Lucene search

K
amazonAmazonALAS-2023-1825
HistoryAug 30, 2023 - 6:41 p.m.

Important: amazon-ssm-agent

2023-08-3018:41:00
alas.aws.amazon.com
28
amazon-ssm-agent
golang.org/x/crypto
ssh
net/http
update
vulnerabilities
denial of service
cryptographic algorithm
cve-2021-43565
cve-2022-27191
cve-2022-27664
cve-2022-41723

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

9.6

Confidence

High

EPSS

0.034

Percentile

91.6%

Issue Overview:

The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. (CVE-2021-43565)

A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentification with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability. (CVE-2022-27191)

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

http2/hpack: avoid quadratic complexity in hpack decoding (CVE-2022-41723)

Affected Packages:

amazon-ssm-agent

Issue Correction:
Run yum update amazon-ssm-agent to update your system.

New Packages:

src:  
    amazon-ssm-agent-3.2.1377.0-1.amzn1.src  
  
x86_64:  
    amazon-ssm-agent-3.2.1377.0-1.amzn1.x86_64  
    amazon-ssm-agent-debuginfo-3.2.1377.0-1.amzn1.x86_64  

Additional References

Red Hat: CVE-2021-43565, CVE-2022-27191, CVE-2022-27664, CVE-2022-41723

Mitre: CVE-2021-43565, CVE-2022-27191, CVE-2022-27664, CVE-2022-41723

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

9.6

Confidence

High

EPSS

0.034

Percentile

91.6%