Amazon Linux 2 Security Advisory: ALAS2-2025-2901
Advisory Released Date: 2025-06-24
Advisory Updated Date: 2025-06-24
A privilege escalation from host to domain vulnerability was found in the FreeIPA project. By default, the FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account, allowing users to create services with the same canonical name as the REALM admin. After a successful attack, the user can retrieve a Kerberos ticket in the name of this service that carries the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to, and exfiltration of, sensitive data. (CVE-2025-4404)
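As an added example (not code from the advisory or the FreeIPA project), the following check scans an LDIF export of the accounts subtree for `krbCanonicalName` values claimed by more than one entry, which is the collision the advisory describes. The sample LDIF, the realm EXAMPLE.TEST and the suffix dc=example,dc=test are constructed placeholders.

```python
import sys
from collections import defaultdict

# Constructed sample LDIF (not real data): a service entry carries the admin
# account's krbCanonicalName. Realm and suffix are placeholders for this example.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
krbPrincipalName: admin@EXAMPLE.TEST
krbCanonicalName: admin@EXAMPLE.TEST

dn: krbprincipalname=HTTP/ipa.example.test@EXAMPLE.TEST,cn=services,cn=accounts,
 dc=example,dc=test
krbPrincipalName: HTTP/ipa.example.test@EXAMPLE.TEST
krbCanonicalName: HTTP/ipa.example.test@EXAMPLE.TEST

dn: krbprincipalname=rogue/host.example.test@EXAMPLE.TEST,cn=services,cn=accounts,
 dc=example,dc=test
krbPrincipalName: rogue/host.example.test@EXAMPLE.TEST
krbCanonicalName: admin@EXAMPLE.TEST
"""


def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) per entry. A line starting with a
    space continues the previous line, as ldapsearch wraps long values.
    Base64 ("::") values are left as-is; they are not needed for this check."""
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        elif lines:
            dn, attrs = None, defaultdict(list)
            for line in lines:
                name, _, value = line.partition(":")
                if name.lower() == "dn":
                    dn = value.strip()
                else:
                    attrs[name.lower()].append(value.strip())
            yield dn, attrs
            lines = []


def find_duplicate_canonical_names(ldif_text):
    """Return {krbCanonicalName: [dn, ...]} for names held by more than one
    entry. Comparison is byte-exact on the stored attribute value."""
    owners = defaultdict(list)
    for dn, attrs in parse_ldif(ldif_text):
        for name in attrs.get("krbcanonicalname", []):
            owners[name].append(dn)
    return {name: dns for name, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    # Pass an LDIF file path to scan a real export; with no argument, scan the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for name, dns in find_duplicate_canonical_names(text).items():
        print(f"DUPLICATE krbCanonicalName {name}:")
        for dn in dns:
            print(f"  {dn}")
```

Any canonical name that resolves to both a user under cn=users and a service under cn=services deserves investigation, and is the condition the updated packages reject.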
Affected Packages:
ipa
Note:
This advisory is applicable to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run `yum update ipa` to update your system.
aarch64:
ipa-server-4.6.8-5.amzn2.17.2.aarch64
ipa-server-trust-ad-4.6.8-5.amzn2.17.2.aarch64
ipa-client-4.6.8-5.amzn2.17.2.aarch64
ipa-debuginfo-4.6.8-5.amzn2.17.2.aarch64
i686:
ipa-server-4.6.8-5.amzn2.17.2.i686
ipa-server-trust-ad-4.6.8-5.amzn2.17.2.i686
ipa-client-4.6.8-5.amzn2.17.2.i686
ipa-debuginfo-4.6.8-5.amzn2.17.2.i686
noarch:
python2-ipaserver-4.6.8-5.amzn2.17.2.noarch
ipa-server-common-4.6.8-5.amzn2.17.2.noarch
ipa-server-dns-4.6.8-5.amzn2.17.2.noarch
python2-ipaclient-4.6.8-5.amzn2.17.2.noarch
ipa-client-common-4.6.8-5.amzn2.17.2.noarch
ipa-python-compat-4.6.8-5.amzn2.17.2.noarch
python2-ipalib-4.6.8-5.amzn2.17.2.noarch
ipa-common-4.6.8-5.amzn2.17.2.noarch
src:
ipa-4.6.8-5.amzn2.17.2.src
x86_64:
ipa-server-4.6.8-5.amzn2.17.2.x86_64
ipa-server-trust-ad-4.6.8-5.amzn2.17.2.x86_64
ipa-client-4.6.8-5.amzn2.17.2.x86_64
ipa-debuginfo-4.6.8-5.amzn2.17.2.x86_64