ALAS2023-2023-120

Amazon Linux 2023 Security Advisory: ALAS-2023-120
Advisory Release Date: 2023-03-06 17:50 Pacific
Advisory Updated Date: 2023-03-08 00:51 Pacific
Severity: Important
Issue Overview:

Memory exhaustion in the Kafka protocol dissector in Wireshark 4.0.0 to 4.0.1 and 3.6.0 to 3.6.9 allows denial of service via packet injection or crafted capture file (CVE-2022-4344)

Infinite loops in the BPv6, OpenFlow, and Kafka protocol dissectors in Wireshark 4.0.0 to 4.0.1 and 3.6.0 to 3.6.9 allows denial of service via packet injection or crafted capture file (CVE-2022-4345)

Excessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and ...

NOTE: https://www.wireshark.org/security/wnpa-sec-2023-06.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18711
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18720
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18737 (CVE-2023-0411)

TIPC dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file (CVE-2023-0412)

Dissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 ...

NOTE: https://www.wireshark.org/security/wnpa-sec-2023-03.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18766 (CVE-2023-0413)

Crash in the EAP dissector in Wireshark 4.0.0 to 4.0.2 allows denial of service via packet injection or crafted capture file (CVE-2023-0414)

iSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file (CVE-2023-0415)

GNW dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file (CVE-2023-0416)

Memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file (CVE-2023-0417)


Affected Packages:

wireshark


Issue Correction:
Run dnf update wireshark --releasever=2023.0.20230308 to update your system.

New Packages:
aarch64:
    wireshark-cli-debuginfo-4.0.3-1.amzn2023.0.1.aarch64
    wireshark-cli-4.0.3-1.amzn2023.0.1.aarch64
    wireshark-devel-4.0.3-1.amzn2023.0.1.aarch64
    wireshark-debugsource-4.0.3-1.amzn2023.0.1.aarch64

src:
    wireshark-4.0.3-1.amzn2023.0.1.src

x86_64:
    wireshark-cli-debuginfo-4.0.3-1.amzn2023.0.1.x86_64
    wireshark-cli-4.0.3-1.amzn2023.0.1.x86_64
    wireshark-devel-4.0.3-1.amzn2023.0.1.x86_64
    wireshark-debugsource-4.0.3-1.amzn2023.0.1.x86_64

Additional References

Red Hat: CVE-2022-4344, CVE-2022-4345, CVE-2023-0411, CVE-2023-0412, CVE-2023-0413, CVE-2023-0414, CVE-2023-0415, CVE-2023-0416, CVE-2023-0417

Mitre: CVE-2022-4344, CVE-2022-4345, CVE-2023-0411, CVE-2023-0412, CVE-2023-0413, CVE-2023-0414, CVE-2023-0415, CVE-2023-0416, CVE-2023-0417