ALAS2023-2023-126


Amazon Linux 2023 Security Advisory: ALAS2023-2023-126
Advisory Released Date: 2023-03-22
Advisory Updated Date: 2023-03-22
Severity: Important

Issue Overview:

A vulnerability was found in device-mapper-multipath. It allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users who are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. The issue occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root. (CVE-2022-3787)

A vulnerability was found in device-mapper-multipath. It allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users who are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root. (CVE-2022-41973)


Affected Packages:

device-mapper-multipath


Issue Correction:
Run one of the following commands to update your system:

    dnf update device-mapper-multipath --releasever 2023.0.20230322
    dnf update --advisory ALAS2023-2023-126 --releasever 2023.0.20230322

More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    device-mapper-multipath-debuginfo-0.8.7-16.amzn2023.0.1.aarch64
    kpartx-debuginfo-0.8.7-16.amzn2023.0.1.aarch64
    device-mapper-multipath-debugsource-0.8.7-16.amzn2023.0.1.aarch64
    libdmmp-0.8.7-16.amzn2023.0.1.aarch64
    libdmmp-devel-0.8.7-16.amzn2023.0.1.aarch64
    libdmmp-debuginfo-0.8.7-16.amzn2023.0.1.aarch64
    device-mapper-multipath-devel-0.8.7-16.amzn2023.0.1.aarch64
    kpartx-0.8.7-16.amzn2023.0.1.aarch64
    device-mapper-multipath-0.8.7-16.amzn2023.0.1.aarch64
    device-mapper-multipath-libs-debuginfo-0.8.7-16.amzn2023.0.1.aarch64
    device-mapper-multipath-libs-0.8.7-16.amzn2023.0.1.aarch64

src:
    device-mapper-multipath-0.8.7-16.amzn2023.0.1.src

x86_64:
    device-mapper-multipath-libs-debuginfo-0.8.7-16.amzn2023.0.1.x86_64
    kpartx-0.8.7-16.amzn2023.0.1.x86_64
    device-mapper-multipath-debugsource-0.8.7-16.amzn2023.0.1.x86_64
    libdmmp-debuginfo-0.8.7-16.amzn2023.0.1.x86_64
    libdmmp-0.8.7-16.amzn2023.0.1.x86_64
    kpartx-debuginfo-0.8.7-16.amzn2023.0.1.x86_64
    device-mapper-multipath-devel-0.8.7-16.amzn2023.0.1.x86_64
    device-mapper-multipath-0.8.7-16.amzn2023.0.1.x86_64
    libdmmp-devel-0.8.7-16.amzn2023.0.1.x86_64
    device-mapper-multipath-debuginfo-0.8.7-16.amzn2023.0.1.x86_64
    device-mapper-multipath-libs-0.8.7-16.amzn2023.0.1.x86_64