QID 357349

Date Published: 2024-03-26

QID 357349: Amazon Linux Security Advisory for rpm : ALAS2023-2024-573

A race condition vulnerability was found in rpm.
A local unprivileged user could use this flaw to bypass the checks that were introduced in response to( CVE-2017-7500 and( CVE-2017-7501, potentially gaining root privileges.
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (
( CVE-2021-35937) a symbolic link issue was found in rpm.
It occurs when rpm sets the desired permissions and credentials after installing a file.
A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system.
( CVE-2021-35938) it was found that the fix for( CVE-2017-7500 and( CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created.
A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges.
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. this issue requires that the attacker have admin privileges on the target system, and be able to own and modify system files.
Considering the tradeoff between the stability of amazon linux and the impact of( CVE-2021-35939 a fix will not be provided for amazon linux 1, amazon linux 2 and amazon linux 2023 at this time. (
( CVE-2021-35939)

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.

CVSS V3 rated as High - 6.7 severity.

CVSS V2 rated as Medium - 5.4 severity.

Solution

Please refer to Amazon advisory: ALAS2023-2024-573 for affected packages and patching details, or update with your package manager.

Vendor References

ALAS2023-2024-573 - alas.aws.amazon.com/AL2023/ALAS-2024-573.html

CVEs related to QID 357349

CVE-2021-35938 | CVE-2021-35939 | CVE-2021-35937 |

Software Advisories

Advisory ID	Software	Component	Link
ALAS2023-2024-573	amazon linux 2023		alas.aws.amazon.com/AL2023/ALAS-2024-573.html

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].