7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.3 High
AI Score
Confidence
High
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.971 High
EPSS
Percentile
99.8%
Issue Overview:
When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn’t expect the escape characters) if the command is being run in shell mode. (CVE-2021-3156)
Affected Packages:
sudo
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update sudo to update your system.
New Packages:
aarch64:
sudo-1.8.23-4.amzn2.2.1.aarch64
sudo-devel-1.8.23-4.amzn2.2.1.aarch64
sudo-debuginfo-1.8.23-4.amzn2.2.1.aarch64
i686:
sudo-1.8.23-4.amzn2.2.1.i686
sudo-devel-1.8.23-4.amzn2.2.1.i686
sudo-debuginfo-1.8.23-4.amzn2.2.1.i686
src:
sudo-1.8.23-4.amzn2.2.1.src
x86_64:
sudo-1.8.23-4.amzn2.2.1.x86_64
sudo-devel-1.8.23-4.amzn2.2.1.x86_64
sudo-debuginfo-1.8.23-4.amzn2.2.1.x86_64
Red Hat: CVE-2021-3156
Mitre: CVE-2021-3156
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | sudo | < 1.8.23-4.amzn2.2.1 | sudo-1.8.23-4.amzn2.2.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | sudo-devel | < 1.8.23-4.amzn2.2.1 | sudo-devel-1.8.23-4.amzn2.2.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | sudo-debuginfo | < 1.8.23-4.amzn2.2.1 | sudo-debuginfo-1.8.23-4.amzn2.2.1.aarch64.rpm |
Amazon Linux | 2 | i686 | sudo | < 1.8.23-4.amzn2.2.1 | sudo-1.8.23-4.amzn2.2.1.i686.rpm |
Amazon Linux | 2 | i686 | sudo-devel | < 1.8.23-4.amzn2.2.1 | sudo-devel-1.8.23-4.amzn2.2.1.i686.rpm |
Amazon Linux | 2 | i686 | sudo-debuginfo | < 1.8.23-4.amzn2.2.1 | sudo-debuginfo-1.8.23-4.amzn2.2.1.i686.rpm |
Amazon Linux | 2 | x86_64 | sudo | < 1.8.23-4.amzn2.2.1 | sudo-1.8.23-4.amzn2.2.1.x86_64.rpm |
Amazon Linux | 2 | x86_64 | sudo-devel | < 1.8.23-4.amzn2.2.1 | sudo-devel-1.8.23-4.amzn2.2.1.x86_64.rpm |
Amazon Linux | 2 | x86_64 | sudo-debuginfo | < 1.8.23-4.amzn2.2.1 | sudo-debuginfo-1.8.23-4.amzn2.2.1.x86_64.rpm |
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.3 High
AI Score
Confidence
High
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.971 High
EPSS
Percentile
99.8%