Lucene search

K
amazonAmazonALAS2-2020-1520
HistoryOct 22, 2020 - 6:07 p.m.

Important: kernel

2020-10-2218:07:00
alas.aws.amazon.com
29

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:P/I:P/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

81.7%

Issue Overview:

A flaw was found in the Linux kernel. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2020-14390)

A flaw was found in the capabilities check of the rados block device functionality in the Linux kernel. Incorrect capability checks could alllow a local user with root priviledges (but no capabilities) to add or remove Rados Block Devices from the system. (CVE-2020-25284)

A flaw was found in the HDLC_PPP module of the Linux kernel. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25643)

A flaw was found in the Linux kernel. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (CVE-2020-25645)

Affected Packages:

kernel

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update kernel to update your system.

New Packages:

aarch64:  
    kernel-4.14.200-155.322.amzn2.aarch64  
    kernel-headers-4.14.200-155.322.amzn2.aarch64  
    kernel-debuginfo-common-aarch64-4.14.200-155.322.amzn2.aarch64  
    perf-4.14.200-155.322.amzn2.aarch64  
    perf-debuginfo-4.14.200-155.322.amzn2.aarch64  
    python-perf-4.14.200-155.322.amzn2.aarch64  
    python-perf-debuginfo-4.14.200-155.322.amzn2.aarch64  
    kernel-tools-4.14.200-155.322.amzn2.aarch64  
    kernel-tools-devel-4.14.200-155.322.amzn2.aarch64  
    kernel-tools-debuginfo-4.14.200-155.322.amzn2.aarch64  
    kernel-devel-4.14.200-155.322.amzn2.aarch64  
    kernel-debuginfo-4.14.200-155.322.amzn2.aarch64  
  
i686:  
    kernel-headers-4.14.200-155.322.amzn2.i686  
  
src:  
    kernel-4.14.200-155.322.amzn2.src  
  
x86_64:  
    kernel-4.14.200-155.322.amzn2.x86_64  
    kernel-headers-4.14.200-155.322.amzn2.x86_64  
    kernel-debuginfo-common-x86_64-4.14.200-155.322.amzn2.x86_64  
    perf-4.14.200-155.322.amzn2.x86_64  
    perf-debuginfo-4.14.200-155.322.amzn2.x86_64  
    python-perf-4.14.200-155.322.amzn2.x86_64  
    python-perf-debuginfo-4.14.200-155.322.amzn2.x86_64  
    kernel-tools-4.14.200-155.322.amzn2.x86_64  
    kernel-tools-devel-4.14.200-155.322.amzn2.x86_64  
    kernel-tools-debuginfo-4.14.200-155.322.amzn2.x86_64  
    kernel-devel-4.14.200-155.322.amzn2.x86_64  
    kernel-debuginfo-4.14.200-155.322.amzn2.x86_64  
    kernel-livepatch-4.14.200-155.322-1.0-0.amzn2.x86_64  

Additional References

Red Hat: CVE-2020-14390, CVE-2020-25284, CVE-2020-25643, CVE-2020-25645

Mitre: CVE-2020-14390, CVE-2020-25284, CVE-2020-25643, CVE-2020-25645

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:P/I:P/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

81.7%