SB202502194569 - Amazon Linux AMI update for kernel

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2023-46813)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses. A local user can gain arbitrary write access to kernel memory and execute arbitrary code with elevated privileges.

2) NULL pointer dereference (CVE-ID: CVE-2023-46862)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the io_uring_show_fdinfo() function in io_uring/fdinfo.c. A local user can trigger a race with SQ thread exit and perform a denial of service (DoS) attack.

3) Improper handling of exceptional conditions (CVE-ID: CVE-2023-5090)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of errors within the svm_set_x2apic_msr_interception() function in KVM. A local user can send specially crafted input and perform a denial of service (DoS) attack.

4) Out-of-bounds write (CVE-ID: CVE-2023-5717)

The vulnerability local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the Linux kernel's Linux Kernel Performance Events (perf) component. A local user can trigger an out-of-bounds write and execute arbitrary code with elevated privileges.

Remediation

Install update from vendor's website.

References

• https://alas.aws.amazon.com/AL2023/ALAS-2023-430.html