8699 matches found

Amazon, added 2021/10/05

Medium: docker

Issue Overview: A bug was found in Moby Docker Engine where attempting to copy files using docker cp into a specially-crafted container can result in Unix file permission changes for existing files in the host's filesystem, widening access to others. This bug does not directly allow files to ...

CVSS 7.5, AI score 6.4, EPSS 0.04746
Exploits: 3
Amazon, added 2021/10/01

Important: ca-certificates

Issue Overview: Update of ca-certificates to version 2021.2.50-72.amzn2.0.1 addresses the expiring IdenTrust DST Root CA X3, which affected some Let's Encrypt TLS certificates. The effect of the expiring certificate would be an inability of OpenSSL to validate impacted certificates issued by Let...

AI score 7
Exploits: 0
Amazon, added 2021/10/01

Important: ca-certificates

Issue Overview: Update of ca-certificates to version 2018.2.22-65.1.24.amzn1 addresses the expiring IdenTrust DST Root CA X3, which affected some Let's Encrypt TLS certificates. The effect of the expiring certificate would be an inability of OpenSSL to validate impacted certificates issued by...

AI score 7.1
Exploits: 0
Amazon, added 2021/09/21

Important: kernel-livepatch-4.14.238-182.422

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.238-182.422. Issue Correction: Please ensure you have live patching enabled. Run yum update kernel-livepatch-4.14.238-182.422 or yum update --advisory ALAS2LIVEPATCH-2021-064 to update your system. New...

CVSS 7, AI score 7, EPSS 0.00037
Exploits: 0
Amazon, added 2021/09/21

Important: kernel-livepatch-4.14.243-185.433

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.243-185.433. Issue Correction: Please ensure you have live patching enabled. Run yum update kernel-livepatch-4.14.243-185.433 or yum update --advisory ALAS2LIVEPATCH-2021-062 to update your system. New...

CVSS 7, AI score 7, EPSS 0.00037
Exploits: 0
Amazon, added 2021/09/21

Important: kernel-livepatch-4.14.238-182.421

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.238-182.421. Issue Correction: Please ensure you have live patching enabled. Run yum update kernel-livepatch-4.14.238-182.421 or yum update --advisory ALAS2LIVEPATCH-2021-061 to update your system. New...

CVSS 7, AI score 7, EPSS 0.00037
Exploits: 0
Amazon, added 2021/09/21

Important: kernel-livepatch-4.14.241-184.433

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.241-184.433. Issue Correction: Please ensure you have live patching enabled. Run yum update kernel-livepatch-4.14.241-184.433 or yum update --advisory ALAS2LIVEPATCH-2021-063 to update your system. New...

CVSS 7, AI score 7, EPSS 0.00037
Exploits: 0
Amazon, added 2021/09/21

Important: kernel-livepatch-4.14.232-177.418

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.232-177.418. Issue Correction: Please ensure you have live patching enabled. Run yum update kernel-livepatch-4.14.232-177.418 or yum update --advisory ALAS2LIVEPATCH-2021-060 to update your system. New...

CVSS 7, AI score 7, EPSS 0.00037
Exploits: 0
Amazon, added 2021/09/15

Important: exiv2

Issue Overview: A flaw was found in exiv2. Flawed bounds checking in the jp2Image.cpp:doWriteMetadata function leads to a heap-based buffer overflow. This flaw allows an attacker who can provide a malicious image to an application using the exiv2 library to write data out of bounds and...

AI score 6.8
Exploits: 0
Amazon, added 2021/09/15

Medium: php-pear

Issue Overview: In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193. CVE-2021-32610 Affected Packages: php-pear Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section fo...

CVSS 7.5, AI score 8, EPSS 0.71148
Exploits: 1
Amazon, added 2021/09/15

Important: thunderbird

Issue Overview: If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect...

CVSS 8.8, AI score 9, EPSS 0.02512
Exploits: 6
Amazon, added 2021/09/15

Medium: linuxptp

Issue Overview: A flaw was found in the ptp4l program of the linuxptp package. When ptp4l is operating on a little-endian architecture as a PTP transparent clock, a remote attacker could send a crafted one-step sync message to cause an information leak or crash. The highest threat from this...

CVSS 7.1, AI score 7, EPSS 0.0072
Exploits: 0
Amazon, added 2021/09/15

Medium: curl

Issue Overview: A flaw was found in curl in the way curl handles a file hash mismatch after downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to trick users into downloading malicious content. The highest threat from this vulnerability ...

CVSS 6.5, AI score 6.8, EPSS 0.0056
Exploits: 6
Amazon, added 2021/09/15

Medium: glibc

Issue Overview: An integer overflow flaw was found in glibc that may result in reading of arbitrary memory when wordexp is used with a specially crafted untrusted regular expression input. CVE-2021-35942 Affected Packages: glibc Note: This advisory is applicable to Amazon Linux 2 AL2 Core...

