CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
91.6%
Issue Overview:
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. (CVE-2021-43565)
A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentification with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability. (CVE-2022-27191)
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)
http2/hpack: avoid quadratic complexity in hpack decoding (CVE-2022-41723)
Affected Packages:
amazon-ssm-agent
Issue Correction:
Run yum update amazon-ssm-agent to update your system.
New Packages:
src:
amazon-ssm-agent-3.2.1377.0-1.amzn1.src
x86_64:
amazon-ssm-agent-3.2.1377.0-1.amzn1.x86_64
amazon-ssm-agent-debuginfo-3.2.1377.0-1.amzn1.x86_64
Red Hat: CVE-2021-43565, CVE-2022-27191, CVE-2022-27664, CVE-2022-41723
Mitre: CVE-2021-43565, CVE-2022-27191, CVE-2022-27664, CVE-2022-41723
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | x86_64 | amazon-ssm-agent | < 3.2.1377.0-1.amzn1 | amazon-ssm-agent-3.2.1377.0-1.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | amazon-ssm-agent-debuginfo | < 3.2.1377.0-1.amzn1 | amazon-ssm-agent-debuginfo-3.2.1377.0-1.amzn1.x86_64.rpm |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
91.6%