Amazon Linux 2 Security Advisory: ALASLIVEPATCH-2021-042
Advisory Release Date: 2021-03-24 16:59 Pacific
Advisory Updated Date: 2021-04-07 18:55 Pacific
A flaw was found in how the iSCSI driver in the Linux kernel handles access to sessions and handles. A local user could use this flaw to leak the kernel address of the iSCSI transport handle or to end arbitrary iSCSI connections on the system. (CVE-2021-27363)
A flaw was found in the Linux kernel. An out-of-bounds read was discovered in the libiscsi module that could lead to reading kernel memory or a crash. The highest threat from this vulnerability is to data confidentiality as well as system availability. (CVE-2021-27364)
A flaw was found in the Linux kernel. A heap buffer overflow in the iSCSI subsystem is triggered by setting an iSCSI string attribute to a value larger than one page and then trying to read it. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-27365)
Affected Packages:
kernel-livepatch-4.14.214-160.339
Issue Correction:
Please ensure you have live patching enabled.
Run yum update kernel-livepatch-4.14.214-160.339 to update your system.
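The check below is an added example, not part of the advisory: it classifies a host by whether its running kernel is the one this livepatch package targets and whether the installed package is at or above the fixed release listed on this page. The function names, the status strings and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host against ALASLIVEPATCH-2021-042.
TARGET_KERNEL="4.14.214-160.339"   # kernel this livepatch package is built for (from the advisory)
FIXED_VR="1.0-4.amzn2"             # fixed version-release (from the advisory)
PKG="kernel-livepatch-${TARGET_KERNEL}"

# vr_ge A B: true when version-release A >= B.
# Assumption: GNU `sort -V` ordering is close enough to rpm ordering for these strings.
vr_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# classify KERNEL_RELEASE INSTALLED_VR
#   KERNEL_RELEASE: output of `uname -r`
#   INSTALLED_VR:   version-release of $PKG, or empty when it is not installed
classify() {
    case "$1" in
        "${TARGET_KERNEL}".*) ;;                    # livepatch packages are tied to one kernel build
        *) echo "not-applicable"; return 0 ;;       # this package cannot patch a different kernel
    esac
    if [ -z "$2" ]; then
        echo "missing"                              # target kernel, no livepatch package installed
    elif vr_ge "$2" "$FIXED_VR"; then
        echo "fixed"                                # at or above the advisory's release
    else
        echo "outdated"                             # older livepatch release: run the yum update
    fi
}

# check_host: gather the two inputs from the live system (needs rpm).
check_host() {
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$PKG" 2>/dev/null) || vr=""
    classify "$(uname -r)" "$vr"
}

# Constructed sample inputs, so the script runs without rpm present.
classify "4.14.214-160.339.amzn2.x86_64" "1.0-3.amzn2"
classify "4.14.999-1.1.amzn2.x86_64" ""
```

An installed package does not by itself show that the patch is loaded into the running kernel; `kpatch list` reports the loaded patch modules.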
New Packages:
src:
kernel-livepatch-4.14.214-160.339-1.0-4.amzn2.src
x86_64:
kernel-livepatch-4.14.214-160.339-1.0-4.amzn2.x86_64
kernel-livepatch-4.14.214-160.339-debuginfo-1.0-4.amzn2.x86_64