Amazon Linux 2 Security Advisory: ALASLIVEPATCH-2020-028
Advisory Release Date: 2020-12-02 19:27 Pacific
Advisory Updated Date: 2021-04-07 18:53 Pacific
A flaw was found in the Linux kernel. A local attacker, able to inject conntrack netlink configuration, could overflow a local buffer causing crashes or triggering the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25211)
In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff. (CVE-2020-25211)
A flaw was found in the capabilities check of the rados block device functionality in the Linux kernel. Incorrect capability checks could alllow a local user with root priviledges (but no capabilities) to add or remove Rados Block Devices from the system. (CVE-2020-25284)
Affected Packages:
kernel-livepatch-4.14.192-147.314
Issue Correction:
Please ensure you have live patching enabled.
Run yum update kernel-livepatch-4.14.192-147.314 to update your system.
src:
kernel-livepatch-4.14.192-147.314-1.0-4.amzn2.src
x86_64:
kernel-livepatch-4.14.192-147.314-1.0-4.amzn2.x86_64
kernel-livepatch-4.14.192-147.314-debuginfo-1.0-4.amzn2.x86_64