Amazon Linux 2 Security Advisory: ALASNITRO-ENCLAVES-2021-002
Advisory Release Date: 2021-10-22 22:50 Pacific
Advisory Updated Date: 2021-11-18 21:37 Pacific
A flaw was found in Docker when it creates network bridges that accept IPv6 router advertisements by default. This flaw allows an attacker who can execute code in a container to possibly spoof rogue IPv6 router advertisements to perform a man-in-the-middle (MitM) attack against the host network or another container. (CVE-2020-13401)
A flaw was found in moby. Moby buildkit calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call. (CVE-2020-27534)
Affected Packages:
docker
Note:
This advisory is applicable to Amazon Linux 2 - Nitro-enclaves Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update docker to update your system.
aarch64:
docker-19.03.13ce-1.amzn2.aarch64
docker-debuginfo-19.03.13ce-1.amzn2.aarch64
src:
docker-19.03.13ce-1.amzn2.src
x86_64:
docker-19.03.13ce-1.amzn2.x86_64
docker-debuginfo-19.03.13ce-1.amzn2.x86_64