CVSS 9.1, AI score 8.2, EPSS 0.01407
Exploits: 0
Amazon, added 2021/09/15

Medium: gcc10-binutils

Issue Overview: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c. CVE-2020-354...

CVSS 7.8, AI score 7.2, EPSS 0.22712
Exploits: 4
Amazon, added 2021/09/15

Medium: openldap

Issue Overview: A flaw was discovered in OpenLDAP before 2.4.57 leading to a double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. CVE-2020-36225 Affected Packages: openldap Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FA...

CVSS 7.5, AI score 7.3, EPSS 0.01452
Exploits: 0
Amazon, added 2021/09/15

Medium: ntp

Issue Overview: The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. CVE-2013-5211 Affected Packages: ntp...

CVSS 5, AI score 6.8, EPSS 0.92136
Exploits: 23
Amazon, added 2021/09/15

Medium: kernel

Issue Overview: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "int_ctl" field, this issue could...

CVSS 8.8, AI score 6.6, EPSS 0.00079
Exploits: 3
Amazon, added 2021/09/08

Important: libwebp

Issue Overview: A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 9.8, AI score 8.3, EPSS 0.00527
Exploits: 0
Amazon, added 2021/09/08

Important: openvpn

Issue Overview: OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. CVE-2020-15078 Affected Packages: openvpn...

CVSS 7.5, AI score 7.7, EPSS 0.00492
Exploits: 0
Amazon, added 2021/09/08

Medium: tomcat8

Issue Overview: Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly...

CVSS 5.3, AI score 7.9, EPSS 0.01865
Exploits: 1
Amazon, added 2021/09/08

Medium: php73

Issue Overview: Several flaws have been found in PHP. The pdo_firebird module does not check the length of the server version string in a response packet, causing a stack buffer overflow; does not verify the data and uses the wrong type to cast length, leading to a crash; and does not validate the...

CVSS 5.9, AI score 7.4, EPSS 0.00294
Exploits: 2
Amazon, added 2021/09/08

Important: glib2

Issue Overview: An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption. CVE-2021-27219 Affected...

CVSS 7.5, AI score 8.3, EPSS 0.01091
Exploits: 1
Amazon, added 2021/09/08

Important: java-1.8.0-openjdk

Issue Overview: Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerabilit...

CVSS 7.5, AI score 5.9, EPSS 0.00694
Exploits: 0
Amazon, added 2021/09/08

Medium: golang

Issue Overview: A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity. CVE-2021-33197 A fl...

CVSS 7.5, AI score 6.7, EPSS 0.00917
Exploits: 3
Amazon, added 2021/09/08

Important: lasso

Issue Overview: An XML Signature Wrapping (XSW) vulnerability was found in Lasso. This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from th...

CVSS 7.5, AI score 7.6, EPSS 0.00639
Exploits: 0
Amazon, added 2021/09/08

Important: postgresql-jdbc

Issue Overview: A flaw was found in PostgreSQL JDBC in versions prior to 42.2.13. An XML External Entity (XXE) weakness was found in PostgreSQL JDBC. The highest threat from this vulnerability is to data confidentiality and system availability. CVE-2020-13692 Affected Packages: postgresql-jdbc Issu...

CVSS 7.7, AI score 7.9, EPSS 0.07801
Exploits: 0
Amazon, added 2021/09/08

Medium: curl

Issue Overview: A flaw was found in libcurl in the way libcurl handles previously used connections without accounting for 'issuer cert' and comparing the involved paths case-insensitively. This flaw allows libcurl to use the wrong connection. The highest threat from this vulnerability is to...

CVSS 4.3, AI score 6.5, EPSS 0.0056
Exploits: 2
Amazon, added 2021/09/08

Low: tomcat7

Issue Overview: A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to...

CVSS 6.5, AI score 7.9, EPSS 0.00123
Exploits: 0
Amazon, added 2021/08/16

Important: kernel

Issue Overview: A flaw was found in the Linux kernel's KVM implementation, where improper handling of the VM_IO|VM_PFNMAP VMAs in KVM bypasses RO checks and leads to pages being freed while still accessible by the VMM and guest. This flaw allows users who can start and control a VM to read/write...

CVSS 8.7, AI score 6.6, EPSS 0.00014
Exploits: 1
Amazon, added 2021/08/05

Medium: curl

Issue Overview: A flaw was found in libcurl from versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl's multi API, and sets the CURLOPT_CONNECT_ONLY option, might experience libcurl using the wrong connection. The highest threat from this vulnerability is to...

CVSS 7.5, AI score 6.7, EPSS 0.00742
Exploits: 3
Amazon, added 2021/08/05

Important: xstream

Issue Overview: A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2021-2950...

CVSS 8.8, AI score 7.8, EPSS 0.90349
Exploits: 1
Amazon, added 2021/08/05

Important: kernel

Issue Overview: A flaw was found in the Linux kernel, where a BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack. This issue occurs when the protection mechanism neglects the possibility of uninitialized memory locations on the BPF...

