ALAS-2022-1574

Amazon Linux 1 Security Advisory: ALAS-2022-1574
Advisory Release Date: 2022-03-10 00:54 Pacific
Advisory Updated Date: 2022-03-10 19:11 Pacific
Severity: Important
Issue Overview:

A flaw was found in the SQL plugin shipped with Cyrus SASL. Failure to properly escape the SQL input allows a remote attacker to execute arbitrary SQL commands. This issue can lead to the escalation of privileges. (CVE-2022-24407)


Affected Packages:

cyrus-sasl


Issue Correction:
Run yum update cyrus-sasl to update your system.

New Packages:
i686:
    cyrus-sasl-ldap-2.1.23-13.17.amzn1.i686
    cyrus-sasl-gssapi-2.1.23-13.17.amzn1.i686
    cyrus-sasl-md5-2.1.23-13.17.amzn1.i686
    cyrus-sasl-debuginfo-2.1.23-13.17.amzn1.i686
    cyrus-sasl-ntlm-2.1.23-13.17.amzn1.i686
    cyrus-sasl-2.1.23-13.17.amzn1.i686
    cyrus-sasl-plain-2.1.23-13.17.amzn1.i686
    cyrus-sasl-sql-2.1.23-13.17.amzn1.i686
    cyrus-sasl-devel-2.1.23-13.17.amzn1.i686
    cyrus-sasl-lib-2.1.23-13.17.amzn1.i686

src:
    cyrus-sasl-2.1.23-13.17.amzn1.src

x86_64:
    cyrus-sasl-plain-2.1.23-13.17.amzn1.x86_64
    cyrus-sasl-lib-2.1.23-13.17.amzn1.x86_64
    cyrus-sasl-gssapi-2.1.23-13.17.amzn1.x86_64
    cyrus-sasl-devel-2.1.23-13.17.amzn1.x86_64
    cyrus-sasl-debuginfo-2.1.23-13.17.amzn1.x86_64
    cyrus-sasl-sql-2.1.23-13.17.amzn1.x86_64
    cyrus-sasl-ntlm-2.1.23-13.17.amzn1.x86_64
    cyrus-sasl-md5-2.1.23-13.17.amzn1.x86_64
    cyrus-sasl-ldap-2.1.23-13.17.amzn1.x86_64
    cyrus-sasl-2.1.23-13.17.amzn1.x86_64

Additional References

Red Hat: CVE-2022-24407

Mitre: CVE-2022-24407