ALASKERNEL-5.4-2023-042

Amazon Linux 2 Security Advisory: ALASKERNEL-5.4-2023-042
Advisory Release Date: 2023-02-17 00:07 Pacific
Advisory Updated Date: 2024-02-01 20:10 Pacific
Severity: Important
Issue Overview:

2024-02-01: CVE-2023-1073 was added to this advisory.

2024-02-01: CVE-2023-0461 was added to this advisory.

A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service. (CVE-2022-4129)

In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands. This affects qdisc_graft in net/sched/sch_api.c. (CVE-2022-47929)

The Linux kernel does not correctly mitigate SMT attacks, as discovered through a strange pattern in the kernel API using STIBP as a mitigation, leaving the process exposed for a short period of time after a syscall. The kernel also does not issue an IBPB immediately during the syscall. (CVE-2023-0045)

A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)

Detected a few exploitable gadgets that could leak secret memory through a side-channel such as MDS as well as insufficient hardening of the usercopy functions against spectre-v1. (CVE-2023-0459)

There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege.

There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock.

When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.

The setsockopt TCP_ULP operation does not require any privilege.

We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c (CVE-2023-0461)

A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2023-1073)

cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23454)

atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23455)


Affected Packages:

kernel


Note:

This advisory is applicable to Amazon Linux 2 - Kernel-5.4 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update kernel to update your system.

New Packages:
aarch64:
    kernel-5.4.231-137.341.amzn2.aarch64
    kernel-headers-5.4.231-137.341.amzn2.aarch64
    kernel-debuginfo-common-aarch64-5.4.231-137.341.amzn2.aarch64
    perf-5.4.231-137.341.amzn2.aarch64
    perf-debuginfo-5.4.231-137.341.amzn2.aarch64
    python-perf-5.4.231-137.341.amzn2.aarch64
    python-perf-debuginfo-5.4.231-137.341.amzn2.aarch64
    kernel-tools-5.4.231-137.341.amzn2.aarch64
    kernel-tools-devel-5.4.231-137.341.amzn2.aarch64
    kernel-tools-debuginfo-5.4.231-137.341.amzn2.aarch64
    bpftool-5.4.231-137.341.amzn2.aarch64
    bpftool-debuginfo-5.4.231-137.341.amzn2.aarch64
    kernel-devel-5.4.231-137.341.amzn2.aarch64
    kernel-debuginfo-5.4.231-137.341.amzn2.aarch64

i686:
    kernel-headers-5.4.231-137.341.amzn2.i686

src:
    kernel-5.4.231-137.341.amzn2.src

x86_64:
    kernel-5.4.231-137.341.amzn2.x86_64
    kernel-headers-5.4.231-137.341.amzn2.x86_64
    kernel-debuginfo-common-x86_64-5.4.231-137.341.amzn2.x86_64
    perf-5.4.231-137.341.amzn2.x86_64
    perf-debuginfo-5.4.231-137.341.amzn2.x86_64
    python-perf-5.4.231-137.341.amzn2.x86_64
    python-perf-debuginfo-5.4.231-137.341.amzn2.x86_64
    kernel-tools-5.4.231-137.341.amzn2.x86_64
    kernel-tools-devel-5.4.231-137.341.amzn2.x86_64
    kernel-tools-debuginfo-5.4.231-137.341.amzn2.x86_64
    bpftool-5.4.231-137.341.amzn2.x86_64
    bpftool-debuginfo-5.4.231-137.341.amzn2.x86_64
    kernel-devel-5.4.231-137.341.amzn2.x86_64
    kernel-debuginfo-5.4.231-137.341.amzn2.x86_64

Additional References

Red Hat: CVE-2022-4129, CVE-2022-47929, CVE-2023-0045, CVE-2023-0394, CVE-2023-0459, CVE-2023-0461, CVE-2023-1073, CVE-2023-23454, CVE-2023-23455

Mitre: CVE-2022-4129, CVE-2022-47929, CVE-2023-0045, CVE-2023-0394, CVE-2023-0459, CVE-2023-0461, CVE-2023-1073, CVE-2023-23454, CVE-2023-23455