Amazon Linux 2023 Security Advisory: ALAS-2023-141
Advisory Release Date: 2023-03-20 18:27 Pacific
Advisory Updated Date: 2023-03-22 23:21 Pacific
Severity:
Important
Issue Overview:
multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR. (CVE-2022-41974)
Affected Packages:
device-mapper-multipath
Issue Correction:
Run dnf update --releasever=2023.0.20230322 device-mapper-multipath to update your system.
New Packages:
aarch64:
kpartx-debuginfo-0.8.7-16.amzn2023.0.2.aarch64
device-mapper-multipath-devel-0.8.7-16.amzn2023.0.2.aarch64
kpartx-0.8.7-16.amzn2023.0.2.aarch64
libdmmp-devel-0.8.7-16.amzn2023.0.2.aarch64
device-mapper-multipath-libs-debuginfo-0.8.7-16.amzn2023.0.2.aarch64
libdmmp-0.8.7-16.amzn2023.0.2.aarch64
libdmmp-debuginfo-0.8.7-16.amzn2023.0.2.aarch64
device-mapper-multipath-debuginfo-0.8.7-16.amzn2023.0.2.aarch64
device-mapper-multipath-0.8.7-16.amzn2023.0.2.aarch64
device-mapper-multipath-libs-0.8.7-16.amzn2023.0.2.aarch64
device-mapper-multipath-debugsource-0.8.7-16.amzn2023.0.2.aarch64
src:
device-mapper-multipath-0.8.7-16.amzn2023.0.2.src
x86_64:
kpartx-debuginfo-0.8.7-16.amzn2023.0.2.x86_64
device-mapper-multipath-debuginfo-0.8.7-16.amzn2023.0.2.x86_64
device-mapper-multipath-0.8.7-16.amzn2023.0.2.x86_64
device-mapper-multipath-libs-debuginfo-0.8.7-16.amzn2023.0.2.x86_64
libdmmp-debuginfo-0.8.7-16.amzn2023.0.2.x86_64
device-mapper-multipath-libs-0.8.7-16.amzn2023.0.2.x86_64
device-mapper-multipath-devel-0.8.7-16.amzn2023.0.2.x86_64
device-mapper-multipath-debugsource-0.8.7-16.amzn2023.0.2.x86_64
kpartx-0.8.7-16.amzn2023.0.2.x86_64
libdmmp-0.8.7-16.amzn2023.0.2.x86_64
libdmmp-devel-0.8.7-16.amzn2023.0.2.x86_64