ALAS-2021-1499

Amazon Linux 1 Security Advisory: ALAS-2021-1499
Advisory Release Date: 2021-05-14 16:52 Pacific
Advisory Updated Date: 2021-05-19 17:34 Pacific

Severity: Important

References: CVE-2021-30465
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

The runc package is vulnerable to a symlink exchange attack whereby an attacker can request a seemingly innocuous container configuration that results in the host filesystem being bind-mounted into the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as to system availability. (CVE-2021-30465)

Affected Packages:

runc

Issue Correction:
Run yum update runc to update your system.

New Packages:

src:
    runc-1.0.0-0.3.20210225.git12644e6.4.amzn1.src

x86_64:
    runc-1.0.0-0.3.20210225.git12644e6.4.amzn1.x86_64
    runc-debuginfo-1.0.0-0.3.20210225.git12644e6.4.amzn1.x86_64

Additional References

Red Hat: CVE-2021-30465

Mitre: CVE-2021-30465