Amazon Linux AMI update for opensc

Published: 2024-08-06

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2021-42779
CWE-ID	CWE-416
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system opensc Operating systems & Components / Operating system package or component
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Use-after-free

EUVDB-ID: #VU66142

Risk: Low

CVSSv3.1: 1.8 [CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42779

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows an attacker with physical access to perform a denial of service attack.

The vulnerability exists due to a use-after-free error in Opensc in sc_file_valid. An attacker with physical access can trigger use-after-free to perform a denial of service attack.

Mitigation

Update the affected packages:

aarch64:
    opensc-debugsource-0.22.0-4.amzn2023.0.3.aarch64
    opensc-debuginfo-0.22.0-4.amzn2023.0.3.aarch64
    opensc-0.22.0-4.amzn2023.0.3.aarch64

src:
    opensc-0.22.0-4.amzn2023.0.3.src

x86_64:
    opensc-debuginfo-0.22.0-4.amzn2023.0.3.x86_64
    opensc-0.22.0-4.amzn2023.0.3.x86_64
    opensc-debugsource-0.22.0-4.amzn2023.0.3.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

opensc: before 0.22.0-4

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:

External links

http://alas.aws.amazon.com/AL2023/ALAS-2024-534.html

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.