awslabs/amazon-eks-ami

Kernel vulnerabilities in v20231230 build AMI

Closed this issue · 1 comment

We are building the worker node AMI using this repo.
After running the scan, we are getting vulnerabilities in kernel version 5.10.201-191.748.amzn2.x86_64.

Vulnerability Description:

The version of kernel installed on the remote host is prior to 5.10.205-195.804. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2024-045 advisory.

  - A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation. (CVE-2023-39198)

  - An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur. (CVE-2023-46862)

So could you please suggest the supported kernel version for EKS v1.26 worker nodes (> 5.10.205-195.804)?
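An added check, not code from this issue or from the amazon-eks-ami project, for confirming whether a node's running kernel meets the advisory's fixed version: it applies RPM-style version/release comparison to the two kernel strings quoted above. The `uname -r` layout of the running-kernel string and the regex used to drop the `.amzn2` dist and arch tags are assumptions, and RPM's `~`/`^` ordering rules are deliberately left out.

```python
import platform
import re

# Values quoted in the issue: the kernel the scanner flagged and the fixed
# version named in the ALAS2KERNEL-5.10-2024-045 text it reproduced.
REPORTED_KERNEL = "5.10.201-191.748.amzn2.x86_64"
FIXED_EVR = "5.10.205-195.804"

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified RPM segment comparison: -1 if a < b, 0 if equal, 1 if a > b.
    Digit runs compare numerically, letter runs lexically, a digit run beats a
    letter run, and when one side runs out of segments the longer side wins.
    The '~' (pre-release) and '^' rules of real rpmvercmp are not implemented."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_vr(kernel: str) -> tuple[str, str]:
    """'5.10.201-191.748.amzn2.x86_64' -> ('5.10.201', '191.748').
    The arch and dist tags are dropped because the advisory's fixed
    version-release string omits them (assumed tag layout)."""
    version, _, release = kernel.partition("-")
    release = re.sub(r"\.(x86_64|aarch64|noarch)$", "", release)
    release = re.sub(r"\.(amzn\d+|el\d+)$", "", release)
    return version, release


def kernel_is_fixed(running: str, fixed: str) -> bool:
    """True when the running kernel is at or beyond the advisory's fixed version."""
    rv, rr = split_vr(running)
    fv, fr = split_vr(fixed)
    c = rpm_vercmp(rv, fv) or rpm_vercmp(rr, fr)
    return c >= 0


if __name__ == "__main__":
    # On a Linux node compare the live kernel; elsewhere fall back to the issue's value.
    running = platform.release() if platform.system() == "Linux" else REPORTED_KERNEL
    print(f"{running}: {'fixed' if kernel_is_fixed(running, FIXED_EVR) else 'VULNERABLE'}")
```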

This is addressed in today’s release. Please open an AWS Support ticket for security issues in the future.