Lucene search

K
amazonAmazonALAS2-2023-2303
HistoryOct 12, 2023 - 3:09 p.m.

Important: amazon-ssm-agent

2023-10-1215:09:00
alas.aws.amazon.com
24
amazon-ssm-agent
cve-2021-43565
cve-2022-41723
cve-2023-24538
ssh
code injection

EPSS

0.042

Percentile

92.4%

Issue Overview:

The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. (CVE-2021-43565)

http2/hpack: avoid quadratic complexity in hpack decoding (CVE-2022-41723)

Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did
not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template
contained a Go template action within a Javascript template literal, the contents of the action could
be used to terminate the literal, injecting arbitrary Javascript code into the Go template. (CVE-2023-24538)

Affected Packages:

amazon-ssm-agent

Issue Correction:
Run yum update amazon-ssm-agent to update your system.

New Packages:

aarch64:  
    amazon-ssm-agent-3.2.1705.0-1.amzn2.aarch64  
    amazon-ssm-agent-debuginfo-3.2.1705.0-1.amzn2.aarch64  
  
src:  
    amazon-ssm-agent-3.2.1705.0-1.amzn2.src  
  
x86_64:  
    amazon-ssm-agent-3.2.1705.0-1.amzn2.x86_64  
    amazon-ssm-agent-debuginfo-3.2.1705.0-1.amzn2.x86_64  

Additional References

Red Hat: CVE-2021-43565, CVE-2022-41723, CVE-2023-24538

Mitre: CVE-2021-43565, CVE-2022-41723, CVE-2023-24538