ALAS2KERNEL-5.4-2022-018

Related Vulnerabilities: CVE-2020-14351, CVE-2020-25656, CVE-2020-25668, CVE-2020-25704, CVE-2020-27673, CVE-2020-27675, CVE-2020-28974

Amazon Linux 2 Security Advisory: ALASKERNEL-5.4-2022-018
Advisory Release Date: 2022-01-20 19:50 Pacific
Advisory Updated Date: 2022-01-28 17:22 Pacific
Severity: Important

Issue Overview:

A use-after-free memory flaw was found in the Linux kernel's perf subsystem, allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14351)

A use-after-free was found in the way the Linux kernel's console subsystem was using the ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to read memory out of bounds. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-25656)

A use-after-free flaw was found in the Linux kernel's TTY driver functionality in the way the user triggers the con_font_op function. This flaw allows a local user to crash or escalate their privileges on the system or expose sensitive information (kernel memory). (CVE-2020-25668)

A memory leak flaw was found in the Linux kernel's performance monitoring subsystem when using PERF_EVENT_IOC_SET_FILTER. This flaw allows a local user to exhaust resources, causing a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25704)

An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271. (CVE-2020-27673)

An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5. (CVE-2020-27675)

An out-of-bounds (OOB) SLAB memory access flaw was found in the Linux kernel's fbcon driver module. A bounds check failure allows a local attacker with special user privileges to gain access to out-of-bounds memory, leading to a system crash or leaking of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2020-28974)


Affected Packages:

kernel


Issue Correction:
Run yum update kernel to update your system.

New Packages:
aarch64:
    kernel-5.4.80-40.140.amzn2.aarch64
    kernel-headers-5.4.80-40.140.amzn2.aarch64
    kernel-debuginfo-common-aarch64-5.4.80-40.140.amzn2.aarch64
    perf-5.4.80-40.140.amzn2.aarch64
    perf-debuginfo-5.4.80-40.140.amzn2.aarch64
    python-perf-5.4.80-40.140.amzn2.aarch64
    python-perf-debuginfo-5.4.80-40.140.amzn2.aarch64
    kernel-tools-5.4.80-40.140.amzn2.aarch64
    kernel-tools-devel-5.4.80-40.140.amzn2.aarch64
    kernel-tools-debuginfo-5.4.80-40.140.amzn2.aarch64
    kernel-devel-5.4.80-40.140.amzn2.aarch64
    kernel-debuginfo-5.4.80-40.140.amzn2.aarch64

i686:
    kernel-headers-5.4.80-40.140.amzn2.i686

src:
    kernel-5.4.80-40.140.amzn2.src

x86_64:
    kernel-5.4.80-40.140.amzn2.x86_64
    kernel-headers-5.4.80-40.140.amzn2.x86_64
    kernel-debuginfo-common-x86_64-5.4.80-40.140.amzn2.x86_64
    perf-5.4.80-40.140.amzn2.x86_64
    perf-debuginfo-5.4.80-40.140.amzn2.x86_64
    python-perf-5.4.80-40.140.amzn2.x86_64
    python-perf-debuginfo-5.4.80-40.140.amzn2.x86_64
    kernel-tools-5.4.80-40.140.amzn2.x86_64
    kernel-tools-devel-5.4.80-40.140.amzn2.x86_64
    kernel-tools-debuginfo-5.4.80-40.140.amzn2.x86_64
    kernel-devel-5.4.80-40.140.amzn2.x86_64
    kernel-debuginfo-5.4.80-40.140.amzn2.x86_64
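
As an added example (not part of the original advisory), the script below classifies a kernel release string against the fixed build 5.4.80-40.140.amzn2 from the package list above, and reports the running kernel separately from the installed packages, because an updated kernel package only takes effect after a reboot. The function names and the `fixed` / `needs-update` / `not-covered` labels are this example's own.

```shell
#!/bin/sh
# Added example: compare kernel builds against the fixed build in this advisory.
FIXED="5.4.80-40.140.amzn2"   # from the "New Packages" list

# Drop a trailing architecture suffix such as .x86_64 or .aarch64.
strip_arch() {
    printf '%s\n' "$1" | sed -E 's/\.(x86_64|aarch64|i686)$//'
}

# ver_ge A B: succeed when build A >= build B, comparing the five numeric
# fields (e.g. 5 4 80 40 140) left to right as numbers, not as strings.
ver_ge() {
    a=$(printf '%s\n' "$1" | sed 's/-/./g')
    b=$(printf '%s\n' "$2" | sed 's/-/./g')
    for i in 1 2 3 4 5; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# classify RELEASE: print fixed, needs-update, or not-covered (not a 5.4 amzn2
# build, so this advisory says nothing about it).
classify() {
    rel=$(strip_arch "$1")
    if ! printf '%s\n' "$rel" | grep -Eq '^5\.4\.[0-9]+-[0-9]+\.[0-9]+\.amzn2$'; then
        echo not-covered
    elif ver_ge "$rel" "$FIXED"; then
        echo fixed
    else
        echo needs-update
    fi
}

# The running kernel stays on the old build until reboot, so report it
# separately from the installed packages.
echo "running $(uname -r): $(classify "$(uname -r)")"
if command -v rpm >/dev/null 2>&1; then
    rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' 2>/dev/null |
    while read -r k; do echo "installed $k: $(classify "$k")"; done
fi
```

A host that shows `installed ...: fixed` but `running ...: needs-update` has the update on disk and still needs a reboot.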