As an example, the following piece of code causes a SYSTEM log file to be created with the value of /etc/passwd:

This can be used to inject a back door in the server log file.

Thanks to Julien Lavialle of SecuriLab for reporting this issue. The affected versions of Amazon AWS VPN Client are 2.0.0 and earlier.

Mitigations

The issue can be mitigated by applying a filter on the configuration file validation with the following command:

set system variable aws-vpn-client-log-file-location /var/log/awsvpnclient.log

CVE-2018-90009

A buffer overflow issue was found in Amazon AWS SDK for Go 1.4.6. A malicious AWS client application can send an overly large request to an AWS server which will lead to a buffer overflow in the server. This can be used to introduce a remote code execution vulnerability in the server.

Thanks to Dawid Golunski of Tencent for reporting this issue. The affected versions of Amazon AWS SDK for Go are 1.4.6 and earlier.

Mitigations

This can be mitigated by updating the Amazon AWS SDK for Go to the latest version.

CVE-2018-90010

A denial of service vulnerability was found in Amazon AWS SDK for Go 1.4.6. A malicious AWS client application can send an overly large request to an AWS server which will lead to a

What is the Amazon Web Services (AWS) SDK?

The Amazon Web Services (AWS) SDK for Go is a software development kit, which helps in building applications on the Amazon Web Services platform. The SDK has been developed in an open-source way and is maintained by the community.

What is the Apache Software Foundation (ASF) Software Assurance Program?

The Apache Software Foundation (ASF) Software Assurance Program provides a way for businesses to fund the continued development of open source projects, supporting the communities that make up the software foundation.

The ASF offers two different types of programs: the Apache License, Version 2.0 (ALv2), and the Apache License, Version 3.0 (ALv3). The ALv2 is similar to a donation model where users can choose to support open source software in whatever amount they feel comfortable with. There is no lock-in commitment or term requirements on how long an individual or business can participate. This program is also redistributable at any time with no additional licensing costs or restrictions. The ALv3 requires a one-time non-renewable payment from a company and has exclusive rights over some code names such as "Apache", "Apache HTTP Server", and "Apache Hadoop", among others.

The ASF’s stated goals are:
"to promote participation in and evolution of Open Source software; to establish standards for Open Source software; to provide public recognition for pioneering contributors; to award prizes to individuals who advance Open Source technology; to recognize achievement through awards, scholarships, and other means; and to provide resources for education in computers."

Timeline

Published on: 04/14/2022 16:15:00 UTC
Last modified on: 05/13/2022 12:37:00 UTC