdk17-corretto openssl11-libs@1:1.1.1g-12.amzn2.0.9

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Amazon-Linux:2 openssl11-libs to version 1:1.1.1g-12.amzn2.0.22 or higher.
This issue was patched in ALAS2-2024-2605.

ALAS2-2024-2605 vulnerability report