Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
Amazon Linux Local Check: ALAS-2014-380
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
Amazon Linux Local Security Checks
Insight
Insight
It was reported that Python built-in _json module have a flaw (insufficient bounds checking), which allows a local user to read current process's arbitrary memory.Quoting the upstream bug report:The sole prerequisites of this attack are that the attacker is able to control or influence the two parameters of the default scanstring function: the string to be decoded and the index.The bug is caused by allowing the user to supply a negative index value. The index value is then used directly as an index to an array in the C code. Internally the address of the array and its index are added to each other in order to yield the address of the value that is desired. However, by supplying a negative index value and adding this to the address of the array, the processor's register value wraps around and the calculated value will point to a position in memory which isn't within the bounds of the supplied string, causing the function to access other parts of the process memory.
Solution
Solution
Run yum update python27 to update your system.