漏洞类别:Amazon Linux
漏洞等级: 
漏洞信息
Package updates are available for Amazon Linux that fix the following vulnerabilities: CVE-2016-4956: ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548. 1340860: CVE-2016-4956 ntp: broadcast interleave (incomplete fix for CVE-2016-1548) CVE-2016-4955: ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time. 1340858: CVE-2016-4955 ntp: autokey association reset CVE-2016-4954: The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication. 1302225: CVE-2016-4954 ntp: partial processing of spoofed packets CVE-2016-1548: It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. 1331462: CVE-2016-1548 ntp: ntpd switching to interleaved mode with spoofed packets CVE-2015-8139: 1300654: CVE-2015-8139 ntp: ntpq and ntpdc disclose origin timestamp to unauthenticated clients
漏洞危害
Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
解决方案
Administrators are advised to apply the appropriate software updates.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0day
文章评论