SB20240806352 - Amazon Linux AMI update for kernel

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20240806352

SB20240806352 - Amazon Linux AMI update for kernel

Published: August 6, 2024

Security Bulletin ID SB20240806352
Severity
Low
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Improper Initialization (CVE-ID: CVE-2022-2196)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper initialization within nVMX in Linux kernel. A local user can perform speculative execution attacks and escalate privileges on the system.


2) NULL pointer dereference (CVE-ID: CVE-2023-0458)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the do_prlimit() function. A local user can pass specially crafted data to the system and perform a denial of service (DoS) attack.


3) Use-after-free (CVE-ID: CVE-2023-1281)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in Linux kernel traffic control index filter (tcindex) when the tcf_exts_exec() function is called with the destroyed tcf_ext. A local user attacker can trigger a use-after-free error and execute arbitrary code with elevated privileges.



4) Double Free (CVE-ID: CVE-2023-26545)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a double free in net/mpls/af_mpls.c during the renaming of a device. A local user can trigger a double free error and execute arbitrary code with elevated privileges.


5) NULL pointer dereference (CVE-ID: CVE-2023-52646)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the aio_ring_mremap() function in fs/aio.c. A local user can perform a denial of service (DoS) attack.


6) Use-after-free (CVE-ID: CVE-2023-52707)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the psi_trigger_destroy() function in kernel/sched/psi.c. A local user can escalate privileges on the system.


Remediation

Install update from vendor's website.

References