ALAS2ECS-2026-113

Amazon Linux 2 Security Advisory: ALAS2ECS-2026-113
Advisory Released Date: 2026-05-05
Advisory Updated Date: 2026-05-11

Severity: Important

References: CVE-2024-45807
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's 1.31 is using `oghttp` as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this Envoy will switch off the `oghttp2` by default. The impact of this issue is that envoy will crash. This issue has been addressed in release version 1.31.2. All users are advised to upgrade. There are no known workarounds for this issue. (CVE-2024-45807)

Affected Packages:

ecs-service-connect-agent

Note:

This advisory is applicable to Amazon Linux 2 - Ecs Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update ecs-service-connect-agent or yum update --advisory ALAS2ECS-2026-113 to update your system.

New Packages:

aarch64:
    ecs-service-connect-agent-v1.29.9.0-1.amzn2.aarch64

src:
    ecs-service-connect-agent-v1.29.9.0-1.amzn2.src

x86_64:
    ecs-service-connect-agent-v1.29.9.0-1.amzn2.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2024-45807

Mitre: CVE-2024-45807