ALAS2LIVEPATCH-2020-015

Amazon Linux 2 Security Advisory: ALASLIVEPATCH-2020-015
Advisory Release Date: 2020-05-29 20:13 Pacific
Advisory Updated Date: 2020-06-03 19:06 Pacific

Severity: Medium

References: CVE-2020-10942
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls. (CVE-2020-10942)

Affected Packages:

kernel-livepatch-4.14.165-133.209

Issue Correction:
Enable the livepatch extra: amazon-linux-extras enable livepatch
Run yum update kernel-livepatch-4.14.165-133.209 to update your system.

New Packages:

src:
    kernel-livepatch-4.14.165-133.209-1.0-5.amzn2.src

x86_64:
    kernel-livepatch-4.14.165-133.209-1.0-5.amzn2.x86_64
    kernel-livepatch-4.14.165-133.209-debuginfo-1.0-5.amzn2.x86_64

Additional References

Red Hat: CVE-2020-10942

Mitre: CVE-2020-10942