AWS Inspector told me my instance had an issue "CVE-2023-46813 - kernel-headers, kernel-devel and 1 more". Looking at the affected packages:
| Name | Installed version | Fixed version |
| --- | --- | --- |
| kernel-headers | 0:5.10.198-187.748.amzn2.X86_64 | 0:5.15.137-91.144.amzn2 |
| kernel-devel | 0:5.10.198-187.748.amzn2.X86_64 | 0:5.15.137-91.144.amzn2 |
| kernel | 0:5.10.198-187.748.amzn2.X86_64 | 0:5.15.137-91.144.amzn2 |

^- I found that my instance was running kernel 5.10 and needs to be upgraded to 5.15. I've tried many ways, but it's still failing.
The recommended:
yum update kernel-headers
yum update kernel-devel
yum update kernel
^- did not update my kernel
Following the post (https://repost.aws/knowledge-center/amazon-linux-2-kernel-upgrade) to use amazon-linux-extras:
$ uname -r
5.10.198-187.748.amzn2.x86_64
$ sudo amazon-linux-extras |grep kernel
_ kernel-5.4 available [ =stable ]
55 kernel-5.10=latest enabled [ =stable ]
62 kernel-5.15 available [ =stable ]
$ sudo amazon-linux-extras disable kernel-5.10
$ sudo amazon-linux-extras install kernel-5.15 -y
$ sudo amazon-linux-extras install kernel-5.15 -y
Installing kernel
Loaded plugins: priorities, update-motd, versionlock
Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-kernel-5.15
15 metadata files removed
6 sqlite files removed
0 metadata files removed
Loaded plugins: priorities, update-motd, versionlock
amzn2-core | 3.6 kB 00:00:00
amzn2extra-docker | 2.9 kB 00:00:00
amzn2extra-kernel-5.15 | 3.0 kB 00:00:00
(1/7): amzn2-core/2/x86_64/group_gz | 2.7 kB 00:00:00
(2/7): amzn2-core/2/x86_64/updateinfo | 760 kB 00:00:00
(3/7): amzn2extra-docker/2/x86_64/primary_db | 105 kB 00:00:00
(4/7): amzn2extra-kernel-5.15/2/x86_64/updateinfo | 30 kB 00:00:00
(5/7): amzn2extra-kernel-5.15/2/x86_64/primary_db | 13 MB 00:00:00
(6/7): amzn2extra-docker/2/x86_64/updateinfo | 13 kB 00:00:00
(7/7): amzn2-core/2/x86_64/primary_db | 69 MB 00:00:00
Nothing to do
2 httpd_modules available [ =1.0 =stable ]
3 memcached1.5 available \
[ =1.5.1 =1.5.16 =1.5.17 ]
9 R3.4 available [ =3.4.3 =stable ]
10 rust1 available \
[ =1.22.1 =1.26.0 =1.26.1 =1.27.2 =1.31.0 =1.38.0
=stable ]
18 libreoffice available \
[ =5.0.6.2_15 =5.3.6.1 =stable ]
19 gimp available [ =2.8.22 ]
20 †docker=latest enabled \
[ =17.12.1 =18.03.1 =18.06.1 =18.09.9 =stable ]
21 mate-desktop1.x available \
[ =1.19.0 =1.20.0 =stable ]
22 GraphicsMagick1.3 available \
[ =1.3.29 =1.3.32 =1.3.34 =stable ]
23 †tomcat8.5 available \
[ =8.5.31 =8.5.32 =8.5.38 =8.5.40 =8.5.42 =8.5.50
=stable ]
24 epel available [ =7.11 =stable ]
25 testing available [ =1.0 =stable ]
26 ecs available [ =stable ]
27 †corretto8 available \
[ =1.8.0_192 =1.8.0_202 =1.8.0_212 =1.8.0_222 =1.8.0_232
=1.8.0_242 =stable ]
32 lustre2.10 available \
[ =2.10.5 =2.10.8 =stable ]
33 †java-openjdk11 available [ =11 =stable ]
34 lynis available [ =stable ]
36 BCC available [ =0.x =stable ]
37 mono available [ =5.x =stable ]
38 nginx1 available [ =stable ]
40 mock available [ =stable ]
43 livepatch available [ =stable ]
44 †python3.8 available [ =stable ]
45 haproxy2 available [ =stable ]
46 collectd available [ =stable ]
47 aws-nitro-enclaves-cli available [ =stable ]
48 R4 available [ =stable ]
_ kernel-5.4 available [ =stable ]
50 selinux-ng available [ =stable ]
52 tomcat9 available [ =stable ]
53 unbound1.13 available [ =stable ]
54 †mariadb10.5 available [ =stable ]
55 kernel-5.10 available [ =stable ]
56 redis6 available [ =stable ]
57 †ruby3.0 available [ =stable ]
58 †postgresql12 available [ =stable ]
59 †postgresql13 available [ =stable ]
60 mock2 available [ =stable ]
61 dnsmasq2.85 available [ =stable ]
62 kernel-5.15=latest enabled [ =stable ]
63 †postgresql14 available [ =stable ]
64 firefox available [ =stable ]
65 lustre available [ =stable ]
66 †php8.1 available [ =stable ]
67 awscli1 available [ =stable ]
68 †php8.2 available [ =stable ]
69 dnsmasq available [ =stable ]
70 unbound1.17 available [ =stable ]
72 collectd-python3 available [ =stable ]
† Note on end-of-support. Use 'info' subcommand.
$ sudo amazon-linux-extras |grep kernel
_ kernel-5.4 available [ =stable ]
55 kernel-5.10 available [ =stable ]
62 kernel-5.15=latest enabled [ =stable ]
$ rpm -qa |grep kernel
kernel-devel-5.10.198-187.748.amzn2.x86_64
kernel-5.10.198-187.748.amzn2.x86_64
kernel-headers-5.10.198-187.748.amzn2.x86_64
^- Even after I ran sudo amazon-linux-extras install kernel-5.15 -y, I'm still not seeing 5.15 inside my rpm after I reboot, it's still 5.10.
My instance information:
$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
Am I doing something wrong, or why is 5.15 failing to install? Not sure if relevant, but I believe this instance was created via EKS.
Thank you for trying this out and showing that it is supposed to work - I did end up finding my issue, which was that I needed to remove my versionlock.
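
The cause named in the last comment can be checked directly: the yum output above loads the `versionlock` plugin, and a lock on the kernel packages makes `yum` report "Nothing to do" while the scanner keeps flagging the old version. The script below is an added example, not part of the original thread; the function names and the sample lock list are constructed, and it assumes lock entries of the form `EPOCH:NAME-VERSION-RELEASE.ARCH`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list yum versionlock entries that pin
# kernel packages below the version a scanner reports as fixed.
# Lock entries look like EPOCH:NAME-VERSION-RELEASE.ARCH, where ARCH is often "*".

# Constructed sample; kernel versions mirror the rpm -qa output in the question,
# the docker entry is made up.
sample_locks() {
  cat <<'EOF'
0:kernel-5.10.198-187.748.amzn2.*
0:kernel-devel-5.10.198-187.748.amzn2.*
0:kernel-headers-5.10.198-187.748.amzn2.*
0:docker-20.10.25-1.amzn2.0.3.*
EOF
}

# stdin: lock entries; stdout: "name version-release" per entry.
parse_locks() {
  grep -Ev '^[[:space:]]*(#|!|$)' |
    sed -E 's/^[0-9]+://; s/\.[^.]*$//; s/^(.*)-([^-]+)-([^-]+)$/\1 \2-\3/'
}

# $1: fixed version-release; stdin: lock entries.
# Prints kernel packages locked below $1. sort -V approximates RPM ordering.
stale_kernel_locks() {
  local fixed="$1" name vr lowest
  parse_locks | while read -r name vr; do
    case "$name" in
      kernel|kernel-devel|kernel-headers) ;;
      *) continue ;;
    esac
    lowest=$(printf '%s\n%s\n' "$vr" "$fixed" | sort -V | head -n1)
    if [ "$vr" != "$fixed" ] && [ "$lowest" = "$vr" ]; then
      echo "$name locked at $vr (fix needs $fixed)"
    fi
  done
}

# Demo on the sample. On a host, feed it the plugin's list instead, e.g.
#   stale_kernel_locks 5.15.137-91.144.amzn2 < /etc/yum/pluginconf.d/versionlock.list
sample_locks | stale_kernel_locks "5.15.137-91.144.amzn2"
```

Entries it reports can be removed with `yum versionlock delete` (or all locks with `yum versionlock clear`), after which `yum update kernel` can resolve the newer package again.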