ALAS-2024-2586

Amazon Linux 2 Security Advisory: ALAS-2024-2586
Advisory Release Date: 2024-07-03 20:05 Pacific
Advisory Updated Date: 2024-07-11 13:40 Pacific

Severity: Important

References: CVE-2023-4727
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege. (CVE-2023-4727)

Affected Packages:

pki-core

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update pki-core to update your system.

New Packages:

aarch64:
    pki-symkey-10.5.18-27.amzn2.0.2.aarch64
    pki-tools-10.5.18-27.amzn2.0.2.aarch64
    pki-core-debuginfo-10.5.18-27.amzn2.0.2.aarch64

i686:
    pki-symkey-10.5.18-27.amzn2.0.2.i686
    pki-tools-10.5.18-27.amzn2.0.2.i686
    pki-core-debuginfo-10.5.18-27.amzn2.0.2.i686

noarch:
    pki-base-10.5.18-27.amzn2.0.2.noarch
    pki-base-java-10.5.18-27.amzn2.0.2.noarch
    pki-server-10.5.18-27.amzn2.0.2.noarch
    pki-ca-10.5.18-27.amzn2.0.2.noarch
    pki-kra-10.5.18-27.amzn2.0.2.noarch
    pki-javadoc-10.5.18-27.amzn2.0.2.noarch

src:
    pki-core-10.5.18-27.amzn2.0.2.src

x86_64:
    pki-symkey-10.5.18-27.amzn2.0.2.x86_64
    pki-tools-10.5.18-27.amzn2.0.2.x86_64
    pki-core-debuginfo-10.5.18-27.amzn2.0.2.x86_64

Additional References

Red Hat: CVE-2023-4727

Mitre: CVE-2023-4727

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS-2024-2586

Additional References