Amazon ALAS-2023-2340
Nov 09, 2023 - 7:19 p.m.

Important: kernel

2023-11-09 19:19:00
alas.aws.amazon.com
linux
jfs filesystem
vulnerability
crash
cve-2023-3397
performance events
privilege escalation
cve-2023-5717
amazon linux 2
yum update
aarch64
i686
x86_64
red hat
mitre

CVSS3: 7.8 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.4 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 13.2%)

Issue Overview:

2024-06-06: CVE-2023-52477 was added to this advisory.

A race condition between two functions, lmLogClose() and txEnd(), in the Linux kernel’s JFS filesystem can lead to a use-after-free vulnerability and crash. (CVE-2023-3397)

In the Linux kernel, the following vulnerability has been resolved:

usb: hub: Guard against accesses to uninitialized BOS descriptors (CVE-2023-52477)

A heap out-of-bounds write vulnerability in the Linux kernel’s Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.

If perf_read_group() is called while an event’s sibling_list is smaller than its child’s sibling_list, it can increment or write to memory locations outside of the allocated buffer.

We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06. (CVE-2023-5717)

Affected Packages:

kernel

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update kernel to update your system.
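
To confirm the correction took effect, the following check (an added example, not part of the Amazon advisory) compares a kernel release string against the fixed build 4.14.328-248.540.amzn2 from the New Packages list. The function names are hypothetical, and GNU `sort -V` is assumed as an approximation of RPM version ordering for this naming scheme.

```shell
#!/bin/sh
# Added example: the fixed build comes from this advisory's "New Packages" list.
FIXED="4.14.328-248.540.amzn2"

# Drop a trailing architecture suffix from a release string such as `uname -r`.
strip_arch() {
    printf '%s\n' "$1" | sed -E 's/\.(x86_64|aarch64|i686)$//'
}

# Print "fixed", "vulnerable" or "not-applicable" for one kernel release string.
alas_2340_status() {
    rel=$(strip_arch "$1")
    case "$rel" in
        4.14.*.amzn2) ;;   # AL2 Core kernel line, the one this advisory covers
        *) echo "not-applicable"; return 0 ;;   # other kernel lines: not this advisory
    esac
    # Version-sort both strings; the release is fixed when FIXED sorts first
    # (or the two are equal).
    lowest=$(printf '%s\n%s\n' "$rel" "$FIXED" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED" ]; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# The running kernel is what matters: an updated package does not replace
# the kernel in memory until the host is rebooted.
echo "running $(uname -r): $(alas_2340_status "$(uname -r)")"

# Installed kernel packages, when rpm is available on the host.
if rpm -q kernel >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel | while read -r v; do
        echo "installed $v: $(alas_2340_status "$v")"
    done
fi
```

A host that reports a fixed installed package but a vulnerable running kernel has been updated without a reboot.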

New Packages:

aarch64:  
    kernel-4.14.328-248.540.amzn2.aarch64  
    kernel-headers-4.14.328-248.540.amzn2.aarch64  
    kernel-debuginfo-common-aarch64-4.14.328-248.540.amzn2.aarch64  
    perf-4.14.328-248.540.amzn2.aarch64  
    perf-debuginfo-4.14.328-248.540.amzn2.aarch64  
    python-perf-4.14.328-248.540.amzn2.aarch64  
    python-perf-debuginfo-4.14.328-248.540.amzn2.aarch64  
    kernel-tools-4.14.328-248.540.amzn2.aarch64  
    kernel-tools-devel-4.14.328-248.540.amzn2.aarch64  
    kernel-tools-debuginfo-4.14.328-248.540.amzn2.aarch64  
    kernel-devel-4.14.328-248.540.amzn2.aarch64  
    kernel-debuginfo-4.14.328-248.540.amzn2.aarch64  
  
i686:  
    kernel-headers-4.14.328-248.540.amzn2.i686  
  
src:  
    kernel-4.14.328-248.540.amzn2.src  
  
x86_64:  
    kernel-4.14.328-248.540.amzn2.x86_64  
    kernel-headers-4.14.328-248.540.amzn2.x86_64  
    kernel-debuginfo-common-x86_64-4.14.328-248.540.amzn2.x86_64  
    perf-4.14.328-248.540.amzn2.x86_64  
    perf-debuginfo-4.14.328-248.540.amzn2.x86_64  
    python-perf-4.14.328-248.540.amzn2.x86_64  
    python-perf-debuginfo-4.14.328-248.540.amzn2.x86_64  
    kernel-tools-4.14.328-248.540.amzn2.x86_64  
    kernel-tools-devel-4.14.328-248.540.amzn2.x86_64  
    kernel-tools-debuginfo-4.14.328-248.540.amzn2.x86_64  
    kernel-devel-4.14.328-248.540.amzn2.x86_64  
    kernel-debuginfo-4.14.328-248.540.amzn2.x86_64  
    kernel-livepatch-4.14.328-248.540-1.0-0.amzn2.x86_64  

Additional References

Red Hat: CVE-2023-3397, CVE-2023-52477, CVE-2023-5717

Mitre: CVE-2023-3397, CVE-2023-52477, CVE-2023-5717
