ALAS2-2022-1758

Amazon Linux 2 Security Advisory: ALAS-2022-1758
Advisory Release Date: 2022-03-07 23:29 Pacific
Advisory Updated Date: 2022-03-08 18:12 Pacific
Severity: Important
Issue Overview:

A flaw was found in the SQL plugin shipped with Cyrus SASL. Failure to properly escape the SQL input allows a remote attacker to execute arbitrary SQL commands. This issue can lead to the escalation of privileges. (CVE-2022-24407)


Affected Packages:

cyrus-sasl


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update cyrus-sasl to update your system.

New Packages:
aarch64:
    cyrus-sasl-2.1.26-24.amzn2.aarch64
    cyrus-sasl-lib-2.1.26-24.amzn2.aarch64
    cyrus-sasl-devel-2.1.26-24.amzn2.aarch64
    cyrus-sasl-gssapi-2.1.26-24.amzn2.aarch64
    cyrus-sasl-plain-2.1.26-24.amzn2.aarch64
    cyrus-sasl-md5-2.1.26-24.amzn2.aarch64
    cyrus-sasl-ntlm-2.1.26-24.amzn2.aarch64
    cyrus-sasl-sql-2.1.26-24.amzn2.aarch64
    cyrus-sasl-ldap-2.1.26-24.amzn2.aarch64
    cyrus-sasl-scram-2.1.26-24.amzn2.aarch64
    cyrus-sasl-gs2-2.1.26-24.amzn2.aarch64
    cyrus-sasl-debuginfo-2.1.26-24.amzn2.aarch64

i686:
    cyrus-sasl-2.1.26-24.amzn2.i686
    cyrus-sasl-lib-2.1.26-24.amzn2.i686
    cyrus-sasl-devel-2.1.26-24.amzn2.i686
    cyrus-sasl-gssapi-2.1.26-24.amzn2.i686
    cyrus-sasl-plain-2.1.26-24.amzn2.i686
    cyrus-sasl-md5-2.1.26-24.amzn2.i686
    cyrus-sasl-ntlm-2.1.26-24.amzn2.i686
    cyrus-sasl-sql-2.1.26-24.amzn2.i686
    cyrus-sasl-ldap-2.1.26-24.amzn2.i686
    cyrus-sasl-scram-2.1.26-24.amzn2.i686
    cyrus-sasl-gs2-2.1.26-24.amzn2.i686
    cyrus-sasl-debuginfo-2.1.26-24.amzn2.i686

src:
    cyrus-sasl-2.1.26-24.amzn2.src

x86_64:
    cyrus-sasl-2.1.26-24.amzn2.x86_64
    cyrus-sasl-lib-2.1.26-24.amzn2.x86_64
    cyrus-sasl-devel-2.1.26-24.amzn2.x86_64
    cyrus-sasl-gssapi-2.1.26-24.amzn2.x86_64
    cyrus-sasl-plain-2.1.26-24.amzn2.x86_64
    cyrus-sasl-md5-2.1.26-24.amzn2.x86_64
    cyrus-sasl-ntlm-2.1.26-24.amzn2.x86_64
    cyrus-sasl-sql-2.1.26-24.amzn2.x86_64
    cyrus-sasl-ldap-2.1.26-24.amzn2.x86_64
    cyrus-sasl-scram-2.1.26-24.amzn2.x86_64
    cyrus-sasl-gs2-2.1.26-24.amzn2.x86_64
    cyrus-sasl-debuginfo-2.1.26-24.amzn2.x86_64

Additional References

Red Hat: CVE-2022-24407

Mitre: CVE-2022-24407