SB2019030509 - Amazon Linux AMI update for kernel
Published: March 5, 2019
Security Bulletin ID
SB2019030509
Severity
Medium
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Adjecent network
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Race condition (CVE-ID: CVE-2019-6974)
The vulnerability allows an adjacent attacker to gain elevated privileges or cause a denial of service (DoS) condition.The weakness exists due to exists due to a race condition that causes the kvm_ioctl_create_device function, as defined in the virt/kvm/kvm_main.c source code file of the affected software, to improperly handle reference counting. An adjacent attacker can access the system and execute an application that submits malicious input, trigger a use-after-free condition and cause a targeted guest virtual machine to crash, resulting in a DoS condition. In addition, a successful exploit could allow the attacker to gain elevated privileges on a targeted system.
2) Use-after-free (CVE-ID: CVE-2019-7221)
The vulnerability allows an adjacent attacker to cause DoS condition or execute arbitrary code.The weakness exists due to exists due to use-after-free error when using emulated vmx preemption timer. An adjacent attacker can cause the service to crash or execute arbitrary code with elevated privileges.
3) Memory leak (CVE-ID: CVE-2019-7222)
The vulnerability allows an adjacent attacker to obtain potentially sensitive information.The weakness exists due to exists due to memory leak in kvm_inject_page_fault. An adjacent attacker can gain access to important data and conduct further attacks.
Remediation
Install update from vendor's website.