Amazon Linux 2 : gcc (ALAS-2023-2245)

medium Nessus Plugin ID 181359


The remote Amazon Linux 2 host is missing a security update.


The version of gcc installed on the remote host is prior to 7.3.1-17. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2023-2245 advisory.

- A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.


Run 'yum update gcc' to update your system.

See Also

Plugin Details

Severity: Medium

ID: 181359

File Name: al2_ALAS-2023-2245.nasl

Version: 1.2

Type: local

Agent: unix

Published: 9/13/2023

Updated: 9/21/2023

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent

Risk Information


Risk Factor: Low

Score: 3.3


Risk Factor: Medium

Base Score: 4

Temporal Score: 3.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2023-4039


Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:cpp, p-cpe:/a:amazon:linux:gcc, p-cpe:/a:amazon:linux:gcc-base-debuginfo, p-cpe:/a:amazon:linux:gcc-c%2b%2b, p-cpe:/a:amazon:linux:gcc-debuginfo, p-cpe:/a:amazon:linux:gcc-gdb-plugin, p-cpe:/a:amazon:linux:gcc-gfortran, p-cpe:/a:amazon:linux:gcc-gnat, p-cpe:/a:amazon:linux:gcc-go, p-cpe:/a:amazon:linux:gcc-objc, p-cpe:/a:amazon:linux:gcc-objc%2b%2b, p-cpe:/a:amazon:linux:gcc-plugin-devel, p-cpe:/a:amazon:linux:libatomic, p-cpe:/a:amazon:linux:libcilkrts, p-cpe:/a:amazon:linux:libgcc, p-cpe:/a:amazon:linux:libgccjit, p-cpe:/a:amazon:linux:libgccjit-devel, p-cpe:/a:amazon:linux:libgfortran, p-cpe:/a:amazon:linux:libgnat, p-cpe:/a:amazon:linux:libgo, p-cpe:/a:amazon:linux:libgomp, p-cpe:/a:amazon:linux:libitm, p-cpe:/a:amazon:linux:libmpx, p-cpe:/a:amazon:linux:libobjc, p-cpe:/a:amazon:linux:libquadmath, p-cpe:/a:amazon:linux:libsanitizer, p-cpe:/a:amazon:linux:libstdc%2b%2b, p-cpe:/a:amazon:linux:libstdc%2b%2b-docs, cpe:/o:amazon:linux:2

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/8/2023

Vulnerability Publication Date: 9/8/2023

Reference Information

CVE: CVE-2023-4039