ALASLIVEPATCH-2023-020

Amazon Linux 2023 Security Advisory: ALASLIVEPATCH-2023-020
Advisory Release Date: 2023-12-06 07:52 Pacific
Advisory Updated Date: 2023-12-14 21:41 Pacific

Severity: Important

References: CVE-2023-6111
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The function nft_trans_gc_catchall did not remove the catchall set element from the catchall_list when the argument sync is true, making it possible to free a catchall set element many times.

We recommend upgrading past commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630. (CVE-2023-6111)

Affected Packages:

kernel-livepatch-6.1.61-85.141

Issue Correction:
Please ensure you have live patching enabled.
Run dnf update kernel-livepatch-6.1.61-85.141 to update your system.

New Packages:

aarch64:
    kernel-livepatch-6.1.61-85.141-1.0-1.amzn2023.aarch64

src:
    kernel-livepatch-6.1.61-85.141-1.0-1.amzn2023.src

x86_64:
    kernel-livepatch-6.1.61-85.141-1.0-1.amzn2023.x86_64

Additional References

Red Hat: CVE-2023-6111

Mitre: CVE-2023-6111

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALASLIVEPATCH-2023-020

Additional References