QID 353135
Date Published: 2022-02-01
QID 353135: Amazon Linux Security Advisory for kernel : ALAS2KERNEL-5.4-2022-016
A flaw was found in the Linux kernel's implementation of Btrfs free space management, where the kernel does not correctly manage the lifetime of internal data structures used.
An attacker could use this flaw to corrupt memory or escalate privileges. (CVE-2019-19448)
A use-after-free flaw was found in the debugfs_remove function in the Linux kernel.
The flaw could allow a local attacker with special user (or root) privilege to crash the system at the time of file or directory removal.
This vulnerability can lead to a kernel information leak.
The highest threat from this vulnerability is to system availability. (CVE-2019-19770)
A flaw was found in the Linux kernel, where it allows userspace processes, for example, a guest VM, to directly access h/w devices via its VFIO driver modules.
The VFIO modules allow users to enable or disable access to the device's MMIO memory address spaces.
If a user attempts to read or write the device's MMIO address space when it is disabled, some h/w devices issue an interrupt to the CPU to indicate a fatal error condition, crashing the system.
This flaw allows a guest user or process to crash the host system, resulting in a denial of service. (CVE-2020-12888)
A memory out-of-bounds read flaw was found in the Linux kernel's ext3/ext4 file system, in the way it accesses a directory with broken indexing.
This flaw allows a local user to crash the system if the directory exists. (CVE-2020-14314)
A flaw was found in the Linux kernel.
A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. (CVE-2020-14385)
A flaw was found in the Linux kernel.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
- ALAS2KERNEL-5.4-2022-016 - alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2022-016.html
CVEs related to QID 353135
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALAS2KERNEL-5.4-2022-016 | Amazon Linux 2 | | |