Amazon Linux Local Security Checks : Amazon Linux: Security Advisory (ALAS-2014-374)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 146377 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.120575

Kategorie: Amazon Linux Local Security Checks

Titel: Amazon Linux: Security Advisory (ALAS-2014-374)

Zusammenfassung: The remote host is missing an update for the 'python-simplejson' package(s) announced via the ALAS-2014-374 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'python-simplejson' package(s) announced via the ALAS-2014-374 advisory.

Vulnerability Insight:
It was reported that Python built-in _json module have a flaw (insufficient bounds checking), which allows a local user to read current process' arbitrary memory.

Quoting the upstream bug report:

The sole prerequisites of this attack are that the attacker is able to control or influence the two parameters of the default scanstring function: the string to be decoded and the index.

The bug is caused by allowing the user to supply a negative index value. The index value is then used directly as an index to an array in the C code, internally the address of the array and its index are added to each other in order to yield the address of the value that is desired. However, by supplying a negative index value and adding this to the address of the array, the processor's register value wraps around and the calculated value will point to a position in memory which isn't within the bounds of the supplied string, causing the function to access other parts of the process memory.

Affected Software/OS:
'python-simplejson' package(s) on Amazon Linux.

Solution:
Please install the updated package(s).

CVSS Score:
4.3

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2014-4616
BugTraq ID: 68119
http://www.securityfocus.com/bid/68119
https://security.gentoo.org/glsa/201503-10
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395
https://hackerone.com/reports/12297
http://openwall.com/lists/oss-security/2014/06/24/7
RedHat Security Advisories: RHSA-2015:1064
http://rhn.redhat.com/errata/RHSA-2015-1064.html
SuSE Security Announcement: openSUSE-SU-2014:0890 (Google Search)
http://lists.opensuse.org/opensuse-updates/2014-07/msg00015.html

Copyright Copyright (C) 2015 Greenbone AG

Dies ist nur einer von 146377 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.120575
Kategorie:	Amazon Linux Local Security Checks
Titel:	Amazon Linux: Security Advisory (ALAS-2014-374)
Zusammenfassung:	The remote host is missing an update for the 'python-simplejson' package(s) announced via the ALAS-2014-374 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'python-simplejson' package(s) announced via the ALAS-2014-374 advisory. Vulnerability Insight: It was reported that Python built-in _json module have a flaw (insufficient bounds checking), which allows a local user to read current process' arbitrary memory. Quoting the upstream bug report: The sole prerequisites of this attack are that the attacker is able to control or influence the two parameters of the default scanstring function: the string to be decoded and the index. The bug is caused by allowing the user to supply a negative index value. The index value is then used directly as an index to an array in the C code, internally the address of the array and its index are added to each other in order to yield the address of the value that is desired. However, by supplying a negative index value and adding this to the address of the array, the processor's register value wraps around and the calculated value will point to a position in memory which isn't within the bounds of the supplied string, causing the function to access other parts of the process memory. Affected Software/OS: 'python-simplejson' package(s) on Amazon Linux. Solution: Please install the updated package(s). CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2014-4616 BugTraq ID: 68119 http://www.securityfocus.com/bid/68119 https://security.gentoo.org/glsa/201503-10 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395 https://hackerone.com/reports/12297 http://openwall.com/lists/oss-security/2014/06/24/7 RedHat Security Advisories: RHSA-2015:1064 http://rhn.redhat.com/errata/RHSA-2015-1064.html SuSE Security Announcement: openSUSE-SU-2014:0890 (Google Search) http://lists.opensuse.org/opensuse-updates/2014-07/msg00015.html
Copyright	Copyright (C) 2015 Greenbone AG