General FAQs
What do the severity ratings mean?
The severity ratings represent the seriousness of a security issue for Amazon Linux. They take into account the potential risk to instances as well as default configurations and other existing mitigations that reduce that risk.
| Severity Rating | Description |
|---|---|
| Critical | Security issues that are exploitable remotely by an unauthenticated user and give that user privileged access on the affected operating system. A requirement for user interaction, a local user, or physical access makes it unlikely that an issue would be classified as Critical. |
| Important | Security issues that can easily compromise the confidentiality, integrity, or availability of resources. These are security issues that allow local users to gain additional privileges, allow unauthorized remote access to execute arbitrary code and reach resources that authentication or other controls should otherwise protect, or allow remote unauthenticated users to disrupt the normal operation of the system. |
| Medium | Security issues that can lead to some compromise of the confidentiality, integrity, or availability of resources but are more difficult to exploit. These security issues are mitigated by factors such as authentication and default configurations. |
| Low | Security issues that do not match the description of a higher rating but still have a security impact. These are often issues that require unlikely circumstances to be exploited, such as an attacker first obtaining administrative privileges. |
Why does Amazon Linux's score and severity rating for a CVE differ from the other sources of CVE information?
Amazon Linux evaluates each CVE for its applicability to and impact on our products. Our CVSS scores may differ from those of NVD and other vendors because of the characteristics of our software, such as versions, infrastructure platforms, default configurations, or build environments. Other vendors target environments with their own characteristics (other Linux distributions) or provide generic evaluations that cannot take the execution environment into account.
What is the meaning of the CVE status?
CVE statuses reflect the latest information available when the page was updated. They are reviewed whenever we receive new information about a CVE.
| CVE Status | Description |
|---|---|
| Not Affected | Amazon Linux has not shipped the package affected by the security issue on this platform. It could also mean that the issue was already fixed by the time the platform was first released or that the vulnerable code path is disabled at build time. |
| Pending Fix | The latest version of this package vended on this platform contains the security issue described by the CVE. Amazon Linux is working on a fix that will be published in an upcoming repository push. |
| No Fix Planned | Amazon Linux does not plan to release a fix at this time. The description will include an explanation or a recommended mitigation. |
| Fixed | A fix was provided and is available in the RPM repositories. |
How does Amazon Linux prioritize CVE fixes?
Amazon Linux prioritizes fixes for security issues based on their severity first. The impact of the fix on users, testing requirements, and the complexity of the fix are also considered when establishing the release schedule.
When does Amazon Linux publish security advisories?
A security advisory is posted on the Amazon Linux Security Center website immediately after we have made a fix available for installation through the RPM repository.
Why do some Amazon Linux 2 Security Advisories reference package versions that aren’t available in my repository?
Amazon Linux issues Security Advisories for packages in the Amazon Linux 2 (AL2) Core and Extras repositories. Each advisory denotes which repository it applies to. Advisories for the AL2 Core repository have no package prefix, e.g. ALAS2-YYYY-NNN. Advisories for AL2 Extras have a package-specific prefix indicating which repository they are associated with; for example, ALASFIREFOX-YYYY-NNN is an advisory for the Firefox extra repository.

Since some AL2 Extras include packages with the same name as packages in the Core repository, it is important to consult the advisory that matches the repository an installed package actually came from: an ALAS2 advisory for a package name does not describe the copy of that package installed from an Extras repository, and vice versa. Please visit the Amazon Linux 2 Extras page to learn more.
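The check described above, as an added example that is not code from the Amazon Linux Security Center: derive the repository an AL2 advisory ID covers from its prefix, read the repository an installed package came from out of `yum info installed` output, and compare the two. The repository ids `amzn2-core` and `amzn2extra-<topic>` and the assumption that every advisory ID ends in `-YYYY-NNN` are this example's own; confirm the ids on a real instance with `yum repolist`. The `yum info installed` text below is a constructed sample, not captured from a host.

```shell
#!/bin/sh
# Added example; not code from the Amazon Linux Security Center or the yum project.
# Maps an AL2 advisory ID to the yum repository it covers and checks that against
# the repository an installed package was actually pulled from.
#
# Assumptions (verify with `yum repolist` on a real instance):
#   - the AL2 Core repository id is amzn2-core
#   - an Extras topic repository id is amzn2extra-<topic> (lower-case topic)
#   - advisory IDs end in -YYYY-NNN; the text before that is ALAS2 (Core)
#     or ALAS<TOPIC> (the Extras topic named TOPIC), e.g. ALASFIREFOX
set -eu

# Print the repository id an advisory applies to; fail on an ID that is not
# an AL2 advisory (AL1 "ALAS-YYYY-NNN" IDs fall through to the failure case).
advisory_repo() {
    id=$1
    case "$id" in
        *-[0-9][0-9][0-9][0-9]-[0-9]*) ;;   # must carry the -YYYY-NNN tail
        *) return 1 ;;
    esac
    base=${id%-*-*}                          # drop the trailing -YYYY-NNN
    case "$base" in
        ALAS2)  echo amzn2-core ;;
        ALAS?*) topic=$(printf '%s' "${base#ALAS}" | tr '[:upper:]' '[:lower:]')
                echo "amzn2extra-$topic" ;;
        *)      return 1 ;;
    esac
}

# Read `yum info installed <pkg>` output on stdin and print its "From repo" field
# (yum 3, as shipped on AL2, records the originating repository there).
installed_repo() {
    awk -F': *' '/^From repo/ { print $2; exit }'
}

# Succeed only when the advisory's repository matches the package's repository.
advisory_applies() {
    adv=$1
    from_repo=$2
    want=$(advisory_repo "$adv") || return 1
    [ -n "$want" ] && [ "$want" = "$from_repo" ]
}

# Constructed sample of `yum info installed firefox` output (not from a real host):
# the package was installed from the Firefox Extras topic, not from Core.
SAMPLE_YUM_INFO='Installed Packages
Name        : firefox
Arch        : x86_64
From repo   : amzn2extra-firefox'

repo=$(printf '%s\n' "$SAMPLE_YUM_INFO" | installed_repo)
for adv in ALAS2-2023-1900 ALASFIREFOX-2023-001; do
    if advisory_applies "$adv" "$repo"; then
        echo "$adv covers firefox installed from $repo"
    else
        echo "$adv does not cover firefox installed from $repo"
    fi
done
```

On a live AL2 instance the same comparison can be made by hand: `yum info installed <pkg>` shows the originating repository, and `yum updateinfo list` only lists advisories for repositories that are currently enabled, so an Extras advisory will not appear until its topic is enabled with `amazon-linux-extras`.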