ALAS-2023-1987

Amazon Linux 2 Security Advisory: ALAS-2023-1987
Advisory Release Date: 2023-03-17 16:34 Pacific
Advisory Updated Date: 2024-01-19 01:51 Pacific

Severity: Important

References: CVE-2023-0458 CVE-2023-1281 CVE-2023-1829 CVE-2023-1998 CVE-2023-2162 CVE-2023-26545 CVE-2023-2985 CVE-2023-3161 CVE-2023-45862 CVE-2023-7192
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

2024-01-19: CVE-2023-7192 was added to this advisory.

2023-10-25: CVE-2023-45862 was added to this advisory.

Detected a few exploitable gadgets that could leak secret memory through a side-channel such as MDS as well as insufficient hardening of the usercopy functions against spectre-v1. (CVE-2023-0458)

Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. (CVE-2023-1281)

A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.
We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)

When plain IBRS is enabled (not enhanced IBRS), the logic in spectre_v2_user_select_mitigation() determines that STIBP is not needed. The IBRS bit implicitly protects against cross-thread branch target
injection. However, with legacy IBRS, the IBRS bit is cleared on returning to userspace for performance reasons which leaves userspace threads vulnerable to cross-thread branch target injection against which STIBP protects. (CVE-2023-1998)

A use-after-free flaw was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in the SCSI sub-component in the Linux Kernel. This issue could allow an attacker to leak kernel internal information. (CVE-2023-2162)

In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)

A use-after-free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service. (CVE-2023-2985)

A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing a font->width and font->height greater than 32 to the fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs, leading to undefined behavior and possible denial of service. (CVE-2023-3161)

An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation. (CVE-2023-45862)

kernel: refcount leak in ctnetlink_create_conntrack() (CVE-2023-7192)

Affected Packages:

kernel

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update kernel to update your system.

New Packages:

aarch64:
    kernel-4.14.309-231.529.amzn2.aarch64
    kernel-headers-4.14.309-231.529.amzn2.aarch64
    kernel-debuginfo-common-aarch64-4.14.309-231.529.amzn2.aarch64
    perf-4.14.309-231.529.amzn2.aarch64
    perf-debuginfo-4.14.309-231.529.amzn2.aarch64
    python-perf-4.14.309-231.529.amzn2.aarch64
    python-perf-debuginfo-4.14.309-231.529.amzn2.aarch64
    kernel-tools-4.14.309-231.529.amzn2.aarch64
    kernel-tools-devel-4.14.309-231.529.amzn2.aarch64
    kernel-tools-debuginfo-4.14.309-231.529.amzn2.aarch64
    kernel-devel-4.14.309-231.529.amzn2.aarch64
    kernel-debuginfo-4.14.309-231.529.amzn2.aarch64

i686:
    kernel-headers-4.14.309-231.529.amzn2.i686

src:
    kernel-4.14.309-231.529.amzn2.src

x86_64:
    kernel-4.14.309-231.529.amzn2.x86_64
    kernel-headers-4.14.309-231.529.amzn2.x86_64
    kernel-debuginfo-common-x86_64-4.14.309-231.529.amzn2.x86_64
    perf-4.14.309-231.529.amzn2.x86_64
    perf-debuginfo-4.14.309-231.529.amzn2.x86_64
    python-perf-4.14.309-231.529.amzn2.x86_64
    python-perf-debuginfo-4.14.309-231.529.amzn2.x86_64
    kernel-tools-4.14.309-231.529.amzn2.x86_64
    kernel-tools-devel-4.14.309-231.529.amzn2.x86_64
    kernel-tools-debuginfo-4.14.309-231.529.amzn2.x86_64
    kernel-devel-4.14.309-231.529.amzn2.x86_64
    kernel-debuginfo-4.14.309-231.529.amzn2.x86_64
    kernel-livepatch-4.14.309-231.529-1.0-0.amzn2.x86_64

Additional References

Red Hat: CVE-2023-0458, CVE-2023-1281, CVE-2023-1829, CVE-2023-1998, CVE-2023-2162, CVE-2023-26545, CVE-2023-2985, CVE-2023-3161, CVE-2023-45862, CVE-2023-7192

Mitre: CVE-2023-0458, CVE-2023-1281, CVE-2023-1829, CVE-2023-1998, CVE-2023-2162, CVE-2023-26545, CVE-2023-2985, CVE-2023-3161, CVE-2023-45862, CVE-2023-7192