Lucene search

K
amazonAmazonALAS-2016-716
HistoryJun 22, 2016 - 3:00 p.m.

Important: ImageMagick

2016-06-2215:00:00
alas.aws.amazon.com
17

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.723 High

EPSS

Percentile

98.0%

Issue Overview:

It was discovered that ImageMagick did not properly sanitize certain input before using it to invoke processes. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-5118)

It was discovered that ImageMagick did not properly sanitize certain input before passing it to the gnuplot delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-5239)

Multiple flaws have been discovered in ImageMagick. A remote attacker could, for example, create specially crafted images that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would result in a memory corruption and, potentially, execution of arbitrary code, a denial of service, or an application crash. (CVE-2015-8896, CVE-2015-8895, CVE-2016-5240, CVE-2015-8897, CVE-2015-8898)

Affected Packages:

ImageMagick

Issue Correction:
Run yum update ImageMagick to update your system.

New Packages:

i686:  
    ImageMagick-doc-6.7.8.9-15.21.amzn1.i686  
    ImageMagick-6.7.8.9-15.21.amzn1.i686  
    ImageMagick-debuginfo-6.7.8.9-15.21.amzn1.i686  
    ImageMagick-perl-6.7.8.9-15.21.amzn1.i686  
    ImageMagick-c++-devel-6.7.8.9-15.21.amzn1.i686  
    ImageMagick-c++-6.7.8.9-15.21.amzn1.i686  
    ImageMagick-devel-6.7.8.9-15.21.amzn1.i686  
  
src:  
    ImageMagick-6.7.8.9-15.21.amzn1.src  
  
x86_64:  
    ImageMagick-perl-6.7.8.9-15.21.amzn1.x86_64  
    ImageMagick-debuginfo-6.7.8.9-15.21.amzn1.x86_64  
    ImageMagick-c++-devel-6.7.8.9-15.21.amzn1.x86_64  
    ImageMagick-doc-6.7.8.9-15.21.amzn1.x86_64  
    ImageMagick-devel-6.7.8.9-15.21.amzn1.x86_64  
    ImageMagick-c++-6.7.8.9-15.21.amzn1.x86_64  
    ImageMagick-6.7.8.9-15.21.amzn1.x86_64  

Additional References

Red Hat: CVE-2015-8895, CVE-2015-8896, CVE-2015-8897, CVE-2015-8898, CVE-2016-5118, CVE-2016-5239, CVE-2016-5240

Mitre: CVE-2015-8895, CVE-2015-8896, CVE-2015-8897, CVE-2015-8898, CVE-2016-5118, CVE-2016-5239, CVE-2016-5240

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.723 High

EPSS

Percentile

98.0%