Amazon ALAS2-2019-1218
Published: May 29, 2019, 19:08
Source: alas.aws.amazon.com

Important: freeradius

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.6 High (Confidence: High)

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.016 Low (Percentile: 87.3%)

Issue Overview:

FreeRADIUS mishandles the “each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used” protection mechanism, aka a “Dragonblood” issue, similar to CVE-2019-9498 and CVE-2019-9499. (CVE-2019-11235)

FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a “Dragonblood” issue, similar to CVE-2019-9497. (CVE-2019-11234)
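The two checks the overview describes, as an added illustration that is not FreeRADIUS's own code: the scalar range and curve-membership validation that EAP-pwd (RFC 5931) requires on every received commit (the mechanism CVE-2019-11235 says is mishandled), and the rejection of a peer commit that simply echoes the server's own values (the reflection CVE-2019-11234 says is not prevented). NIST P-256 is assumed as the group in use, and the commit values in the checks are constructed, not real protocol traffic.

```python
# Added example (not FreeRADIUS code): validation a receiver should apply to a
# peer's EAP-pwd commit (scalar, element) before using it. Assumes NIST P-256.

# NIST P-256 domain parameters: field prime p, curve coefficients a and b,
# group order q, and the base point G.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
Q = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def scalar_in_range(s):
    """Range check: the received scalar must satisfy 1 < s < q."""
    return 1 < s < Q


def element_is_valid(point):
    """Curve-membership check for a received element given as (x, y).

    Rejects the point at infinity (represented as None), coordinates outside
    [0, p), and any pair that does not satisfy y^2 = x^3 + a*x + b (mod p).
    P-256 has cofactor 1, so no separate subgroup check is required.
    """
    if point is None:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_commit(own_scalar, own_element, peer_scalar, peer_element):
    """Return None if the peer's commit is acceptable, else the rejection reason."""
    if not scalar_in_range(peer_scalar):
        return "scalar out of range"
    if not element_is_valid(peer_element):
        return "element not a valid curve point"
    # Reflection: a peer that sends back our own scalar and element has not
    # proven knowledge of anything, so the commit must be refused.
    if peer_scalar == own_scalar and peer_element == own_element:
        return "reflected commit"
    return None
```

The own/peer commit values passed to validate_commit are whatever the server generated and received; the off-curve and out-of-range cases are exactly the inputs a receiver lacking these checks would accept.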

Affected Packages:

freeradius

Note:

This advisory applies to the Amazon Linux 2 (AL2) Core repository. See the AL2 FAQ for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update freeradius to update your system.

New Packages:

aarch64:  
    freeradius-3.0.13-10.amzn2.aarch64  
    freeradius-doc-3.0.13-10.amzn2.aarch64  
    freeradius-utils-3.0.13-10.amzn2.aarch64  
    freeradius-devel-3.0.13-10.amzn2.aarch64  
    freeradius-ldap-3.0.13-10.amzn2.aarch64  
    freeradius-krb5-3.0.13-10.amzn2.aarch64  
    freeradius-perl-3.0.13-10.amzn2.aarch64  
    freeradius-python-3.0.13-10.amzn2.aarch64  
    freeradius-mysql-3.0.13-10.amzn2.aarch64  
    freeradius-postgresql-3.0.13-10.amzn2.aarch64  
    freeradius-sqlite-3.0.13-10.amzn2.aarch64  
    freeradius-unixODBC-3.0.13-10.amzn2.aarch64  
    freeradius-debuginfo-3.0.13-10.amzn2.aarch64  
  
i686:  
    freeradius-3.0.13-10.amzn2.i686  
    freeradius-doc-3.0.13-10.amzn2.i686  
    freeradius-utils-3.0.13-10.amzn2.i686  
    freeradius-devel-3.0.13-10.amzn2.i686  
    freeradius-ldap-3.0.13-10.amzn2.i686  
    freeradius-krb5-3.0.13-10.amzn2.i686  
    freeradius-perl-3.0.13-10.amzn2.i686  
    freeradius-python-3.0.13-10.amzn2.i686  
    freeradius-mysql-3.0.13-10.amzn2.i686  
    freeradius-postgresql-3.0.13-10.amzn2.i686  
    freeradius-sqlite-3.0.13-10.amzn2.i686  
    freeradius-unixODBC-3.0.13-10.amzn2.i686  
    freeradius-debuginfo-3.0.13-10.amzn2.i686  
  
src:  
    freeradius-3.0.13-10.amzn2.src  
  
x86_64:  
    freeradius-3.0.13-10.amzn2.x86_64  
    freeradius-doc-3.0.13-10.amzn2.x86_64  
    freeradius-utils-3.0.13-10.amzn2.x86_64  
    freeradius-devel-3.0.13-10.amzn2.x86_64  
    freeradius-ldap-3.0.13-10.amzn2.x86_64  
    freeradius-krb5-3.0.13-10.amzn2.x86_64  
    freeradius-perl-3.0.13-10.amzn2.x86_64  
    freeradius-python-3.0.13-10.amzn2.x86_64  
    freeradius-mysql-3.0.13-10.amzn2.x86_64  
    freeradius-postgresql-3.0.13-10.amzn2.x86_64  
    freeradius-sqlite-3.0.13-10.amzn2.x86_64  
    freeradius-unixODBC-3.0.13-10.amzn2.x86_64  
    freeradius-debuginfo-3.0.13-10.amzn2.x86_64  

Additional References

Red Hat: CVE-2019-11234, CVE-2019-11235

Mitre: CVE-2019-11234, CVE-2019-11235
