The version of kernel installed on the remote host is prior to 5.10.155-138.670. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2022-023 advisory.

    2024-05-23: CVE-2021-47103 was added to this advisory.

    A memory overflow vulnerability was found in the Linux kernel's ipc functionality of the memcg subsystem,     in the way a user calls the semget function multiple times, creating semaphores. This flaw allows a local     user to starve the resources, causing a denial of service. The highest threat from this vulnerability is     to system availability. (CVE-2021-3759)

    In the Linux kernel, the following vulnerability has been resolved:

    inet: fully convert sk->sk_rx_dst to RCU rules (CVE-2021-47103)

    A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this     vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to     memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue.
    The identifier VDB-211021 was assigned to this vulnerability. (CVE-2022-3524)

    A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the     function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF.
    The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211042 is     the identifier assigned to this vulnerability. (CVE-2022-3542)

    A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the     function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The     manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated     identifier of this vulnerability is VDB-211087. (CVE-2022-3564)

    A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this     vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The     manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to     apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
    (CVE-2022-3594)

    A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race     problem. This flaw leads to a denial of service issue. (CVE-2023-0590)

    An out-of-bounds memory access flaw was found in the Linux kernel's TUN/TAP device driver functionality in     how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows     a local user to crash or potentially escalate their privileges on the system. (CVE-2023-3812)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2 : kernel (ALASKERNEL-5.10-2022-023)

high Nessus Plugin ID 168520

Version 1.5