Amazon Linux AMI 2: CVE-2023-35812: Security patch for openssh (ALAS-2023-2202)
Description
An issue was discovered in the Amazon Linux packages of OpenSSH 7.4 for Amazon Linux 1 and 2, because of an incomplete fix for CVE-2019-6111 within these specific packages. The fix had only covered cases where an absolute path is passed to scp. When a relative path is used, there is no verification that the name of a file received by the client matches the file requested. Fixed packages are available with numbers 7.4p1-22.78.amzn1 and 7.4p1-22.amzn2.0.2.
Solution(s)
- amazon-linux-ami-2-upgrade-openssh
- amazon-linux-ami-2-upgrade-openssh-askpass
- amazon-linux-ami-2-upgrade-openssh-cavs
- amazon-linux-ami-2-upgrade-openssh-clients
- amazon-linux-ami-2-upgrade-openssh-debuginfo
- amazon-linux-ami-2-upgrade-openssh-keycat
- amazon-linux-ami-2-upgrade-openssh-ldap
- amazon-linux-ami-2-upgrade-openssh-server
- amazon-linux-ami-2-upgrade-openssh-server-sysvinit
- amazon-linux-ami-2-upgrade-pam_ssh_agent_auth
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center