Thank you for the reply. But I’m not understanding. The page says that Amazon Linux is not affected. How can that be? Does Amazon somehow protect against the vulnerability besides simply updating OpenSSL to the latest version?
You can check Amazon Linux Security Center for CVEs that may affect Amazon Linux.
For CVE-2023-4807, the corresponding page is at https://explore.alas.aws.amazon.com/CVE-2023-4807.html. As per that page:
Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications on the
Windows 64 platform when running on newer X86_64 processors supporting the
AVX512-IFMA instructions
This affects Windows 64. Linux is not mentioned.
If you would like to report a vulnerability or have a security concern regarding AWS cloud services or open source projects, you can report it as per the Vulnerability Reporting site.
I have the same question for CVE-2023-0464, CVE-2023-0465, CVE-2023-0466. This does impact Amazon Linux 2023 and when I run the command "dnf update openssl --releasever 2023.0.20230517" it says that there is nothing to do. I would expect this because the server is patched to the latest version. I have applied all patches to the server and every update says that there is nothing to do. This is still failing the security scan from a third party vendor.
$ sudo dnf update openssl --releasever 2023.0.20230517
Last metadata expiration check: 0:18:21 ago on Thu Feb 29 11:45:36 2024.
Dependencies resolved.
Nothing to do.
Complete!
$ openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
The Amazon Linux Security Center at https://alas.aws.amazon.com/ shows the CVEs and when they were addressed.
And this link: https://aws.amazon.com/amazon-linux-2/faqs/#Amazon_Linux_Security explains the Linux backporting and security policy, and includes this line: "Security scanners that rely on versioning from a project’s authors sometimes won’t pick up that a given CVE fix has been applied in an older version"
Though to me the function of version numbers is defeated if changes from later versions are added to an old version, without changing the version number. It takes extra steps to determine what is fixed and what isn't.
I believe AWS has backported the fix to openssl 3.0.8, therefore the specified update does include the fix even though the openssl version remains 3.0.8.
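An added shell example (my own, not code from this thread or from AWS) of the "extra step" a backport requires: instead of trusting the upstream version string that `openssl version` prints, read the RPM changelog and find the package build that mentions the CVE. The changelog text below is constructed to resemble `rpm -q --changelog openssl` output, and the function names are mine.

```shell
#!/bin/sh
# Constructed sample in the shape of `rpm -q --changelog openssl`; the dates,
# builds and CVE-to-build mapping are made up for illustration only.
SAMPLE_CHANGELOG='* Mon Sep 11 2023 Example Builder <builder@example.com> - 1:3.0.8-1.amzn2023.0.6
- Backport fixes for CVE-2023-3817 and CVE-2023-3446
* Tue May 16 2023 Example Builder <builder@example.com> - 1:3.0.8-1.amzn2023.0.4
- Backport fixes for CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
* Tue Feb 07 2023 Example Builder <builder@example.com> - 1:3.0.8-1.amzn2023.0.1
- Update to OpenSSL 3.0.8'

# Reads changelog text on stdin and prints the epoch:version-release of the
# newest build whose entry mentions $1 (a CVE id, matched case-insensitively).
# Exit status 1 when no entry mentions the CVE.
fix_release_for_cve() {
  awk -v cve="$1" '
    /^\* / { evr = $NF; next }                 # header line: last field is the build EVR
    index(toupper($0), toupper(cve)) && !found { print evr; found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Live check on an RPM-based host: compare the installed build with the build
# whose changelog entry names the CVE. Not exercised by the offline demo below.
check_installed_cve() {
  pkg="$1"; cve="$2"
  installed=$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' "$pkg") || return 2
  if fixed=$(rpm -q --changelog "$pkg" | fix_release_for_cve "$cve"); then
    echo "$pkg $installed: $cve addressed in build $fixed"
  else
    echo "$pkg $installed: no changelog entry mentions $cve"
    return 1
  fi
}

# Offline demo on the constructed changelog: the upstream version stays 3.0.8
# throughout, so only the release suffix tells the builds apart.
for cve in CVE-2023-0464 CVE-2023-4807; do
  if build=$(printf '%s\n' "$SAMPLE_CHANGELOG" | fix_release_for_cve "$cve"); then
    echo "$cve: fixed in build $build"
  else
    echo "$cve: not mentioned in changelog"
  fi
done
```

On a real host, `check_installed_cve openssl CVE-2023-0464` gives the answer a version-only scanner cannot: whether the installed `3.0.8-1.amzn2023.0.x` build is at or past the one that carried the backport.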
I have updated my post. CVE seems to affect Windows only.