Vulmon
Amazon Linux 2 Security Advisory: ALAS-2024-2483
Advisory Release Date: 2024-02-29 10:03 Pacific
Advisory Updated Date: 2024-03-04 12:00 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
EDK2's Network Package is susceptible to an out-of-bounds read
vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This
vulnerability can be exploited by an attacker to gain unauthorized
access and potentially lead to a loss of Confidentiality. (CVE-2023-45229)
EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This
vulnerability can be exploited by an attacker to gain unauthorized
access and potentially lead to a loss of Confidentiality, Integrity and/or Availability. (CVE-2023-45230)
EDK2's Network Package is susceptible to an out-of-bounds read
vulnerability when processing Neighbor Discovery Redirect message. This
vulnerability can be exploited by an attacker to gain unauthorized
access and potentially lead to a loss of Confidentiality. (CVE-2023-45231)
EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This
vulnerability can be exploited by an attacker to gain unauthorized
access and potentially lead to a loss of Availability. (CVE-2023-45232)
EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This
vulnerability can be exploited by an attacker to gain unauthorized
access and potentially lead to a loss of Availability. (CVE-2023-45233)
EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message. This
vulnerability can be exploited by an attacker to gain unauthorized
access and potentially lead to a loss of Confidentiality, Integrity and/or Availability. (CVE-2023-45234)
EDK2's Network Package is susceptible to a buffer overflow vulnerability when
handling Server ID option
from a DHCPv6 proxy Advertise message. This
vulnerability can be exploited by an attacker to gain unauthorized
access and potentially lead to a loss of Confidentiality, Integrity and/or Availability. (CVE-2023-45235)
Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack
The package openssl098e is provided purely for binary compatibility with older Amazon Linux versions. It does not receive security updates. (CVE-2024-0727)
Affected Packages:
edk2
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update edk2 to update your system.
aarch64:
edk2-tools-20200801stable-1.amzn2.0.4.aarch64
edk2-debuginfo-20200801stable-1.amzn2.0.4.aarch64
noarch:
edk2-tools-python-20200801stable-1.amzn2.0.4.noarch
edk2-tools-doc-20200801stable-1.amzn2.0.4.noarch
edk2-ovmf-20200801stable-1.amzn2.0.4.noarch
edk2-aarch64-20200801stable-1.amzn2.0.4.noarch
src:
edk2-20200801stable-1.amzn2.0.4.src
x86_64:
edk2-tools-20200801stable-1.amzn2.0.4.x86_64
edk2-debuginfo-20200801stable-1.amzn2.0.4.x86_64