ALAS-2024-615


Amazon Linux 2023 Security Advisory: ALAS-2024-615
Advisory Release Date: 2024-05-09 17:16 Pacific
Advisory Updated Date: 2024-05-15 19:36 Pacific
Severity: Medium

Issue Overview:

A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources.

For a description of this vulnerability, see the ClamAV blog. (CVE-2024-20290)


Affected Packages:

clamav


Issue Correction:
Run dnf update clamav --releasever 2023.4.20240513 to update your system.

New Packages:
aarch64:
    clamd-debuginfo-0.103.11-1.amzn2023.0.1.aarch64
    clamav-update-debuginfo-0.103.11-1.amzn2023.0.1.aarch64
    clamav-lib-debuginfo-0.103.11-1.amzn2023.0.1.aarch64
    clamav-update-0.103.11-1.amzn2023.0.1.aarch64
    clamav-milter-0.103.11-1.amzn2023.0.1.aarch64
    clamav-devel-0.103.11-1.amzn2023.0.1.aarch64
    clamd-0.103.11-1.amzn2023.0.1.aarch64
    clamav-debugsource-0.103.11-1.amzn2023.0.1.aarch64
    clamav-milter-debuginfo-0.103.11-1.amzn2023.0.1.aarch64
    clamav-debuginfo-0.103.11-1.amzn2023.0.1.aarch64
    clamav-0.103.11-1.amzn2023.0.1.aarch64
    clamav-lib-0.103.11-1.amzn2023.0.1.aarch64

noarch:
    clamav-filesystem-0.103.11-1.amzn2023.0.1.noarch
    clamav-data-0.103.11-1.amzn2023.0.1.noarch
    clamav-doc-0.103.11-1.amzn2023.0.1.noarch

src:
    clamav-0.103.11-1.amzn2023.0.1.src

x86_64:
    clamav-update-debuginfo-0.103.11-1.amzn2023.0.1.x86_64
    clamav-devel-0.103.11-1.amzn2023.0.1.x86_64
    clamav-milter-0.103.11-1.amzn2023.0.1.x86_64
    clamav-lib-0.103.11-1.amzn2023.0.1.x86_64
    clamav-milter-debuginfo-0.103.11-1.amzn2023.0.1.x86_64
    clamav-update-0.103.11-1.amzn2023.0.1.x86_64
    clamav-0.103.11-1.amzn2023.0.1.x86_64
    clamd-0.103.11-1.amzn2023.0.1.x86_64
    clamd-debuginfo-0.103.11-1.amzn2023.0.1.x86_64
    clamav-lib-debuginfo-0.103.11-1.amzn2023.0.1.x86_64
    clamav-debuginfo-0.103.11-1.amzn2023.0.1.x86_64
    clamav-debugsource-0.103.11-1.amzn2023.0.1.x86_64
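
To confirm a host has picked up the update, the check below flags any installed clam* package older than the fixed build listed above. It is an added example, not part of the advisory or of Amazon's tooling. The function names, the simplified version comparison, the epoch of 0 and the sample query output are assumptions made for illustration.

```python
import re
from itertools import zip_longest

# Input: rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n' 'clam*'
# Fixed build taken from the "New Packages" list; epoch 0 is an assumption.
FIXED = (0, "0.103.11", "1.amzn2023.0.1")
_SEG = re.compile(r"\d+|[A-Za-z]+|~")

def rpmvercmp(a, b):
    """Simplified rpm version compare (no '^' handling): returns -1, 0 or 1."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x == "~" or y == "~":         # '~' sorts before anything, even end of string
            return -1 if x == "~" else 1
        if x is None or y is None:       # otherwise the longer string is newer
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():  # numeric segments compare as integers
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
            continue
        if x.isdigit() != y.isdigit():   # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    return 0

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples: epoch, then version, then release."""
    return (a[0] > b[0]) - (a[0] < b[0]) or rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def unpatched(query_output):
    """Return (name, version-release) for clam* packages older than FIXED."""
    stale = []
    for line in query_output.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].startswith("clam"):
            continue
        name, epoch, version, release, _arch = fields
        evr = (0 if epoch == "(none)" else int(epoch), version, release)
        if evr_cmp(evr, FIXED) < 0:
            stale.append((name, f"{version}-{release}"))
    return stale

# Constructed sample of the query output, not taken from a real host.
SAMPLE = """\
clamav (none) 0.103.9 1.amzn2023.0.2 x86_64
clamav-lib (none) 0.103.11 1.amzn2023.0.1 x86_64
clamav-update 0 0.103.10 1.amzn2023.0.1 x86_64
bash (none) 5.2.15 1.amzn2023.0.2 x86_64
"""
```

Calling unpatched(SAMPLE) returns the two constructed entries below 0.103.11; a plain string comparison would wrongly rank 0.103.9 above 0.103.11, which is why the segments are compared numerically.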