Amazon Linux 2023 Security Advisory: ALAS-2023-038
Advisory Release Date: 2023-02-17 20:44 Pacific
Advisory Updated Date: 2023-02-22 23:50 Pacific
Severity: Medium

Issue Overview:

A NULL pointer exception flaw was found in Wireshark. A process failure on crafted or malformed input in the IPPUSB dissector can cause a denial of service via a packet injection or a crafted capture file. (CVE-2021-39920)

A NULL pointer exception flaw was found in Wireshark. A process failure on crafted or malformed input in the Modbus dissector can cause a denial of service via a packet injection or crafted capture file. (CVE-2021-39921)

A flaw was found in Wireshark. A process failure on crafted or malformed ANSI C12.22 input can cause a denial of service via packet injection or a crafted capture file. (CVE-2021-39922)

A flaw was found in Wireshark. A process failure consumes excessive CPU resources on crafted or malformed PNRP input and can cause a denial of service. (CVE-2021-39923)

A flaw was found in Wireshark. A process failure on crafted or malformed Bluetooth DHT input can cause a denial of service via packet injection or a crafted capture file. (CVE-2021-39924)

A flaw was found in Wireshark. A process failure on crafted or malformed Bluetooth SDP input can cause a denial of service via packet injection or a crafted capture file. (CVE-2021-39925)

A flaw was found in Wireshark. A process failure on crafted or malformed HCI_ISO input can cause a denial of service via packet injection or a crafted capture file. (CVE-2021-39926)

A flaw was found in Wireshark. A process failure on crafted or malformed IEEE 802.11 input can cause a denial of service via packet injection or a crafted capture file. (CVE-2021-39928)

A flaw was found in Wireshark. A process failure on crafted or malformed Bluetooth DHT input can cause a denial of service. (CVE-2021-39929)

A denial of service via packet injection flaw was found in Wireshark. An attacker with local network access could pass specially crafted capture files, causing an application to halt or crash, leading to a denial of service. (CVE-2021-4181)

A parser infinite-loop flaw was found in Wireshark. An attacker with local network access could pass specially crafted capture files, causing an application to halt, crash, or go into an infinite loop. (CVE-2021-4182)

An infinite-loop flaw was found in Wireshark's DHT dissector module. This flaw allows an attacker with local network access to pass specially crafted capture files, causing an application to halt, crash or go into an infinite loop. (CVE-2021-4184)

An infinite-loop flaw was found in Wireshark RTMPT. This flaw allows an attacker with local network access to pass specially crafted capture files, causing an application to halt, crash, or go into an infinite loop. (CVE-2021-4185)

A segmentation issue was found in Wireshark. This flaw allows an attacker with local network access to pass specially crafted capture files, causing an application to halt or crash. (CVE-2021-4186)

An infinite-loop flaw was found in Wireshark. This flaw allows an attacker with local network access to pass specially crafted capture files, causing an application to halt, crash, or go into an infinite loop. (CVE-2021-4190)

Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file. (CVE-2022-0581)

Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file. (CVE-2022-0582)

Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file. (CVE-2022-0583)

Large loops in multiple protocol dissectors in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allow denial of service via packet injection or crafted capture file. (CVE-2022-0585)

Infinite loop in the RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file. (CVE-2022-0586)

Infinite loop in the F5 Ethernet Trailer protocol dissector in Wireshark 3.6.0 to 3.6.7 and 3.4.0 to 3.4.15 allows denial of service via packet injection or crafted capture file. (CVE-2022-3190)

Crash in the OPUS protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file. (CVE-2022-3725)


Affected Packages:

wireshark


Issue Correction:
Run dnf update wireshark --releasever=2023.0.20230222 to update your system.

New Packages:
aarch64:
    wireshark-cli-debuginfo-4.0.2-1.amzn2023.0.2.aarch64
    wireshark-devel-4.0.2-1.amzn2023.0.2.aarch64
    wireshark-cli-4.0.2-1.amzn2023.0.2.aarch64
    wireshark-debugsource-4.0.2-1.amzn2023.0.2.aarch64

src:
    wireshark-4.0.2-1.amzn2023.0.2.src

x86_64:
    wireshark-cli-debuginfo-4.0.2-1.amzn2023.0.2.x86_64
    wireshark-cli-4.0.2-1.amzn2023.0.2.x86_64
    wireshark-devel-4.0.2-1.amzn2023.0.2.x86_64
    wireshark-debugsource-4.0.2-1.amzn2023.0.2.x86_64
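The following script is an added verification example and is not part of the advisory or of Amazon's tooling. It checks that the dnf update above actually took effect by comparing the installed wireshark-cli build against the fixed build listed under New Packages (4.0.2-1.amzn2023.0.2). The version comparison is a deliberately small field-wise ordering written for this example (numeric fields compared numerically, other fields as strings); it does not implement RPM epochs or the full rpmvercmp rules. The package name, messages and exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the ALAS-2023-038 advisory): confirm that wireshark-cli
# on an Amazon Linux 2023 host is at or above the fixed build from this advisory.

FIXED_VERSION="4.0.2-1.amzn2023.0.2"   # fixed build from the advisory's New Packages list
PACKAGE="wireshark-cli"                # package queried on the host (example's choice)

# is_num STRING: succeed when STRING is a non-empty run of digits.
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# version_cmp A B: print -1, 0 or 1 for A < B, A = B, A > B.
# '.' and '-' are both field separators; missing trailing fields count as 0,
# so "4.0.2" and "4.0.2.0" compare equal. Simplified: no epoch handling, and a
# non-numeric field (e.g. "amzn2023") falls back to plain string order.
version_cmp() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in *.*) fa=${a%%.*}; a=${a#*.} ;; *) fa=$a; a='' ;; esac
        case "$b" in *.*) fb=${b%%.*}; b=${b#*.} ;; *) fb=$b; b='' ;; esac
        [ -z "$fa" ] && fa=0
        [ -z "$fb" ] && fb=0
        if is_num "$fa" && is_num "$fb"; then
            # Numeric comparison, so 10 sorts after 2 (lexical order would get this wrong).
            [ "$fa" -lt "$fb" ] && { printf '%s\n' -1; return 0; }
            [ "$fa" -gt "$fb" ] && { printf '%s\n' 1; return 0; }
        elif [ "$fa" != "$fb" ]; then
            lower=$(printf '%s\n%s\n' "$fa" "$fb" | sort | head -n 1)
            if [ "$lower" = "$fa" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
            return 0
        fi
    done
    printf '%s\n' 0
}

# version_ge A B: succeed when A >= B.
version_ge() {
    [ "$(version_cmp "$1" "$2")" -ge 0 ]
}

# is_patched VERSION_RELEASE: succeed when the given installed build is at or
# above FIXED_VERSION.
is_patched() {
    version_ge "$1" "$FIXED_VERSION"
}

# check_host: query rpm on the local host. Returns 0 when the package is absent
# or already at the fixed build, 1 when an older build is still installed.
check_host() {
    if ! rpm -q "$PACKAGE" >/dev/null 2>&1; then
        printf '%s is not installed; nothing to do\n' "$PACKAGE"
        return 0
    fi
    # VERSION-RELEASE of the first installed instance (multi-arch installs print several).
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PACKAGE" 2>/dev/null | head -n 1)
    if is_patched "$installed"; then
        printf '%s %s is at or above the fixed build %s\n' "$PACKAGE" "$installed" "$FIXED_VERSION"
        return 0
    fi
    printf 'VULNERABLE: %s %s is older than %s; run: dnf update wireshark --releasever=2023.0.20230222\n' \
        "$PACKAGE" "$installed" "$FIXED_VERSION"
    return 1
}

# Run the live check only where rpm exists (i.e. on the host itself).
if command -v rpm >/dev/null 2>&1; then
    check_host
fi
```

Run it as `sh check_wireshark_alas.sh` on the updated host; a non-zero exit from check_host is what a compliance job would key on. The comparison functions take plain version strings, so they can also be exercised offline against constructed values such as 4.0.10-1.amzn2023.0.1, which is newer than the fixed build even though it sorts before it lexically.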