AWS Inspector Kernel CVE Findings - SFTP Gateway
TLDR - Quick Summary
Problem: AWS Inspector reports kernel CVEs on SFTP Gateway (Amazon Linux 2023)
Cause: Kernel patches require an Amazon Linux release upgrade, not a standard `dnf update`
Solution: Upgrade the release version, reboot, then remove old kernel packages
Key Command:
```bash
sudo dnf upgrade --releasever=2023.10.20260105 -y && sudo reboot
```
Post-fix: Remove old kernels with `sudo dnf remove -y kernel-<old-version>` to satisfy all security scanners
Overview
AWS Inspector may report multiple kernel-related CVEs on SFTP Gateway instances running Amazon Linux 2023. These findings are typically related to the kernel and kernel-tools packages and require an Amazon Linux release upgrade to resolve.
Note: AWS Inspector will report a clean scan after upgrading to the latest Amazon Linux 2023 release and rebooting. However, other security scanners may flag old kernel packages that remain installed on the system. To avoid triggering these scanners, you should remove old kernel packages after rebooting into the new kernel.
Problem
AWS Inspector flags kernel vulnerabilities where the installed version does not meet the required patched version:
| Package | Installed Version | Required Version |
|---|---|---|
| kernel | 6.1.156-177.286.amzn2023 | 6.1.159-181.297.amzn2023 |
| kernel-tools | 1:6.1.156-177.286.amzn2023 | 1:6.1.159-181.297.amzn2023 |
Note: Standard package updates (`dnf update` or `dnf update kernel-tools`) will report "Nothing to do" because the fix requires a newer Amazon Linux release version.
Root Cause
The kernel package updates are tied to Amazon Linux release versions. If your system is running an older release (e.g., 2023.9.20251105), the latest kernel patches are not available until you upgrade to a newer release version (e.g., 2023.10.20260105).
Resolution
Step 1: Check Current Release Version
```bash
grep VERSION_ID /etc/os-release
# or
cat /etc/system-release
```
Step 2: Check Available Updates
```bash
dnf check-update
```
If this shows no kernel-tools updates available, you need to upgrade the release version.
Step 3: Upgrade Amazon Linux Release
```bash
sudo dnf upgrade --releasever=2023.10.20260105 -y
```
Important: Replace 2023.10.20260105 with the latest available release version if a newer one exists.
Step 4: Reboot the Instance
```bash
sudo reboot
```
Step 5: Remove Old Kernel Packages (Recommended)
After rebooting, remove old kernel packages. While AWS Inspector will show a clean scan after the upgrade, other security scanners may flag old kernel packages that remain installed on the system.
List installed kernel packages:
```bash
rpm -q kernel kernel-tools
```
Example output showing old and new versions:
```text
kernel-6.1.156-177.286.amzn2023.x86_64
kernel-6.1.159-181.297.amzn2023.x86_64
kernel-tools-6.1.159-181.297.amzn2023.x86_64
```
Confirm which kernel is currently running:
```bash
uname -r
```
Example output:
```text
6.1.159-181.297.amzn2023.x86_64
```
Remove the old kernel package:
Remove any kernel package that does not match the running kernel version. In this example, we remove the old 6.1.156 kernel:
```bash
sudo dnf remove -y kernel-6.1.156-177.286.amzn2023.x86_64
```
Repeat for any other old kernel-related packages (kernel-devel, kernel-headers) if present.
Step 6: Verify Old Packages Are Removed
Confirm only the current kernel version remains installed:
```bash
rpm -q kernel kernel-tools
```
Expected output (single version only):
```text
kernel-6.1.159-181.297.amzn2023.x86_64
kernel-tools-6.1.159-181.297.amzn2023.x86_64
```
Verify you are running the new kernel:
```bash
uname -r
```
Expected output:
```text
6.1.159-181.297.amzn2023.x86_64
```
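The Step 5 and Step 6 logic generalized to every kernel-related package, as an added example that is not part of the SFTP Gateway documentation: given the output of `rpm -q` and the running release from `uname -r`, list each installed kernel package that is not the running kernel and build the matching `dnf remove` command. The helper names `stale_kernel_packages` and `remove_command` are hypothetical, and the sample `rpm -q` output is constructed from the versions shown above.

```bash
#!/usr/bin/env bash
# Added example: generalizes Step 5 to every kernel-related package.
# Helper names are hypothetical; the sample rpm output below is constructed.

# stale_kernel_packages RUNNING_RELEASE
#   stdin : lines from `rpm -q kernel kernel-tools kernel-devel kernel-headers`
#   stdout: each installed package whose version differs from RUNNING_RELEASE
stale_kernel_packages() {
  local running="$1" pkg ver
  while IFS= read -r pkg; do
    # rpm -q prints "package X is not installed" for absent packages; skip it
    case "$pkg" in *"is not installed") continue ;; esac
    # strip the package name; longer names first so "kernel-" does not eat "tools-"
    ver="${pkg#kernel-tools-}"
    ver="${ver#kernel-devel-}"
    ver="${ver#kernel-headers-}"
    ver="${ver#kernel-}"
    # the running kernel is never reported, so it can never be removed by mistake
    [ "$ver" = "$running" ] || printf '%s\n' "$pkg"
  done
}

# remove_command RUNNING_RELEASE
#   prints the dnf command for the stale packages; returns 1 when nothing is stale
remove_command() {
  local pkgs
  pkgs=$(stale_kernel_packages "$1" | tr '\n' ' ')
  pkgs="${pkgs% }"
  [ -n "$pkgs" ] || return 1
  printf 'sudo dnf remove -y %s\n' "$pkgs"
}

# Constructed sample matching the versions in Step 5 (not captured from a real host)
SAMPLE_RUNNING='6.1.159-181.297.amzn2023.x86_64'
SAMPLE_RPM_OUTPUT='kernel-6.1.156-177.286.amzn2023.x86_64
kernel-6.1.159-181.297.amzn2023.x86_64
kernel-tools-6.1.159-181.297.amzn2023.x86_64
package kernel-devel is not installed'

# Dry run on the sample; on a real instance feed the live data instead:
#   rpm -q kernel kernel-tools kernel-devel kernel-headers | remove_command "$(uname -r)"
printf '%s\n' "$SAMPLE_RPM_OUTPUT" | remove_command "$SAMPLE_RUNNING"
```

The script only prints the command, so the list can be reviewed before it is run; `kernel-headers` is included because Step 6 checks it, and it is reported whenever its version differs from the running kernel.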
Finding the Latest Release Version
To find available Amazon Linux 2023 release versions:
```bash
dnf --releasever=latest check-update
```
Or check the Amazon Linux 2023 Release Notes.
CVEs Addressed
This update addresses multiple kernel CVEs, including but not limited to the HIGH and MEDIUM severity findings that Inspector reports for these kernel versions.
Post-Remediation
After completing the upgrade and reboot:
1. Trigger an Inspector rescan by restarting the SSM agent:
```bash
sudo systemctl restart amazon-ssm-agent
```
2. Wait for Inspector to rescan (this may take several minutes to hours).
3. Verify findings are cleared in the AWS Inspector console.
4. If you removed old kernel packages (Step 5), verify only the current version remains:
```bash
rpm -q kernel kernel-tools kernel-devel kernel-headers 2>/dev/null | sort
```
Note: Inspector queries the SSM agent to get the list of installed packages. Restarting the SSM agent encourages a fresh inventory report, which can speed up the rescan process.