Amazon Linux 2 Security Advisory: ALAS2-2023-2238
Advisory Released Date: 2023-09-05
Advisory Updated Date: 2025-09-23
A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentification with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability. (CVE-2022-27191)
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)
Affected Packages:
amazon-ssm-agent
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update amazon-ssm-agent or yum update --advisory ALAS2-2023-2238 to update your system.
aarch64:
amazon-ssm-agent-3.2.1377.0-1.amzn2.aarch64
amazon-ssm-agent-debuginfo-3.2.1377.0-1.amzn2.aarch64
src:
amazon-ssm-agent-3.2.1377.0-1.amzn2.src
x86_64:
amazon-ssm-agent-3.2.1377.0-1.amzn2.x86_64
amazon-ssm-agent-debuginfo-3.2.1377.0-1.amzn2.x86_64
2025-09-23: CVE-2021-43565 was removed from this advisory.
2025-09-23: CVE-2022-41723 was removed from this advisory.
2025-09-23: The severity of this advisory has been changed from important to medium.