Amazon Linux AMI : bash (ALAS-2017-878)
High Nessus Plugin ID 102866
Synopsis
The remote Amazon Linux AMI host is missing a security update.
Description
popd controlled free:
A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash, resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401)
Arbitrary code execution via malicious hostname:
An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634)
Specially crafted SHELLOPTS+PS4 variables allow command substitution:
An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543)
Solution
Run 'yum update bash' to update your system.