Read our latest security bulletins here.
  1. Xen Security Advisories (XSA-372, 373, 374, 375, and 377)

    Initial Publication Date: 2021/06/08 3:30 PM PDT

    The Xen Security Team has released Xen Security Advisories 372, 373, 374, 375, and 377 regarding the Xen hypervisor. AWS customers’ data and instances are not affected by this issue, and no customer action is required.

  2. runC Security Issue (CVE-2021-30465)

    [V2] Last Updated: 2021/06/16 1:20 PM PDT

    This is an update for this issue.

    Binaries of AWS IoT Greengrass Core V1 (1.10.4 and 1.11.3) with patched runC are now available for download (https://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html). An updated Greengrass V2 Lambda Launcher v2.0.6 (https://docs.aws.amazon.com/greengrass/v2/developerguide/lambda-launcher-component.html) is also available in the AWS IoT console. We recommend Greengrass customers upgrade to the latest binaries and Lambda Launcher to incorporate the latest runC patch.

    [V1] Initial Publication Date: 2021/06/08 2:20 PM PDT

    You are viewing a previous version of this security bulletin.

    AWS is aware of the recently disclosed security issue in runC which is a component of many container management systems (CVE-2021-30465). With the exception of the AWS services listed below, no customer action is required to address this issue.


    Amazon Elastic Container Service (Amazon ECS)

    Amazon ECS has released updated ECS-optimized Amazon Machine Images (AMIs) with the patched container runtime on May 21, 2021. More information about the ECS-optimized AMI is available at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html.

    To resolve this issue in the meantime, we recommend that ECS customers perform a yum update --security to obtain this patch. More information is available at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-updates.html.


    Amazon Elastic Kubernetes Service (Amazon EKS)

    Amazon EKS has released updated EKS-optimized Amazon Machine Images (AMIs) with the patched container runtime. More information about the EKS-optimized AMI is available at https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

    We recommend that EKS customers replace all worker nodes to use the latest EKS-optimized AMI version. Instructions on updating worker nodes are available at https://docs.aws.amazon.com/eks/latest/userguide/update-workers.html.


    Bottlerocket 

    Amazon has released Bottlerocket AMIs and in-place updates. Updating to the latest in-place update or replacing instances with the latest AMIs will resolve this issue. 

    If you are using the Bottlerocket Update Operator for Kubernetes, you should expect nodes to begin updating within one day and all nodes within one week. Customers can upgrade faster manually via two API calls: apiclient set updates.ignore-waves=true and apiclient update apply --check --reboot. Once updates are completed, revert to the default setting with apiclient set updates.ignore-waves=false.


    Amazon Linux and Amazon Linux 2 

    An updated version of runc is available for Amazon Linux 2 extras repositories (*runc-1.0.0-0.2.20210225.git12644e6.amzn2*) and Amazon Linux AMI 2018.03 repositories (*runc-1.0.0-0.2.20210225.git12644e6.3.amzn1*). AWS recommends that customers using containers in Amazon Linux update to the latest version of runc and restart any running containers.
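    The following is an added shell check, not AWS-provided code, for confirming that the runc package on an Amazon Linux host is at or above the patched builds named above. The two patched version-release strings are the ones quoted in this bulletin; every "installed" value used in comments is a constructed sample. The installed_runc helper assumes rpm is present, as it is on Amazon Linux; the comparison itself is plain awk and runs anywhere.

```shell
#!/bin/sh
# Added example (not AWS-provided): check that the installed runc package is
# at or above the patched builds this bulletin names. The PATCHED_* strings
# are quoted from the bulletin; any "installed" values shown in comments are
# constructed samples.

PATCHED_AL2="1.0.0-0.2.20210225.git12644e6.amzn2"
PATCHED_AL1="1.0.0-0.2.20210225.git12644e6.3.amzn1"

# vercmp A B: prints -1, 0 or 1 as A is lower than, equal to, or higher than B.
# Both strings are split on '.' and '-' and compared segment by segment;
# all-digit segments compare numerically, anything else lexically, and a
# missing trailing segment sorts below a present one.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
      if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
      if (x < y) { print "-1"; exit }
      if (x > y) { print "1"; exit }
    }
    print "0"
  }'
}

# required_build INSTALLED: prints the patched build for the Amazon Linux
# generation that the package's dist tag identifies (amzn2 or amzn1);
# fails for any other tag, since this bulletin covers only those two.
required_build() {
  case "$1" in
    *.amzn2) echo "$PATCHED_AL2" ;;
    *.amzn1) echo "$PATCHED_AL1" ;;
    *) return 1 ;;
  esac
}

# runc_is_patched INSTALLED: exit 0 when INSTALLED is at or above the patched
# build for its generation, 1 when it is older, 2 when it is not an Amazon
# Linux build at all.
runc_is_patched() {
  required=$(required_build "$1") || return 2
  [ "$(vercmp "$1" "$required")" -ge 0 ]
}

# installed_runc: the version-release of the runc package on this host as rpm
# reports it, e.g. 1.0.0-0.2.20210225.git12644e6.amzn2 (Amazon Linux only).
installed_runc() {
  rpm -q runc --qf '%{VERSION}-%{RELEASE}\n'
}

# check_runc INSTALLED: prints a verdict and returns the runc_is_patched code.
check_runc() {
  runc_is_patched "$1" && status=0 || status=$?
  case "$status" in
    0) echo "runc $1: patched (at or above $(required_build "$1"))" ;;
    2) echo "runc $1: not an Amazon Linux build; check with your OS vendor" ;;
    *) echo "runc $1: older than the patched build; update runc and restart running containers" ;;
  esac
  return "$status"
}

# On a host, run:   check_runc "$(installed_runc)"
```

    Because the bulletin asks for a restart of running containers after the update, a passing check only shows the package on disk is patched; containers started before the update are still running the old runtime until they are restarted.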


    AWS Cloud9 

    An updated version of the AWS Cloud9 environment with Amazon Linux is available. By default, customers will have security patches applied on first boot. Customers who have existing EC2-based AWS Cloud9 environments should launch new instances from the latest AWS Cloud9 version. Further information is available in the Amazon Linux Security Center (https://alas.aws.amazon.com/). 

    AWS Cloud9 customers who use SSH environments that are not built with Amazon Linux should contact their operating system vendor for the updates necessary to address these issues.


    AWS IoT Greengrass 

    Updated AWS IoT Greengrass Core V1 binaries and Greengrass V2 Lambda Launcher will be available by June 15th as the latest versions of Greengrass. This bulletin will be updated once the patches are available.

    Greengrass uses the runC library to execute Lambda functions inside an OCI-compliant container on Greengrass Core devices. The Lambda functions deployed to Greengrass Cores are provided to Greengrass via authenticated and authorized cloud APIs, the authenticated and authorized local CLI (if enabled), or local root access. This means that Greengrass will only deploy and execute Lambda functions that were intended, and no action is necessary as long as Lambda functions are deployed from trusted sources. As a best practice, customers should only deploy Lambdas from trusted sources.


    AWS Deep Learning AMI

    Updated versions of the Deep Learning Base AMI and Deep Learning AMI for Amazon Linux and Amazon Linux 2 are available in the AWS EC2 console and AWS Marketplace. AWS recommends that customers who have used Docker with their Deep Learning Base AMI or Deep Learning AMI launch new instances of the latest AMI version (v35.0 or later for Deep Learning Base AMI on Amazon Linux, v38.0 or later for Deep Learning Base AMI on Amazon Linux 2, v45.0 or later for Deep Learning Base AMI on Amazon Linux and Amazon Linux 2). Additional information is available in the Amazon Linux Security Center.


    AWS Batch

    After AMI Update:
    An updated Amazon ECS Optimized AMI is available as the default Compute Environment AMI. We recommend that Batch customers replace their existing Compute Environments with the latest available AMI. Instructions for replacing the Compute Environment are available in the Batch product documentation (https://docs.aws.amazon.com/batch/latest/userguide/compute_environments.html#managed_compute_environments).
    Batch customers who do not use the default AMI should contact their operating system vendor for the updates necessary to address these issues. Instructions for Batch custom AMI are available in the Batch product documentation (https://docs.aws.amazon.com/batch/latest/userguide/create-batch-ami.html).


    AWS Elastic Beanstalk

    Updated AWS Elastic Beanstalk Docker-based platform versions are available. We recommend customers update immediately by going to the Managed Updates configuration page and clicking on the "Apply Now" button. Customers who have not enabled Managed Platform Updates can update their environment's platform version by following instructions here. Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no action required. Release notes are also available.


  3. Resolved: Application Load Balancer Session Ticket Issue

    Initial Publication Date: 2021/04/26 10:20 AM PDT

    On April 13th, 2021, AWS became aware of an edge case that affected how some Application Load Balancers (ALB) handled key rotation for TLS/SSL session ticket encryption. This edge case was introduced in September 2020 and resulted in a small percentage of ALB traffic intermittently using an uninitialized session ticket encryption key. The edge case was triggered primarily during quiet periods of activity. ALBs with a high variation of traffic, such as daily peaks and troughs, rarely triggered the edge case. Mitigation for the edge case began within 8 hours of discovery and was complete by April 16th, 2021. This issue has been completely resolved.

    TLS/SSL is the protocol that provides encryption in transit for HTTPS connections to ALBs. Session tickets are used to resume TLS/SSL sessions and contain an encrypted copy of the parameters used to encrypt the connection. Session tickets are primarily used when the client is a web browser. Connections that were affected by the edge case issue were encrypted and there were no outward signs of any issue. However, knowledge of the edge-case issue could theoretically be used to decrypt affected session tickets. In the very unlikely case that an affected connection was being observed, the parameters contained in an affected session ticket could be used to decrypt the connection.

    The AWS network includes existing defenses in depth against this kind of issue. As a result, ALB traffic between AWS data-centers, Availability Zones, Regions, Local Zones, and Outposts was fully protected by AWS Network encryption. ALB traffic between AWS networks and customer premises using the Amazon VPN or Amazon Direct Connect MACSEC services was also fully protected. AWS Network Load Balancers (NLBs), Classic Load Balancers (CLBs), and other Amazon Web Services were not affected by this issue.

    AWS would like to thank Simon Nachtigall, Sven Hebrok, Marcel Maehren, Robert Merget, and Juraj Somorovsky of Paderborn University and Ruhr University Bochum, Germany, for reporting this issue.

  4. Sudo Security Issue (CVE-2021-3156)

    [V2] Last Updated: 2021/01/27 1:00 PM PDT

    CVE Identifier: CVE-2021-3156

    This is an update for this issue.

    AWS is aware of the security issue recently disclosed by the open source community affecting the Linux "sudo" utility (CVE-2021-3156). This issue may permit unprivileged users to run privileged commands, or cause affected hosts to crash.

    Updated versions of sudo are available in the Amazon Linux and Amazon Linux 2 package repositories. Customers with existing EC2 instances running Amazon Linux should run the following command within each EC2 instance running Amazon Linux to ensure they receive the updated package:

    sudo yum update sudo

    We have released new versions of the Amazon Linux and Amazon Linux 2 AMIs that automatically include the updated kernel. AMI IDs for images with the updated kernels can be found at Amazon Linux 2018.03 AMI IDs, Amazon Linux 2 AMI IDs, and in the AWS Systems Manager Parameter Store.

    Customers not using Amazon Linux should contact their operating system vendor for any updates or instructions necessary to mitigate any potential concerns arising from these issues. More information is available at the Amazon Linux Security Center.

    AL1: https://alas.aws.amazon.com/ALAS-2021-1478.html
    AL2: https://alas.aws.amazon.com/AL2/ALAS-2021-1590.html

    [V1] Initial Publication Date: 2021/01/26 2:11 PM PDT

    CVE Identifier: CVE-2021-3156

    You are viewing a previous version of this security bulletin.

    AWS is aware of the security issue recently disclosed by the open source community affecting the Linux "sudo" utility (CVE-2021-3156). This issue may permit unprivileged users to run privileged commands. The sudo maintainers have published more information about this issue at https://www.sudo.ws/alerts/unescape_overflow.html.

    AWS infrastructure and services are not affected by this issue. As a general security best practice, we recommend that Amazon EC2 customers running Amazon Linux update their operating systems to install the latest version of sudo.

    Updated versions of sudo are available in the Amazon Linux and Amazon Linux 2 package repositories. Customers with existing EC2 instances running Amazon Linux should run the following command within each EC2 instance running Amazon Linux to ensure they receive the updated package:

    sudo yum update sudo

    Customers not using Amazon Linux should contact their operating system vendor for any updates or instructions necessary to mitigate any potential concerns arising from these issues. More information is available at the Amazon Linux Security Center.

    AL1: https://alas.aws.amazon.com/ALAS-2021-1478.html
    AL2: https://alas.aws.amazon.com/AL2/ALAS-2021-1590.html

  5. Xen Security Advisory (XSA-286)

    Initial Publication Date: 2020/10/23 5:00 PM PST

    -----

    AWS is aware of Xen Security Advisories XSA-286 (https://xenbits.xen.org/xsa/advisory-286.html), XSA-331 (https://xenbits.xen.org/xsa/advisory-331.html), XSA-332 (https://xenbits.xen.org/xsa/advisory-332.html), XSA-345 (https://xenbits.xen.org/xsa/advisory-345.html), XSA-346 (https://xenbits.xen.org/xsa/advisory-346.html), and XSA-347 (https://xenbits.xen.org/xsa/advisory-347.html) released by the Xen Security team on October 20th 2020.


    Xen Security Advisory (XSA-286)

    AWS customers' data and instances running on current generation instance types are not affected by this issue, and there is no customer action required. This is because current generation instance types use hardware virtual machine (HVM) virtualization.

    However, instances using paravirtual (PV) virtualization are affected by XSA-286 (https://xenbits.xen.org/xsa/advisory-286.html), which may enable guest users to escalate their privileges to those of the guest kernel. PV AMIs are only supported on older instance types C1, C3, HS1, M1, M3, M2, and T1. The current generation of instance types do not support PV AMIs and are therefore not affected.

    AWS has been recommending that customers stop using PV instances since our security bulletin (https://aws.amazon.com/security/security-bulletins/AWS-2018-013/) in March 2018. We continue to strongly recommend that customers stop using PV AMIs immediately and use HVM instead.

    Xen Security Advisories XSA-331, XSA-332, XSA-345, XSA-346 and XSA-347

    AWS customers' data and instances are not affected by these issues and there is no customer action required.