Amazon Linux 1 Security Advisory: ALAS-2022-1565
Advisory Release Date: 2022-02-10 22:00 Pacific
Advisory Updated Date: 2022-02-18 22:48 Pacific
A flaw was found in OpenSSH. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privileges, potentially leading to local privilege escalation. (CVE-2021-41617)
Affected Packages:
openssh
Issue Correction:
Run yum update openssh to update your system.
i686:
openssh-ldap-7.4p1-22.77.amzn1.i686
openssh-debuginfo-7.4p1-22.77.amzn1.i686
openssh-7.4p1-22.77.amzn1.i686
openssh-keycat-7.4p1-22.77.amzn1.i686
openssh-clients-7.4p1-22.77.amzn1.i686
pam_ssh_agent_auth-0.10.3-2.22.77.amzn1.i686
openssh-cavs-7.4p1-22.77.amzn1.i686
openssh-server-7.4p1-22.77.amzn1.i686
src:
openssh-7.4p1-22.77.amzn1.src
x86_64:
openssh-keycat-7.4p1-22.77.amzn1.x86_64
openssh-debuginfo-7.4p1-22.77.amzn1.x86_64
pam_ssh_agent_auth-0.10.3-2.22.77.amzn1.x86_64
openssh-cavs-7.4p1-22.77.amzn1.x86_64
openssh-clients-7.4p1-22.77.amzn1.x86_64
openssh-server-7.4p1-22.77.amzn1.x86_64
openssh-ldap-7.4p1-22.77.amzn1.x86_64
openssh-7.4p1-22.77.amzn1.x86_64