ALAS-2019-1309

Amazon Linux AMI Security Advisory: ALAS-2019-1309
Advisory Release Date: 2019-10-12 15:49 Pacific
Advisory Updated Date: 2019-10-14 17:12 Pacific
Severity: Important
References: CVE-2019-14287 

Issue Overview:

When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. (CVE-2019-14287)

Further details can be found here: https://www.sudo.ws/alerts/minus_1_uid.html
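As an added example (not part of the Amazon advisory or of the sudo project), the following Python script audits sudoers content for the configuration pattern the advisory describes: a user specification whose Runas list begins with the ALL keyword and then excludes root, either by name (!root) or by uid (!#0). Such entries rely on an exclusion that CVE-2019-14287 bypasses on unpatched sudo, so they are the ones worth reviewing after the update. The sample sudoers text is constructed for the demonstration; the parser handles only the common syntax shown (user specifications, Runas_Alias definitions, backslash line continuations) and is not a complete sudoers grammar.

```python
import re
from typing import Dict, List, Tuple

# Runas entries that exclude root by name or by numeric uid.
ROOT_NEGATIONS = {"!root", "!#0"}

# Line prefixes that are not user specifications and are skipped.
NON_USER_SPEC = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias",
                 "Runas_Alias", "#include", "@include")

# user host = (runas_users[:runas_groups]) ...  -- captures the Runas list.
USER_SPEC_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)")
RUNAS_ALIAS_RE = re.compile(r"^\s*Runas_Alias\s+(\w+)\s*=\s*(.+)$")

# Constructed sample; not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed sample sudoers for the demonstration
Defaults    env_reset
Runas_Alias NONROOT = ALL, !root
alice   ALL = (ALL, !root) /usr/bin/vi
bob     ALL = (ALL) NOPASSWD: /usr/bin/systemctl
carol   ALL = (NONROOT) /bin/bash
dave    ALL = (!root, ALL) /bin/ls
eve     ALL = (ALL, !#0) /usr/bin/less
%admins ALL = (ALL:ALL) ALL
frank   ALL = (ALL, \\
               !root) /bin/cat
"""


def _logical_lines(text: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines; return (first line number, joined text)."""
    result, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        result.append((start, buf + line))
        buf = ""
    if buf:
        result.append((start, buf))
    return result


def _split_list(s: str) -> List[str]:
    return [item.strip() for item in s.split(",") if item.strip()]


def _expand(entries: List[str], aliases: Dict[str, List[str]], depth: int = 0) -> List[str]:
    """Replace Runas_Alias names with their members (bounded recursion)."""
    out: List[str] = []
    for e in entries:
        if e in aliases and depth < 10:
            out.extend(_expand(aliases[e], aliases, depth + 1))
        else:
            out.append(e)
    return out


def find_vulnerable_runas(sudoers_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, user/group, line) for specs with ALL first and a root exclusion."""
    lines = _logical_lines(sudoers_text)
    aliases: Dict[str, List[str]] = {}
    for _, line in lines:
        m = RUNAS_ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = _split_list(m.group(2))

    findings = []
    for n, line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith(NON_USER_SPEC):
            continue
        m = USER_SPEC_RE.match(line)
        if not m:
            continue
        runas_users = m.group(3).split(":", 1)[0]  # drop the ":runas_groups" part
        entries = _expand(_split_list(runas_users), aliases)
        # The advisory's condition: ALL listed first, root excluded later in the list.
        if entries and entries[0] == "ALL" and ROOT_NEGATIONS.intersection(entries[1:]):
            findings.append((n, m.group(1), stripped))
    return findings


if __name__ == "__main__":
    for n, who, line in find_vulnerable_runas(SAMPLE_SUDOERS):
        print(f"line {n}: {who}: {line}")
```

Run it against /etc/sudoers and each file under /etc/sudoers.d after applying the update; a hit means the host depends on a root exclusion that unpatched sudo does not enforce, so confirm the fixed sudo package is installed and consider replacing the ALL keyword with an explicit list of permitted target users.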


Affected Packages:

sudo


Issue Correction:
Run yum update sudo to update your system.

New Packages:
i686:
    sudo-debuginfo-1.8.6p3-29.28.amzn1.i686
    sudo-devel-1.8.6p3-29.28.amzn1.i686
    sudo-1.8.6p3-29.28.amzn1.i686

src:
    sudo-1.8.6p3-29.28.amzn1.src

x86_64:
    sudo-devel-1.8.6p3-29.28.amzn1.x86_64
    sudo-debuginfo-1.8.6p3-29.28.amzn1.x86_64
    sudo-1.8.6p3-29.28.amzn1.x86_64