Important: freerdp

Issue Overview: FreeRDP prior to version 2.0.0-rc4 contains an Out-Of-Bounds Write of up to 4 bytes in function nscrledecode that results in a memory corruption and possibly even a remote code execution.CVE-2018-8788 FreeRDP prior to version 2.0.0-rc4 contains an Integer Overflow that leads to a...

Amazon Linux 2 : spice (ALAS-2019-1184)

Spice, versions 0.5.2 through 0.14.0, are vulnerable to an out-of-bounds read due to an off-by-one error in memslotgetvirt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers.CVE-2019-3813 C Tenable Network Security, Inc. The descriptive text...

Amazon Linux 2 : java-1.8.0-openjdk / java-1.7.0-openjdk (ALAS-2019-1177)

Vulnerability in the Java SE component of Oracle Java SE subcomponent: Libraries. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker...

Amazon Linux 2 : flatpak (ALAS-2019-1183)

Earlier versions of flatpak exposes /proc in the applyextra script sandbox, which allows attackers to modify a host-side executable file.CVE-2019-8308 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux 2 Security Advisory...

Amazon Linux 2 : kernel (ALAS-2019-1179)

A kernel memory leak was found in the kernelreadfile function in the fs/exec.c file in the Linux kernel. An attacker could use this flaw to cause a memory leak and thus a denial of service DoS.CVE-2019-8980 A flaw was found in mmap in the Linux kernel allowing the process to map a null page. This...

Amazon Linux AMI : libwmf (ALAS-2019-1174)

The GD Graphics Library aka LibGD has a double free in the gdImagePtr functions in gdgifout.c, gdjpeg.c, and gdwbmp.c. NOTE: PHP is unaffected. CVE-2019-6978 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security...

Amazon Linux AMI : perl (ALAS-2019-1180)

Perl has a buffer overflow via a crafted regular expression that triggers invalid write operations. CVE-2018-18311 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2019-1180. include'compat.inc'; if...

Amazon Linux AMI : python27 / python34,python35,python36 (ALAS-2019-1169)

A NULL pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accep...

Amazon Linux AMI : squid (ALAS-2019-1176)

A memory leak was discovered in the way Squid handles SNMP denied queries. A remote attacker may use this flaw to exhaust the resources on the server machine. CVE-2018-19132 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AM...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2019-1177)

Vulnerability in the Java SE component of Oracle Java SE subcomponent: Libraries. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker...

Amazon Linux AMI : nvidia (ALAS-2019-1182)

NVIDIA graphics driver contains a vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. Local user access is required. This is not a network or remote attack vector. CVE-2018-6260 C Tenable Network Security, In...

Amazon Linux AMI : file (ALAS-2019-1186)

dobidnote in readelf.c in libmagic.a has a stack-based buffer over-read, related to fileprintf and filevprintf. CVE-2019-8904 docorenote in readelf.c in libmagic.a has a stack-based buffer over-read, related to fileprintable, a different vulnerability than CVE-2018-10360 . CVE-2019-8905 docorenot...

Amazon Linux AMI : openssl (ALAS-2019-1153)

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. CVE-2018-0734 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were...

Amazon Linux AMI : kernel (ALAS-2019-1179)

A kernel memory leak was found in the kernelreadfile function in the fs/exec.c file in the Linux kernel. An attacker could use this flaw to cause a memory leak and thus a denial of service DoS. CVE-2019-8980 A flaw was found in mmap in the Linux kernel allowing the process to map a null page. Thi...

Important: flatpak

Issue Overview: Earlier versions of flatpak exposes /proc in the applyextra script sandbox, which allows attackers to modify a host-side executable file.CVE-2019-8308 Affected Packages: flatpak Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the...

Medium: java-1.8.0-openjdk, java-1.7.0-openjdk

Issue Overview: Vulnerability in the Java SE component of Oracle Java SE subcomponent: Libraries. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other...

Important: kernel

Issue Overview: A kernel memory leak was found in the kernelreadfile function in the fs/exec.c file in the Linux kernel. An attacker could use this flaw to cause a memory leak and thus a denial of service DoS.CVE-2019-8980 A flaw was found in mmap in the Linux kernel allowing the process to map a...

Important: filesystem

Issue Overview: Images built for the Amazon Linux 2.0.20190218 release included system files with incorrect permissions applied. Incorrect permissions were applied to files including: /etc/fstab /etc/localtime /etc/image-id /etc/sysconfig/i18n /etc/sysconfig/clock /etc/sysconfig/keyboard...

Amazon Linux AMI : golang (ALAS-2019-1172)

Go mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service CPU consumption or possibly conduct ECDH private key recovery attacks. CVE-2019-6486 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazo...

Amazon Linux AMI : kernel (ALAS-2019-1167)

In the Linux kernel afalgrelease in crypto/afalg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free UAF in sockfssetattr. A local attacker can use this flaw to escalate privileges and take control of the system. CVE-2019-8912 C Tenable Network Security,...