Strix
26.1K

CVE-2022-46174

MEDIUMCVSS 4.2/10EPSS 0.59%

Last modified

CVE-2022-46174 is a medium-severity vulnerability rated 4.2/10 on the CVSS scale. efs-utils is a set of Utilities for Amazon Elastic File System (EFS). A potential race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below. EPSS estimates a 0.59% chance of exploitation in the next 30 days.

Description

efs-utils is a set of Utilities for Amazon Elastic File System (EFS). A potential race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below. When using TLS to mount file systems, the mount helper allocates a local port for stunnel to receive NFS connections prior to applying the TLS tunnel. In affected versions, concurrent mount operations can allocate the same local port, leading to either failed mount operations or an inappropriate mapping from an EFS customer’s local mount points to that customer’s EFS file systems. This issue is patched in version v1.34.4. There is no recommended work around. We recommend affected users update the installed version of efs-utils to v1.34.4 or later.

Metrics

CVSS 3.1
4.2/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

EPSS Probability
0.59%

43.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
AmazonEfs-Utils< 1.34.4
AmazonElastic File System Container Storage Interface Driver< 1.4.8

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2022-46174?
efs-utils is a set of Utilities for Amazon Elastic File System (EFS). A potential race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below. When using TLS to mount file systems, the mount helper allocates a local port for stunnel to receive NFS connections prior to applying the TLS tunnel. In affected versions, concurrent mount operations can allocate the same local port, leading to either failed mount operations or an inappropriate mapping from an EFS customer’s local mount points to that customer’s EFS file systems. This issue is patched in version v1.34.4. There is no recommended work around. We recommend affected users update the installed version of efs-utils to v1.34.4 or later.
How severe is CVE-2022-46174?
CVE-2022-46174 has a CVSS score of 4.2/10 (MEDIUM severity). The EPSS model estimates a 0.59% probability of exploitation in the next 30 days.
How do I fix CVE-2022-46174?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-46174?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST