Amazon Linux AMI update for ecs-service-connect-agent
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2023-27487 CVE-2023-27488 CVE-2023-27491 CVE-2023-27492 CVE-2023-27493 CVE-2023-27496 |
| CWE-ID | CWE-20 CWE-770 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Amazon Linux AMI Operating systems & Components / Operating system |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU74480
Risk: High
CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-27487
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied input in the "header x-envoy-original-path". A remote attacker can gain access to sensitive information on the system.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.aarch64
src:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.src
x86_64:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/AL2023/ALAS-2023-165.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU74474
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-27488
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input when "failure_mode_allow: true" is configured for ext_authz filter. A remote attacker can pass specially crafted input to the application and gain elevated privileges on the target system.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.aarch64
src:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.src
x86_64:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/AL2023/ALAS-2023-165.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU74477
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-27491
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied input within the HTTP/2 and HTTP/3 downstream headers. A remote attacker can bypass the security policies.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.aarch64
src:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.src
x86_64:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/AL2023/ALAS-2023-165.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU74476
Risk: Medium
CVSSv4.0: 1.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-27492
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists when a large request body is processed in Lua filter. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.aarch64
src:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.src
x86_64:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/AL2023/ALAS-2023-165.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU74475
Risk: High
CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-27493
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected application does not sanitize or escape request properties when generating request headers. A remote attacker can cause request smuggling and bypass of security policies.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.aarch64
src:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.src
x86_64:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/AL2023/ALAS-2023-165.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU74473
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-27496
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when a redirect url without a state param is received in the oauth filter. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.aarch64
src:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.src
x86_64:
ecs-service-connect-agent-v1.25.4.0-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/AL2023/ALAS-2023-165.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
