QID 357333

Date Published: 2024-03-19

QID 357333: Amazon Linux Security Advisory for edk2 : ALAS2-2024-2502

A NULL pointer dereference flaw was found in OpenSSL. A remote attacker able to control the arguments of the GENERAL_NAME_cmp function could cause an application compiled with OpenSSL to crash, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-1971)

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. (CVE-2021-23840)

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash, leading to a potential denial of service attack. (CVE-2021-23841)

A flaw was found in OpenSSL. A server crash and denial of service could occur if a client sends a TLSv1.2 renegotiation ClientHello that omits the signature_algorithms extension but includes a signature_algorithms_cert extension. (CVE-2021-3449)

A flaw was found in OpenSSL. The highest threat from this vulnerability is to data confidentiality and integrity.

Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as Critical - 10 severity.
  • Solution
    Please refer to Amazon advisory ALAS2-2024-2502 for affected packages and patching details, or update with your package manager.
  • Vendor References
    Software Advisories
    Advisory ID: ALAS2-2024-2502
    Software Component: Amazon Linux 2
    Link: alas.aws.amazon.com/AL2/ALAS-2024-2502.html