Amazon Linux 2 : aws-cfn-bootstrap, --advisory ALAS2-2025-3104 (ALAS-2025-3104)

🗓️ 05 Jan 2026 00:00:00Reported by TenableType

aws-cfn-bootstrap timing leak risks private keys; Requests leaks credentials; CMS decrypt may DoS.

Reporter	Title	Published	Views	Family All 1139
FreeBSD	OpenSSL -- multiple vulnerabilities	30 Sep 202500:00	–	freebsd
FreeBSD	LibreSSL -- overwrite and -read vulnerability	1 Oct 202500:00	–	freebsd
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition	17 Dec 202509:51	–	ibm
IBM Security Bulletins	Security Bulletin: AIX/VIOS is affected by multiple vulnerabilities due to Python	19 Nov 202515:04	–	ibm
IBM Security Bulletins	Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in python3-pip-wheel python3.11-pip python3.11-pip-wheel requests	29 Oct 202510:51	–	ibm
IBM Security Bulletins	Security Bulletin: Muliple security vulnerabilities found in IBM CICS TX Standard.	22 Apr 202614:23	–	ibm
IBM Security Bulletins	Security Bulletin:Requests SSL Verification Issue Fixed in 2.32.0	4 May 202612:45	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerabilities affect multiple packages shipped with IBM CICS TX Advanced.	28 Apr 202510:33	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Requets affect IBM® Db2® Big SQL on IBM Cloud Pak for Data.	23 Jan 202613:27	–	ibm
IBM Security Bulletins	Security Bulletin: Astronomer with IBM is vulnerable to leaked credentials due to the requests package (CVE-2024-47081).	20 Nov 202514:25	–	ibm

Source	Link
alas	www.alas.aws.amazon.com//AL2/ALAS2-2025-3104.html
alas	www.alas.aws.amazon.com/faqs.html
explore	www.explore.alas.aws.amazon.com/CVE-2024-13176.html
explore	www.explore.alas.aws.amazon.com/CVE-2024-47081.html
explore	www.explore.alas.aws.amazon.com/CVE-2025-9230.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2025-3104.
##

include('compat.inc');

if (description)
{
  script_id(281817);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/05");

  script_cve_id("CVE-2024-13176", "CVE-2024-47081", "CVE-2025-9230");

  script_name(english:"Amazon Linux 2 : aws-cfn-bootstrap, --advisory ALAS2-2025-3104 (ALAS-2025-3104)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of aws-cfn-bootstrap installed on the remote host is prior to 2.0-38. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2025-3104 advisory.

    Issue summary: A timing side-channel which could potentially allow recoveringthe private key exists in the
    ECDSA signature computation.

    Impact summary: A timing side-channel in ECDSA signature computationscould allow recovering the private
    key by an attacker. However, measuringthe timing would require either local access to the signing
    application ora very fast network connection with low latency.

    There is a timing signal of around 300 nanoseconds when the top word ofthe inverted ECDSA nonce value is
    zero. This can happen with significantprobability only for some of the supported elliptic curves. In
    particularthe NIST P-521 curve is affected. To be able to measure this leak, the attackerprocess must
    either be located in the same physical computer or musthave a very fast network connection with low
    latency. For that reasonthe severity of this vulnerability is Low. (CVE-2024-13176)

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc
    credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4
    to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with
    `trust_env=False` on one's Requests Session. (CVE-2024-47081)

    Issue summary: An application trying to decrypt CMS messages encrypted usingpassword based encryption can
    trigger an out-of-bounds read and write.

    Impact summary: This out-of-bounds read may trigger a crash which leads toDenial of Service for an
    application. The out-of-bounds write can causea memory corruption which can have various consequences
    includinga Denial of Service or Execution of attacker-supplied code.

    Although the consequences of a successful exploit of this vulnerabilitycould be severe, the probability
    that the attacker would be able toperform it is low. Besides, password based (PWRI) encryption support in
    CMSmessages is very rarely used. For that reason the issue was assessed asModerate severity according to
    our Security Policy.

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by thisissue, as the CMS
    implementation is outside the OpenSSL FIPS moduleboundary. (CVE-2025-9230)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2/ALAS2-2025-3104.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-13176.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2024-47081.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-9230.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update aws-cfn-bootstrap' or
  or 'yum update --advisory ALAS2-2025-3104' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-9230");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-47081");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:aws-cfn-bootstrap");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'aws-cfn-bootstrap-2.0-38.amzn2', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "aws-cfn-bootstrap");
}

05 Jan 2026 00:00Current

7.5High risk

Vulners AI Score7.5

CVSS 3.17.5

EPSS0.00208

SSVC