ALAS2023-2025-1015

Amazon Linux 2023 Security Advisory: ALAS2023-2025-1015
Advisory Released Date: 2025-06-10
Advisory Updated Date: 2025-06-10

Severity: Medium

References: CVE-2024-40635
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. (CVE-2024-40635)

Affected Packages:

ecs-init

Issue Correction:
Run dnf update ecs-init --releasever 2023.7.20250609 to update your system.

New Packages:

aarch64:
    ecs-init-1.93.1-1.amzn2023.aarch64

src:
    ecs-init-1.93.1-1.amzn2023.src

x86_64:
    ecs-init-1.93.1-1.amzn2023.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2024-40635

Mitre: CVE-2024-40635