CVSS 7.8, AI score 6.3, EPSS 0.00214
Exploits: 2
Amazon, added 2021/08/05

Medium: golang

Issue Overview: A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. CVE-2021-33196 A flaw was found in golang. A panic can be triggered by an attacker in a privileged netwo...

CVSS 7.5, AI score 6.7, EPSS 0.00917
Exploits: 2
Amazon, added 2021/08/05

Important: java-1.8.0-openjdk

Issue Overview: Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1...

CVSS 7.5, AI score 6.2, EPSS 0.00694
Exploits: 0
Amazon, added 2021/08/05

Important: linuxptp

Issue Overview: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to da...

CVSS 8.8, AI score 8.9, EPSS 0.0542
Exploits: 0
Amazon, added 2021/07/21

Important: kernel-livepatch-4.14.231-173.360

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.231-173.360. Issue Correction: Please ensure you have live patching enabled. Run yum update kernel-livepatch-4.14.231-173.360 or yum update --advisory ALAS2LIVEPATCH-2021-058 to update your system. New...

CVSS 7.8, AI score 7, EPSS 0.01783
Exploits: 6
Amazon, added 2021/07/21

Important: kernel-livepatch-4.14.231-173.361

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.231-173.361. Issue Correction: Please ensure you have live patching enabled. Run yum update kernel-livepatch-4.14.231-173.361 or yum update --advisory ALAS2LIVEPATCH-2021-057 to update your system. New...

CVSS 7.8, AI score 7, EPSS 0.01783
Exploits: 6
Amazon, added 2021/07/21

Important: kernel-livepatch-4.14.232-176.381

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.232-176.381. Issue Correction: Please ensure you have live patching enabled. Run yum update kernel-livepatch-4.14.232-176.381 or yum update --advisory ALAS2LIVEPATCH-2021-054 to update your system. New...

CVSS 7.8, AI score 7, EPSS 0.00047
Exploits: 0
Amazon, added 2021/07/21

Medium: containerd

Issue Overview: A bug was discovered in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host's filesystem. Changes to file permissions can deny access to the expected owner of the file or widen access...

CVSS 6.8, AI score 6.4, EPSS 0.00405
Exploits: 2
Amazon, added 2021/07/21

Important: java-11-amazon-corretto

Issue Overview: Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerabilit...

CVSS 7.5, AI score 5.7, EPSS 0.00694
Exploits: 0
Amazon, added 2021/07/21

Important: kernel-livepatch-4.14.232-177.418

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.232-177.418. Issue Correction: Please ensure you have live patching enabled. Run yum update kernel-livepatch-4.14.232-177.418 or yum update --advisory ALAS2LIVEPATCH-2021-059 to update your system. New...

CVSS 7.8, AI score 7, EPSS 0.01783
Exploits: 6
Amazon, added 2021/07/21

Important: kernel

Issue Overview: An out-of-bounds write flaw was found in the Linux kernel's seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from no...

CVSS 7.8, AI score 7.3, EPSS 0.01783
Exploits: 6
Amazon, added 2021/07/21

Important: kernel-livepatch-4.14.232-176.381

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.232-176.381. Issue Correction: Please ensure you have live patching enabled. Run yum update kernel-livepatch-4.14.232-176.381 or yum update --advisory ALAS2LIVEPATCH-2021-056 to update your system. New...

CVSS 7.8, AI score 7, EPSS 0.01783
Exploits: 6
Amazon, added 2021/07/21

Important: kernel-livepatch-4.14.238-182.421

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.238-182.421. Issue Correction: Please ensure you have live patching enabled. Run yum update kernel-livepatch-4.14.238-182.421 or yum update --advisory ALAS2LIVEPATCH-2021-055 to update your system. New...

CVSS 7.8, AI score 7, EPSS 0.01783
Exploits: 6
Amazon, added 2021/07/21

Important: kernel

Issue Overview: An out-of-bounds write flaw was found in the Linux kernel's seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from no...

CVSS 7.8, AI score 7.3, EPSS 0.01783
Exploits: 6
Amazon, added 2021/07/16

Low: openssl

Issue Overview: An integer overflow was found in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. As per upstream: No EC algorithms are affected. Attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to...

CVSS 5.3, AI score 6.8, EPSS 0.02801
Exploits: 0
Amazon, added 2021/07/16

Medium: rpm

Issue Overview: A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highes...

CVSS 7, AI score 6.9, EPSS 0.00228
Exploits: 0
Amazon, added 2021/07/16

Important: libX11

Issue Overview: A missing validation flaw was found in libX11. This flaw allows an attacker to inject X11 protocol commands on X clients and, in some cases, also bypass authentication via injection of control characters, or potentially execute arbitrary code with permissions of the application...

CVSS 9.8, AI score 8.8, EPSS 0.05481
Exploits: 2
Amazon, added 2021/07/16

Important: velocity

Issue Overview: A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiali...

CVSS 9, AI score 7.9, EPSS 0.16401
Exploits: 0
Total number of security vulnerabilities: 8699