Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2024-2475

Related Vulnerabilities: CVE-2023-52429   CVE-2023-6270   CVE-2024-23849  

dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count. (CVE-2023-52429) A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. (CVE-2023-6270) In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access. (CVE-2024-23849)

Source

ALAS-2024-2475

Amazon Linux 2 Security Advisory: ALAS-2024-2475
Advisory Release Date: 2024-02-29 10:03 Pacific
Advisory Updated Date: 2024-03-04 12:00 Pacific
Severity: Important
Issue Overview:

dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count. (CVE-2023-52429)

A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. (CVE-2023-6270)

In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access. (CVE-2024-23849)


Affected Packages:

kernel


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update kernel to update your system.

New Packages:
aarch64:
    kernel-4.14.336-257.562.amzn2.aarch64
    kernel-headers-4.14.336-257.562.amzn2.aarch64
    kernel-debuginfo-common-aarch64-4.14.336-257.562.amzn2.aarch64
    perf-4.14.336-257.562.amzn2.aarch64
    perf-debuginfo-4.14.336-257.562.amzn2.aarch64
    python-perf-4.14.336-257.562.amzn2.aarch64
    python-perf-debuginfo-4.14.336-257.562.amzn2.aarch64
    kernel-tools-4.14.336-257.562.amzn2.aarch64
    kernel-tools-devel-4.14.336-257.562.amzn2.aarch64
    kernel-tools-debuginfo-4.14.336-257.562.amzn2.aarch64
    kernel-devel-4.14.336-257.562.amzn2.aarch64
    kernel-debuginfo-4.14.336-257.562.amzn2.aarch64

i686:
    kernel-headers-4.14.336-257.562.amzn2.i686

src:
    kernel-4.14.336-257.562.amzn2.src

x86_64:
    kernel-4.14.336-257.562.amzn2.x86_64
    kernel-headers-4.14.336-257.562.amzn2.x86_64
    kernel-debuginfo-common-x86_64-4.14.336-257.562.amzn2.x86_64
    perf-4.14.336-257.562.amzn2.x86_64
    perf-debuginfo-4.14.336-257.562.amzn2.x86_64
    python-perf-4.14.336-257.562.amzn2.x86_64
    python-perf-debuginfo-4.14.336-257.562.amzn2.x86_64
    kernel-tools-4.14.336-257.562.amzn2.x86_64
    kernel-tools-devel-4.14.336-257.562.amzn2.x86_64
    kernel-tools-debuginfo-4.14.336-257.562.amzn2.x86_64
    kernel-devel-4.14.336-257.562.amzn2.x86_64
    kernel-debuginfo-4.14.336-257.562.amzn2.x86_64
    kernel-livepatch-4.14.336-257.562-1.0-0.amzn2.x86_64

Additional References

Red Hat: CVE-2023-52429, CVE-2023-6270, CVE-2024-23849

Mitre: CVE-2023-52429, CVE-2023-6270, CVE-2024-23849

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started