Amazon Linux AMI Security Advisory: ALAS-2017-814
Advisory Release Date: 2017-04-06 21:16 Pacific
Advisory Updated Date: 2017-04-17 16:35 Pacific
Possible double free in stcp_sendmsg() (incorrect fix for CVE-2017-5986 ):
It was found that the code in net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. This vulnerability was introduced by CVE-2017-5986 fix (commit 2dcab5984841).
Reachable BUG_ON from userspace in sctp_wait_for_sndbuf:
It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. (CVE-2017-5986 )
Shmat allows mmap null page protection bypass:
The do_shmat function in ipc/shm.c in the Linux kernel, through 4.9.12, does not restrict the address calculated by a certain rounding operation. This allows privileged local users to map page zero and, consequently, bypass a protection mechanism that exists for the mmap system call. This is possible by making crafted shmget and shmat system calls in a privileged context. (CVE-2017-5669 )
Run yum update kernel to update your system.