CVE-2023-5717

Public on 2023-10-25
Modified on 2024-04-26
Description
A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.

If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.

We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.
Severity
Important severity
Important
CVSS v3 Base Score
7.8
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 kernel 2023-11-10 ALAS-2023-1883 Fixed
Amazon Linux 2 - Core kernel 2023-11-09 ALAS2-2023-2340 Fixed
Amazon Linux 2 - Kernel-5.10 Extra kernel 2023-11-09 ALAS2KERNEL-5.10-2023-043 Fixed
Amazon Linux 2 - Kernel-5.15 Extra kernel 2023-11-09 ALAS2KERNEL-5.15-2023-030 Fixed
Amazon Linux 2 - Kernel-5.4 Extra kernel 2023-11-09 ALAS2KERNEL-5.4-2023-056 Fixed
Amazon Linux 2023 kernel 2023-11-09 ALAS2023-2023-430 Fixed
Amazon Linux 2023 kernel-livepatch-6.1.49-69.116 2023-12-06 ALAS2023LIVEPATCH-2023-025 Fixed
Amazon Linux 2023 kernel-livepatch-6.1.49-70.116 2023-12-06 ALAS2023LIVEPATCH-2023-026 Fixed
Amazon Linux 2023 kernel-livepatch-6.1.52-71.125 2023-12-06 ALAS2023LIVEPATCH-2023-024 Fixed
Amazon Linux 2023 kernel-livepatch-6.1.55-75.123 2023-12-06 ALAS2023LIVEPATCH-2023-023 Fixed
Amazon Linux 2023 kernel-livepatch-6.1.56-82.125 2023-12-06 ALAS2023LIVEPATCH-2023-021 Fixed
Amazon Linux 2023 kernel-livepatch-6.1.59-84.139 2023-12-06 ALAS2023LIVEPATCH-2023-022 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD CVSSv3 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2023-5717 Mitre: CVE-2023-5717