Amazon Linux 2 Security Advisory: ALASNITRO-ENCLAVES-2021-003
Advisory Release Date: 2021-10-22 22:38 Pacific
Advisory Updated Date: 2021-11-18 21:37 Pacific
Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. (CVE-2018-20699)
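The bug class behind CVE-2018-20699, shown as an added example rather than Docker's own code (Docker's parser is Go): a cpuset list such as "0-3,5" is expanded range by range, and if the upper bound of a range is never checked against anything, a value like "0-99999999999" makes the daemon allocate until it runs out of memory. The naive parser below has that shape; the hardened one validates both ends of every range before expanding it. MAX_CPU_ID is an assumed host limit; a real implementation would take the count of CPUs the host exposes.

```python
"""Bounded parsing of cpuset lists such as "0-3,5".

Added example, not Docker's code. It shows the bug class behind
CVE-2018-20699: a range "lo-hi" is expanded into a set before hi is
checked against anything, so a huge hi makes the process allocate until
it runs out of memory. MAX_CPU_ID is an assumed host limit.
"""

MAX_CPU_ID = 63  # assumption: 64 logical CPUs, ids 0..63


def parse_cpuset_naive(spec):
    """Vulnerable shape: expands every range with no upper bound.

    "0-99999999999" would try to build a set of 10^11 integers.
    """
    result = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            result.update(range(int(lo), int(hi) + 1))
        else:
            result.add(int(part))
    return result


def _cpu_id(text, max_id):
    """Parse one CPU id and enforce the bound before it is used anywhere."""
    if not text.isdigit():
        raise ValueError(f"invalid cpu id {text!r}")
    value = int(text)
    if value > max_id:
        raise ValueError(f"cpu id {value} exceeds host maximum {max_id}")
    return value


def parse_cpuset(spec, max_id=MAX_CPU_ID):
    """Hardened parser: both ends of a range are validated before expansion,
    so the largest possible allocation is max_id + 1 entries."""
    result = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_text, hi_text = part.split("-", 1)
            lo, hi = _cpu_id(lo_text, max_id), _cpu_id(hi_text, max_id)
            if lo > hi:
                raise ValueError(f"inverted range {part!r}")
            result.update(range(lo, hi + 1))
        else:
            result.add(_cpu_id(part, max_id))
    return result


if __name__ == "__main__":
    print(sorted(parse_cpuset("0-3,5")))
    for bad in ("0-99999999999", "3-1", "1-x"):
        try:
            parse_cpuset(bad)
        except ValueError as err:
            print("rejected:", err)
```

The general rule is to validate every user-supplied bound against a fixed resource limit before any allocation is sized from it; the same shape applies to --cpuset-mems, where the bound is the number of memory nodes.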
A command injection flaw was discovered in Docker during the `docker build` command. By providing a specially crafted path argument for the container to build, it is possible to inject command options to the `git fetch`/`git checkout` commands that are executed by Docker and to execute code with the privileges of the user running Docker. A local attacker who can run `docker build` with a controlled build path, or a remote attacker who has control over the docker build path, could elevate their privileges or execute code. (CVE-2019-13139)
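The shape of CVE-2019-13139, as an added example that is not Docker's code (Docker's builder is Go): docker build accepts a git context of the form url#ref:dir, and the ref becomes a positional argument to git. Anything beginning with "-" at that position is parsed by git as an option, so a hostile context smuggles a flag such as --upload-pack into the fetch. The vulnerable builder below inserts the ref unchecked; the hardened one rejects option-looking parts and ends option parsing with "--". The argv lists are constructed only, never executed, and the example.invalid inputs are constructed.

```python
"""Argument injection when a user-controlled build context reaches git.

Added example, not Docker's code. It sketches the shape of
CVE-2019-13139: a context of the form url#ref:dir is split and the ref
ends up as a positional argument to git. A ref beginning with '-' is
parsed by git as an option. Commands are only constructed as argv lists;
nothing is executed.
"""
import shlex


def split_context(context):
    """Split 'url#ref:dir' (the documented docker build git form) into parts."""
    url, _, fragment = context.partition("#")
    ref, _, subdir = fragment.partition(":")
    return url, ref, subdir


def fetch_argv_vulnerable(context):
    """Vulnerable shape: the ref is placed on the command line unchecked."""
    _url, ref, _subdir = split_context(context)
    return ["git", "fetch", "--depth", "1", "origin", ref or "HEAD"]


def looks_like_option(value):
    """True for anything git's option parser would treat as a flag."""
    return value.startswith("-")


def fetch_argv_hardened(context):
    """Hardened: reject option-looking parts and end option parsing with '--'."""
    url, ref, subdir = split_context(context)
    for name, value in (("url", url), ("ref", ref), ("dir", subdir)):
        if looks_like_option(value):
            raise ValueError(f"refusing {name} that looks like a git option: {value!r}")
    # '--' makes git treat everything after it as positional, so even a
    # value that slipped past the check above cannot become an option.
    return ["git", "fetch", "--depth", "1", "--", "origin", ref or "HEAD"]


def render(argv):
    """Shell-quoted rendering for logs and review; not for execution."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed inputs; example.invalid is a reserved, non-resolving domain.
    benign = "https://example.invalid/app.git#main:docker"
    hostile = "https://example.invalid/app.git#--upload-pack=/tmp/evil:docker"
    print(render(fetch_argv_vulnerable(hostile)))  # the option is smuggled in
    print(render(fetch_argv_hardened(benign)))
    try:
        fetch_argv_hardened(hostile)
    except ValueError as err:
        print("rejected:", err)
```

Keep both defences: the "--" separator only helps for subcommands where it means end of options, and for git checkout it instead marks the start of pathspecs, so there the leading-dash rejection (ideally combined with a refname validator such as git check-ref-format) is the only protection.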
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non-external) secrets. It potentially applies to other API users of the stack API if they resend the secret. (CVE-2019-13509)
Affected Packages:
docker
Note:
This advisory is applicable to Amazon Linux 2 - Nitro-enclaves Extra. See the Amazon Linux 2 Extras documentation to learn more about AL2 Extras, and the ALAS FAQ for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update docker to update your system. The fix only takes effect once the updated binary is running, so restart the docker service after the update (this restarts running containers unless live-restore is enabled), and confirm with rpm -q docker that the installed package matches one of the fixed versions listed below.
aarch64:
docker-18.09.9ce-2.amzn2.aarch64
docker-debuginfo-18.09.9ce-2.amzn2.aarch64
src:
docker-18.09.9ce-2.amzn2.src
x86_64:
docker-18.09.9ce-2.amzn2.x86_64
docker-debuginfo-18.09.9ce-2.amzn2.x86_64
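An added example, not an Amazon Linux tool, for checking a fleet against the fixed versions listed above. It reimplements the core of rpm's version comparison (digit runs compare numerically, letter runs lexically, a numeric segment beats an alpha one, "~" sorts before anything; the "^" rule is omitted), which matters because "18.09.10ce" must sort after "18.09.9ce" and a plain string compare gets that wrong. The input lines are what rpm -qa prints with the query format shown in the docstring; the SAMPLE lines are constructed, not captured from a real host.

```python
r"""Check installed docker packages against the fixed versions in this advisory.

Added example, not an Amazon Linux tool. It reimplements the core of
rpm's rpmvercmp (without the '^' rule) so that "18.09.10ce" sorts after
"18.09.9ce". Input is the output of:
  rpm -qa --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}|:%{VERSION}-%{RELEASE} %{ARCH}\n'
The SAMPLE lines are constructed, not taken from a real host.
"""
import re

# Fixed EVRs from the advisory's package list (same for aarch64 and x86_64).
FIXED = {
    "docker": "0:18.09.9ce-2.amzn2",
    "docker-debuginfo": "0:18.09.9ce-2.amzn2",
}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp (without the '^' rule)."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            return 1 if x_num else -1  # a numeric segment beats an alpha one
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # Whichever side has segments left wins, unless that segment is '~'.
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    return 1 if sb[len(sa)] == "~" else -1


def parse_evr(evr):
    """Split 'epoch:version-release' (epoch optional) into its three parts."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        result = rpmvercmp(x, y)
        if result:
            return result
    return 0


def assess(rpm_lines, fixed=FIXED):
    """Return (name, arch, installed EVR, 'fixed' | 'vulnerable') for every
    installed package the advisory names; other packages are skipped."""
    report = []
    for line in rpm_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        name, evr, arch = parts
        if name not in fixed:
            continue
        status = "fixed" if evr_cmp(evr, fixed[name]) >= 0 else "vulnerable"
        report.append((name, arch, evr, status))
    return report


# Constructed sample, as if collected from several AL2 hosts.
SAMPLE = [
    "docker 0:18.09.5ce-1.amzn2 x86_64",
    "docker 0:18.09.9ce-2.amzn2 aarch64",
    "docker 0:18.09.10ce-1.amzn2 x86_64",
    "docker-debuginfo 0:18.09.9ce-1.amzn2 x86_64",
    "containerd 0:1.4.6-2.amzn2 x86_64",
]

if __name__ == "__main__":
    for name, arch, evr, status in assess(SAMPLE):
        print(f"{name + '.' + arch:28} {evr:24} {status}")
```

Note that a same-version package with an older release (the debuginfo line above) is still reported as vulnerable, since the release is part of the comparison; that is the case a "version starts with 18.09.9" check would miss.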