ALAS-2022-1608

Amazon Linux 1 (EOL) Security Advisory: ALAS-2022-1608
Advisory Released Date: 2022-07-07
Advisory Updated Date: 2022-07-07

Severity: Medium

References: CVE-2022-28391
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

An escape sequence injection attack was found in BusyBox on Alpine. For this issue to occur, a remote host's virtual terminal must contain an escape sequence, and the victim must then execute netstat. This flaw allows an attacker can inject arbitrary code, leading to a loss of integrity. (CVE-2022-28391)

Affected Packages:

busybox

Issue Correction:
Run yum update busybox to update your system.

New Packages:

i686:
    busybox-petitboot-1.34.1-1.14.amzn1.i686
    busybox-debuginfo-1.34.1-1.14.amzn1.i686
    busybox-1.34.1-1.14.amzn1.i686

src:
    busybox-1.34.1-1.14.amzn1.src

x86_64:
    busybox-petitboot-1.34.1-1.14.amzn1.x86_64
    busybox-1.34.1-1.14.amzn1.x86_64
    busybox-debuginfo-1.34.1-1.14.amzn1.x86_64

Additional References

Red Hat: CVE-2022-28391

Mitre: CVE-2022-28391