[ALAS2-2023-2100] Amazon Linux 2 2017.12 - ALAS2-2023-2100: important priority package update for kernel

Severity Important

Affected Packages 26

CVEs 9

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2023-34256:
An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset.

CVE-2023-3111:
A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().

CVE-2023-3090:
A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.

The out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled.

We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.

CVE-2023-28466:
do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).

CVE-2023-2269:
A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.

CVE-2022-34918:
A heap buffer overflow flaw was found in the Linux kernel's Netfilter subsystem in the way a user provides incorrect input of the NFT_DATA_VERDICT type. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVE-2022-2586:
A use-after-free flaw was found in nf_tables cross-table in the net/netfilter/nf_tables_api.c function in the Linux kernel. This flaw allows a local, privileged attacker to cause a use-after-free problem at the time of table deletion, possibly leading to local privilege escalation.

Package	Affected Version
pkg:rpm/amazonlinux/python-perf?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/python-perf?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/python-perf-debuginfo?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/python-perf-debuginfo?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/perf?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/perf?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/perf-debuginfo?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/perf-debuginfo?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-tools?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-tools?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-tools-devel?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-tools-devel?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-tools-debuginfo?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-tools-debuginfo?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-livepatch-4.14.318-240.529?arch=x86_64&distro=amazonlinux-2	< 1.0-0.amzn2
pkg:rpm/amazonlinux/kernel-headers?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-headers?arch=i686&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-headers?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-devel?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-devel?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-debuginfo?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-debuginfo?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-debuginfo-common-x86_64?arch=x86_64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2
pkg:rpm/amazonlinux/kernel-debuginfo-common-aarch64?arch=aarch64&distro=amazonlinux-2	< 4.14.318-240.529.amzn2

ID

ALAS2-2023-2100

Severity

important

URL

https://alas.aws.amazon.com/AL2/ALAS-2023-2100.html

Published

2023-06-21T19:11:00
(15 months ago)

Modified

2023-07-17T17:39:00
(14 months ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	URL
CVE	CVE-2022-2586	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2586
CVE	CVE-2022-34918	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918
CVE	CVE-2023-2269	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2269
CVE	CVE-2023-28466	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28466
CVE	CVE-2023-3090	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3090
CVE	CVE-2023-3111	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3111
CVE	CVE-2023-34256	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34256

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/python-perf?arch=x86_64&distro=amazonlinux-2	amazonlinux	python-perf	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/python-perf?arch=aarch64&distro=amazonlinux-2	amazonlinux	python-perf	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/python-perf-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	python-perf-debuginfo	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/python-perf-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	python-perf-debuginfo	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/perf?arch=x86_64&distro=amazonlinux-2	amazonlinux	perf	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/perf?arch=aarch64&distro=amazonlinux-2	amazonlinux	perf	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/perf-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	perf-debuginfo	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/perf-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	perf-debuginfo	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/kernel?arch=x86_64&distro=amazonlinux-2	amazonlinux	kernel	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/kernel?arch=aarch64&distro=amazonlinux-2	amazonlinux	kernel	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/kernel-tools?arch=x86_64&distro=amazonlinux-2	amazonlinux	kernel-tools	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/kernel-tools?arch=aarch64&distro=amazonlinux-2	amazonlinux	kernel-tools	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/kernel-tools-devel?arch=x86_64&distro=amazonlinux-2	amazonlinux	kernel-tools-devel	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/kernel-tools-devel?arch=aarch64&distro=amazonlinux-2	amazonlinux	kernel-tools-devel	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/kernel-tools-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	kernel-tools-debuginfo	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/kernel-tools-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	kernel-tools-debuginfo	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/kernel-livepatch-4.14.318-240.529?arch=x86_64&distro=amazonlinux-2	amazonlinux	kernel-livepatch-4.14.318-240.529	< 1.0-0.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/kernel-headers?arch=x86_64&distro=amazonlinux-2	amazonlinux	kernel-headers	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/kernel-headers?arch=i686&distro=amazonlinux-2	amazonlinux	kernel-headers	< 4.14.318-240.529.amzn2	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/kernel-headers?arch=aarch64&distro=amazonlinux-2	amazonlinux	kernel-headers	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/kernel-devel?arch=x86_64&distro=amazonlinux-2	amazonlinux	kernel-devel	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/kernel-devel?arch=aarch64&distro=amazonlinux-2	amazonlinux	kernel-devel	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/kernel-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	kernel-debuginfo	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/kernel-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	kernel-debuginfo	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/kernel-debuginfo-common-x86_64?arch=x86_64&distro=amazonlinux-2	amazonlinux	kernel-debuginfo-common-x86_64	< 4.14.318-240.529.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/kernel-debuginfo-common-aarch64?arch=aarch64&distro=amazonlinux-2	amazonlinux	kernel-debuginfo-common-aarch64	< 4.14.318-240.529.amzn2	amazonlinux-2	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date