Lucene search

K
amazonAmazonALAS-2023-2374
HistoryNov 29, 2023 - 10:20 p.m.

Medium: libarchive

2023-11-2922:20:00
alas.aws.amazon.com
16
improper link resolution
arbitrary file changes
libarchive
privilege escalation
amazon linux 2
update
cve-2021-31566

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8

Confidence

High

EPSS

0.001

Percentile

25.2%

Issue Overview:

An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system. (CVE-2021-31566)

Affected Packages:

libarchive

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update libarchive to update your system.

New Packages:

aarch64:  
    libarchive-3.1.2-14.amzn2.0.3.aarch64  
    libarchive-devel-3.1.2-14.amzn2.0.3.aarch64  
    bsdtar-3.1.2-14.amzn2.0.3.aarch64  
    bsdcpio-3.1.2-14.amzn2.0.3.aarch64  
    libarchive-debuginfo-3.1.2-14.amzn2.0.3.aarch64  
  
i686:  
    libarchive-3.1.2-14.amzn2.0.3.i686  
    libarchive-devel-3.1.2-14.amzn2.0.3.i686  
    bsdtar-3.1.2-14.amzn2.0.3.i686  
    bsdcpio-3.1.2-14.amzn2.0.3.i686  
    libarchive-debuginfo-3.1.2-14.amzn2.0.3.i686  
  
src:  
    libarchive-3.1.2-14.amzn2.0.3.src  
  
x86_64:  
    libarchive-3.1.2-14.amzn2.0.3.x86_64  
    libarchive-devel-3.1.2-14.amzn2.0.3.x86_64  
    bsdtar-3.1.2-14.amzn2.0.3.x86_64  
    bsdcpio-3.1.2-14.amzn2.0.3.x86_64  
    libarchive-debuginfo-3.1.2-14.amzn2.0.3.x86_64  

Additional References

Red Hat: CVE-2021-31566

Mitre: CVE-2021-31566

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8

Confidence

High

EPSS

0.001

Percentile

25.2%