Resource Exhaustion Affecting kernel package, versions <0:4.14.262-200.489.amzn2
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-AMZN2-KERNEL-2395636
- published 8 Feb 2022
- disclosed 5 Jan 2022
Introduced: 5 Jan 2022
CVE-2021-28712 Open this link in a new tabHow to fix?
Upgrade Amazon-Linux:2
kernel
to version 0:4.14.262-200.489.amzn2 or higher.
This issue was patched in ALAS2-2022-1749
.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel
package and not the kernel
package as distributed by Amazon-Linux
.
See How to fix?
for Amazon-Linux:2
relevant fixed versions and status.
Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28712
- https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html
- https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html
- https://www.debian.org/security/2022/dsa-5050
- https://www.debian.org/security/2022/dsa-5096
- https://xenbits.xenproject.org/xsa/advisory-391.txt