Lucene search

AmazonALAS2-2022-1870

HistoryOct 31, 2022 - 7:40 p.m.

Important: dbus

2022-10-3119:40:00

alas.aws.amazon.com

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.8 Medium

AI Score

Confidence

High

4.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

0.0005 Low

EPSS

Percentile

16.2%

JSON

Issue Overview:

A flaw was found in dbus. The implementation of DBUS_COOKIE_SHA1 is susceptible to a symbolic link attack. A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to read and write in unintended locations resulting in an authentication bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2019-12749)

An uncontrolled resource consumption vulnerability was discovered in D-Bus. The DBusServer leaks file descriptors when a message exceeds the per-message file descriptor limit. This flaw allows a local attacker with access to the D-Bus system bus or another system service’s private AF_UNIX socket, to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. As a result, the system may become unusable for other users, and some services may stop working. The highest threat from this vulnerability is to system availability. (CVE-2020-12049)

Affected Packages:

dbus

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update dbus to update your system.

New Packages:

aarch64:  
    dbus-1.10.24-7.amzn2.0.2.aarch64  
    dbus-libs-1.10.24-7.amzn2.0.2.aarch64  
    dbus-devel-1.10.24-7.amzn2.0.2.aarch64  
    dbus-tests-1.10.24-7.amzn2.0.2.aarch64  
    dbus-x11-1.10.24-7.amzn2.0.2.aarch64  
    dbus-debuginfo-1.10.24-7.amzn2.0.2.aarch64  
  
i686:  
    dbus-1.10.24-7.amzn2.0.2.i686  
    dbus-libs-1.10.24-7.amzn2.0.2.i686  
    dbus-devel-1.10.24-7.amzn2.0.2.i686  
    dbus-tests-1.10.24-7.amzn2.0.2.i686  
    dbus-x11-1.10.24-7.amzn2.0.2.i686  
    dbus-debuginfo-1.10.24-7.amzn2.0.2.i686  
  
noarch:  
    dbus-doc-1.10.24-7.amzn2.0.2.noarch  
  
src:  
    dbus-1.10.24-7.amzn2.0.2.src  
  
x86_64:  
    dbus-1.10.24-7.amzn2.0.2.x86_64  
    dbus-libs-1.10.24-7.amzn2.0.2.x86_64  
    dbus-devel-1.10.24-7.amzn2.0.2.x86_64  
    dbus-tests-1.10.24-7.amzn2.0.2.x86_64  
    dbus-x11-1.10.24-7.amzn2.0.2.x86_64  
    dbus-debuginfo-1.10.24-7.amzn2.0.2.x86_64

Additional References

Red Hat: CVE-2019-12749, CVE-2020-12049

Mitre: CVE-2019-12749, CVE-2020-12049

OSVersionArchitecturePackageVersionFilename
Amazon Linux2aarch64dbus< 1.10.24-7.amzn2.0.2dbus-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux2aarch64dbus-libs< 1.10.24-7.amzn2.0.2dbus-libs-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux2aarch64dbus-devel< 1.10.24-7.amzn2.0.2dbus-devel-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux2aarch64dbus-tests< 1.10.24-7.amzn2.0.2dbus-tests-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux2aarch64dbus-x11< 1.10.24-7.amzn2.0.2dbus-x11-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux2aarch64dbus-debuginfo< 1.10.24-7.amzn2.0.2dbus-debuginfo-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux2i686dbus< 1.10.24-7.amzn2.0.2dbus-1.10.24-7.amzn2.0.2.i686.rpm
Amazon Linux2i686dbus-libs< 1.10.24-7.amzn2.0.2dbus-libs-1.10.24-7.amzn2.0.2.i686.rpm
Amazon Linux2i686dbus-devel< 1.10.24-7.amzn2.0.2dbus-devel-1.10.24-7.amzn2.0.2.i686.rpm
Amazon Linux2i686dbus-tests< 1.10.24-7.amzn2.0.2dbus-tests-1.10.24-7.amzn2.0.2.i686.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	2	aarch64	dbus	< 1.10.24-7.amzn2.0.2	dbus-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux	2	aarch64	dbus-libs	< 1.10.24-7.amzn2.0.2	dbus-libs-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux	2	aarch64	dbus-devel	< 1.10.24-7.amzn2.0.2	dbus-devel-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux	2	aarch64	dbus-tests	< 1.10.24-7.amzn2.0.2	dbus-tests-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux	2	aarch64	dbus-x11	< 1.10.24-7.amzn2.0.2	dbus-x11-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux	2	aarch64	dbus-debuginfo	< 1.10.24-7.amzn2.0.2	dbus-debuginfo-1.10.24-7.amzn2.0.2.aarch64.rpm
Amazon Linux	2	i686	dbus	< 1.10.24-7.amzn2.0.2	dbus-1.10.24-7.amzn2.0.2.i686.rpm
Amazon Linux	2	i686	dbus-libs	< 1.10.24-7.amzn2.0.2	dbus-libs-1.10.24-7.amzn2.0.2.i686.rpm
Amazon Linux	2	i686	dbus-devel	< 1.10.24-7.amzn2.0.2	dbus-devel-1.10.24-7.amzn2.0.2.i686.rpm
Amazon Linux	2	i686	dbus-tests	< 1.10.24-7.amzn2.0.2	dbus-tests-1.10.24-7.amzn2.0.2.i686.rpm