Amazon Linux 2 Security Advisory: ALAS-2024-2484
Advisory Release Date: 2024-02-29 10:03 Pacific
Advisory Updated Date: 2024-03-04 12:00 Pacific
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. (CVE-2023-40547)
Affected Packages:
shim
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update shim to update your system.
aarch64:
shim-unsigned-aa64-12-1.amzn2.0.4.aarch64
noarch:
shim-unsigned-x64-debuginfo-12-1.amzn2.0.4.noarch
shim-unsigned-aa64-debuginfo-12-1.amzn2.0.4.noarch
src:
shim-12-1.amzn2.0.4.src
x86_64:
shim-unsigned-x64-12-1.amzn2.0.4.x86_64
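
To confirm that a host actually carries the fixed build after `yum update shim`, the check below compares installed package strings against the version-release listed above. It is an added example, not part of the Amazon advisory; the function names, the `--host` flag and the script name are hypothetical, and it assumes `sort -V` ordering is an acceptable stand-in for RPM's own version comparison for these plain dotted strings with no epoch.

```bash
# Fixed version-release, taken from the package list in this advisory.
FIXED_VR="12-1.amzn2.0.4"

# Print "version-release" from a default `rpm -q` line (name-version-release.arch).
# Handles hyphenated names such as shim-unsigned-x64 and the -debuginfo packages.
nvra_to_vr() {
    local nvr name_ver
    nvr="${1%.*}"                 # drop the trailing ".arch"
    name_ver="${nvr%-*}"          # drop "-release"
    printf '%s-%s\n' "${name_ver##*-}" "${nvr##*-}"
}

# Succeed when the given version-release is at or above FIXED_VR.
# Assumption: `sort -V` stands in for RPM's comparison (no epoch handling).
vr_is_fixed() {
    local lowest
    lowest="$(printf '%s\n%s\n' "$1" "$FIXED_VR" | sort -V | head -n 1)"
    [ "$lowest" = "$FIXED_VR" ]
}

# Classify one line of `rpm -q` output as absent, fixed or needs-update.
classify() {
    case "$1" in
        *"is not installed"*) echo "absent"; return 0 ;;
    esac
    if vr_is_fixed "$(nvra_to_vr "$1")"; then
        echo "fixed"
    else
        echo "needs-update"
    fi
}

# Query the binary packages named in this advisory on the local host.
check_host() {
    local pkg
    for pkg in shim-unsigned-x64 shim-unsigned-aa64; do
        printf '%s: %s\n' "$pkg" "$(classify "$(rpm -q "$pkg" 2>&1)")"
    done
}

# Run against the host only when asked, e.g. ./check_shim.sh --host
# (check_shim.sh is a hypothetical file name).
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

A `needs-update` result on either package means the host still has a build older than the one this advisory lists.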