ALAS2023-2023-285

Amazon Linux 2023 Security Advisory: ALAS-2023-285
Advisory Release Date: 2023-08-03 20:26 Pacific
Advisory Updated Date: 2023-08-31 21:41 Pacific
Severity: Medium
Issue Overview:

An issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c. (CVE-2022-48502)

A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled?address, potentially leading to information disclosure. (CVE-2023-20569)

An issue in "Zen 2" CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. (CVE-2023-20593)


Affected Packages:

kernel


Issue Correction:
Run dnf update kernel --releasever 2023.1.20230809 to update your system.

New Packages:
aarch64:
    kernel-tools-devel-6.1.41-63.114.amzn2023.aarch64
    python3-perf-6.1.41-63.114.amzn2023.aarch64
    python3-perf-debuginfo-6.1.41-63.114.amzn2023.aarch64
    kernel-tools-6.1.41-63.114.amzn2023.aarch64
    kernel-libbpf-devel-6.1.41-63.114.amzn2023.aarch64
    bpftool-debuginfo-6.1.41-63.114.amzn2023.aarch64
    perf-6.1.41-63.114.amzn2023.aarch64
    kernel-tools-debuginfo-6.1.41-63.114.amzn2023.aarch64
    kernel-livepatch-6.1.41-63.114-1.0-0.amzn2023.aarch64
    bpftool-6.1.41-63.114.amzn2023.aarch64
    kernel-libbpf-static-6.1.41-63.114.amzn2023.aarch64
    kernel-libbpf-6.1.41-63.114.amzn2023.aarch64
    perf-debuginfo-6.1.41-63.114.amzn2023.aarch64
    kernel-headers-6.1.41-63.114.amzn2023.aarch64
    kernel-debuginfo-6.1.41-63.114.amzn2023.aarch64
    kernel-6.1.41-63.114.amzn2023.aarch64
    kernel-debuginfo-common-aarch64-6.1.41-63.114.amzn2023.aarch64
    kernel-devel-6.1.41-63.114.amzn2023.aarch64

src:
    kernel-6.1.41-63.114.amzn2023.src

x86_64:
    kernel-libbpf-6.1.41-63.114.amzn2023.x86_64
    kernel-tools-debuginfo-6.1.41-63.114.amzn2023.x86_64
    kernel-debuginfo-6.1.41-63.114.amzn2023.x86_64
    python3-perf-debuginfo-6.1.41-63.114.amzn2023.x86_64
    perf-6.1.41-63.114.amzn2023.x86_64
    bpftool-6.1.41-63.114.amzn2023.x86_64
    bpftool-debuginfo-6.1.41-63.114.amzn2023.x86_64
    python3-perf-6.1.41-63.114.amzn2023.x86_64
    kernel-libbpf-static-6.1.41-63.114.amzn2023.x86_64
    kernel-libbpf-devel-6.1.41-63.114.amzn2023.x86_64
    kernel-tools-6.1.41-63.114.amzn2023.x86_64
    perf-debuginfo-6.1.41-63.114.amzn2023.x86_64
    kernel-livepatch-6.1.41-63.114-1.0-0.amzn2023.x86_64
    kernel-tools-devel-6.1.41-63.114.amzn2023.x86_64
    kernel-headers-6.1.41-63.114.amzn2023.x86_64
    kernel-6.1.41-63.114.amzn2023.x86_64
    kernel-debuginfo-common-x86_64-6.1.41-63.114.amzn2023.x86_64
    kernel-devel-6.1.41-63.114.amzn2023.x86_64

Changelog:

2023-08-31: CVE-2023-3611 was removed from this advisory.

2023-08-31: CVE-2023-3776 was removed from this advisory.

2023-08-31: The severity of this advisory was changed from important to medium.

2023-08-31: CVE-2023-20569 was added to this advisory.

Additional References

Release Notes:  Amazon Linux 2023 Release Notes

Red Hat: CVE-2022-48502, CVE-2023-20569, CVE-2023-20593

Mitre: CVE-2022-48502, CVE-2023-20569, CVE-2023-20593