ALAS-2017-886


Amazon Linux 1 (EOL) Security Advisory: ALAS-2017-886
Advisory Released Date: 2017-08-31
Advisory Updated Date: 2024-02-10
Severity: Important

Issue Overview:

A new optional parameter, "umask", has been introduced in the cfn-hup.conf file to configure the cfn-hup daemon's umask.

The Amazon Web Services (AWS) CloudFormation bootstrap tools package (aka aws-cfn-bootstrap) before 1.4-19.10 allows local users to execute arbitrary code with root privileges by leveraging the ability to create files in an unspecified directory. (CVE-2017-9450)


Affected Packages:

aws-cfn-bootstrap


Issue Correction:
Run yum update aws-cfn-bootstrap to update your system.

New Packages:
noarch:
    aws-cfn-bootstrap-1.4-21.13.amzn1.noarch

src:
    aws-cfn-bootstrap-1.4-21.13.amzn1.src
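
The Issue Overview introduces the optional "umask" parameter in cfn-hup.conf. The following is an added example, not part of the advisory or of aws-cfn-bootstrap, that audits that setting after the update. It assumes the key sits in the file's [main] section and that a mask covering group and other write bits (022) is the local policy; the sample configuration is constructed.

```python
import configparser

# Assumption for this example: group and other write bits (022) must be masked.
REQUIRED_MASK = 0o022

# Constructed sample config; the stack name and region are placeholders.
SAMPLE_CONF = """\
[main]
stack=example-stack
region=us-east-1
umask=022
"""


def audit_cfn_hup_umask(conf_text):
    """Return (status, detail) for the umask key in a cfn-hup.conf body."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(conf_text)
    except configparser.Error as exc:
        return ("error", f"unparseable config: {type(exc).__name__}")
    if not parser.has_section("main"):
        return ("error", "no [main] section")
    raw = parser.get("main", "umask", fallback=None)
    if raw is None:
        return ("unset", "umask not set; the daemon's built-in default applies")
    try:
        value = int(raw.strip(), 8)  # umask values are octal, with or without a leading 0
    except ValueError:
        return ("error", f"umask {raw!r} is not an octal number")
    if not 0 <= value <= 0o777:
        return ("error", f"umask {raw!r} is out of range")
    # Bits required by policy that the configured umask fails to mask.
    unmasked = REQUIRED_MASK & ~value
    if unmasked:
        return ("weak", f"umask {value:03o} leaves write bits {unmasked:03o} unmasked")
    return ("ok", f"umask {value:03o}")


if __name__ == "__main__":
    print(audit_cfn_hup_umask(SAMPLE_CONF))
```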