Amazon Web Services Security Bulletins


Reported AWS Glue Issue

13 January 2022, 9:42 pm

Initial Publication Date: 2022/01/13 13:00 PST

A security researcher recently reported an issue that allowed them to take actions as the AWS Glue service. Utilizing an AWS Glue feature, researchers obtained credentials specific to the service itself, and an AWS-internal misconfiguration permitted the researchers to use these credentials as the AWS Glue service. There is no way that this could have been used to affect customers who do not use the AWS Glue service.

No customer action is required.

AWS moved immediately to correct this issue when it was reported. Analysis of logs going back to the launch of the service has been conducted, and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer’s accounts were impacted. All actions taken by AWS Glue in a customer’s account are logged in CloudTrail records controlled and viewable by customers.
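As an added example (not part of the AWS bulletin), the following Python reads CloudTrail records of the kind the bulletin refers to and isolates the calls AWS Glue made in the account with a customer-owned role. It assumes, as CloudTrail does for calls a service makes on the customer’s behalf, that userIdentity.invokedBy carries the service principal glue.amazonaws.com and that sessionContext.sessionIssuer.arn names the role; the records, account ID, role and bucket names are constructed for the example.

```python
import json
from collections import Counter
from typing import Dict, List, Optional, Set

# Service principal CloudTrail records in userIdentity.invokedBy when AWS Glue
# calls into the customer's account with a customer-owned role (assumption for
# this example; confirm against your own trail).
GLUE_PRINCIPAL = "glue.amazonaws.com"

ACCOUNT = "111122223333"  # placeholder account ID
GLUE_ROLE = f"arn:aws:iam::{ACCOUNT}:role/GlueJobRole"


def _record(time, source, name, role_name, session, invoked_by=None, **params):
    """Build a trimmed CloudTrail-style record (constructed sample data, not real logs)."""
    identity = {
        "type": "AssumedRole",
        "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role_name}/{session}",
        "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/{role_name}"}},
    }
    if invoked_by:
        identity["invokedBy"] = invoked_by
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "requestParameters": params}


SAMPLE_RECORDS = [
    # Glue job reading its input and writing its output with the job role
    _record("2022-01-10T12:00:01Z", "s3.amazonaws.com", "GetObject", "GlueJobRole",
            "GlueJobRunnerSession", GLUE_PRINCIPAL,
            bucketName="example-raw-data", key="2022/01/10/part-0.parquet"),
    _record("2022-01-10T12:03:27Z", "s3.amazonaws.com", "PutObject", "GlueJobRole",
            "GlueJobRunnerSession", GLUE_PRINCIPAL,
            bucketName="example-curated-data", key="2022/01/10/part-0.parquet"),
    # Same role assumed by a person from the CLI: no invokedBy field at all
    _record("2022-01-10T12:05:44Z", "s3.amazonaws.com", "ListObjects", "GlueJobRole",
            "alice", None, bucketName="example-raw-data"),
    # A different service acting with a different role
    _record("2022-01-10T12:06:10Z", "logs.amazonaws.com", "CreateLogStream", "LambdaRole",
            "example-fn", "lambda.amazonaws.com", logGroupName="/aws/lambda/example-fn"),
]
SAMPLE_TRAIL_FILE = json.dumps({"Records": SAMPLE_RECORDS})


def load_trail_file(text: str) -> List[dict]:
    """Parse the body of a CloudTrail log file: a JSON object with a Records array."""
    return json.loads(text).get("Records", [])


def invoked_by(record: dict) -> Optional[str]:
    return record.get("userIdentity", {}).get("invokedBy")


def issuer_role(record: dict) -> Optional[str]:
    return (record.get("userIdentity", {}).get("sessionContext", {})
            .get("sessionIssuer", {}).get("arn"))


def actions_by_service(records: List[dict], service: str,
                       roles: Optional[Set[str]] = None) -> List[dict]:
    """Records where `service` acted in the account, optionally limited to given role ARNs."""
    return [r for r in records
            if invoked_by(r) == service and (roles is None or issuer_role(r) in roles)]


def summarize(records: List[dict]) -> Dict[str, int]:
    """Count 'eventSource:eventName via role' so unexpected API calls stand out."""
    return dict(Counter(f"{r['eventSource']}:{r['eventName']} via {issuer_role(r)}"
                        for r in records))


def outside_window(records: List[dict], start: str, end: str) -> List[dict]:
    """Records outside a known job-run window; same-format ISO-8601 'Z' strings compare lexically."""
    return [r for r in records if not start <= r["eventTime"] <= end]


if __name__ == "__main__":
    glue_calls = actions_by_service(load_trail_file(SAMPLE_TRAIL_FILE), GLUE_PRINCIPAL)
    for line, n in summarize(glue_calls).items():
        print(n, line)
    for r in outside_window(glue_calls, "2022-01-10T12:00:00Z", "2022-01-10T12:01:00Z"):
        print("outside run window:", r["eventTime"], r["eventName"])
```

CloudTrail’s LookupEvents API does not filter on invokedBy, so point this at the JSON log files a trail delivers to S3 (each file is one object with a Records array) or at the output of an Athena query over the same data. Glue’s own internal calls in the service account never appear in a customer trail; what the check gives you is the complete set of actions Glue took with your role, which you can then compare against your job-run history.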

We would like to thank Orca Security for reporting this issue.

Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

Reported AWS CloudFormation Issue

13 January 2022, 9:16 pm

Initial Publication Date: 2022/01/13 13:00 PST

Security researchers recently identified and reported an issue in AWS CloudFormation. Specifically, the reported issue was in the AWS CloudFormation service itself, which allowed viewing of some local configuration files on an AWS-internal host or attempted unauthenticated HTTP GET requests from the same host. The researchers utilized the HTTP GET capability to obtain a set of locally accessible credentials specific to the host. Neither the local configuration file access nor the host-specific credentials permitted access to any customer data or resources.

AWS took immediate action to correct this issue when it was reported and verified that the technique described by the researchers could not be used to access customer data or resources. Extensive log analysis has verified that the researchers’ activity was limited to the specific AWS CloudFormation host. AWS customers were not impacted by this reported concern, and no customer action is required.

We would like to thank Orca Security for reporting this issue.

Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

AWSSupportServiceRolePolicy Informational Update

Between December 21, 2021 at 23:48 UTC and December 22, 2021 at 08:23 UTC, the policy used by AWS Support automated systems – AWSSupportServiceRolePolicy – inadvertently included S3:GetObject permissions. This change has been reverted. While these permissions were temporarily present, they were not and could not be used – only a tightly controlled set of AWS support systems may assume the AWSSupportService role, and these systems do not provide the capability to access S3 objects even if permission is granted to the role. Regardless, we are implementing additional safeguards to prevent the Support policy from inadvertently granting data access permissions. All changes to AWS Managed Policies are publicly visible, and all access to S3 objects is recorded in S3 server access logs and CloudTrail data events.
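To make the public-visibility point actionable, here is an added Python example (not part of the AWS bulletin) that diffs two versions of a managed policy document and flags newly allowed actions that read or write customer data. The two policy excerpts are constructed stand-ins, not the real AWSSupportServiceRolePolicy text, and the list of data-access actions is an illustrative starting point to extend.

```python
import fnmatch
from typing import Dict, List, Set

# Actions that read or write customer data rather than describe configuration.
# Illustrative starting list (lower-cased: IAM action names are case-insensitive).
DATA_ACCESS_ACTIONS = (
    "s3:getobject", "s3:getobjectversion", "s3:putobject", "s3:deleteobject",
    "dynamodb:getitem", "dynamodb:batchgetitem", "dynamodb:query", "dynamodb:scan",
    "kms:decrypt", "secretsmanager:getsecretvalue", "ssm:getparameter",
    "rds-data:executestatement", "lambda:getfunction",
)

# Constructed excerpts standing in for two versions of a service-role policy.
# They are not the real AWSSupportServiceRolePolicy documents.
POLICY_V1 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy"],
         "Resource": "*"},
    ],
}
POLICY_V2 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy",
                    "S3:GetObject"],  # the inadvertent addition, in the bulletin's spelling
         "Resource": "*"},
    ],
}


def _as_list(value) -> list:
    """IAM allows a bare string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy: dict) -> Set[str]:
    """Lower-cased Action patterns from every Allow statement."""
    patterns: Set[str] = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything not listed; treat it as a full
            # wildcard so it can never slip through a diff unnoticed.
            patterns.add("*")
            continue
        patterns.update(a.lower() for a in _as_list(stmt.get("Action")))
    return patterns


def covered_data_actions(pattern: str) -> List[str]:
    """Data-access actions matched by an IAM action pattern (IAM wildcards are * and ?)."""
    return [a for a in DATA_ACCESS_ACTIONS if fnmatch.fnmatchcase(a, pattern.lower())]


def review_policy_change(old: dict, new: dict) -> Dict[str, object]:
    """Diff two policy versions; flag added patterns that reach data-access actions."""
    old_patterns = allowed_action_patterns(old)
    new_patterns = allowed_action_patterns(new)
    added = sorted(new_patterns - old_patterns)
    removed = sorted(old_patterns - new_patterns)
    flagged = {p: covered_data_actions(p) for p in added if covered_data_actions(p)}
    return {"added": added, "removed": removed, "data_access_added": flagged}


if __name__ == "__main__":
    report = review_policy_change(POLICY_V1, POLICY_V2)
    for pattern, actions in report["data_access_added"].items():
        print(f"WARNING: {pattern} newly allowed, grants data access: {', '.join(actions)}")
```

Fetch the real documents with aws iam list-policy-versions and aws iam get-policy-version --version-id vN for the managed policy’s ARN, and pass the two Document objects in. The diff looks only at Allow statements and action patterns; a change to Resource or Condition scoping, or a removed Deny, can widen access without adding an action, so review those fields as well.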

Apache Log4j2 Security Bulletin (CVE-2021-44228)

[V6] Last Updated Date: 2021/12/17 1:50 PM PST

AWS is aware of the recently disclosed issues relating to the open-source Apache “Log4j2” utility (CVE-2021-44228 and CVE-2021-45046).

Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers’ data and workloads.

We’ve taken this issue very seriously, and our world-class team of engineers has fully deployed the Amazon-developed Java hot patch to all AWS services. The hot patch updates the Java VM to disable the loading of the Java Naming and Directory Interface (JNDI) class, replacing it with a harmless notification message, which mitigates CVE-2021-44228 and CVE-2021-45046. We will shortly complete our deployment of the updated Log4j library to all of our services. More information about the Java hot patch is available at https://aws.amazon.com/blogs/security/open-source-hotpatch-for-apache-log4j-vulnerability/.

Even with this hot patch deployed, customers should still deploy an updated Log4j library as quickly as they safely can, like we’re doing across AWS.

For more details on how to detect and remediate the Log4j CVEs using AWS services, please read our most recent blog post here.

No further service-specific updates are required after this final bulletin.

If you need additional details or assistance, please contact AWS Support.

Amazon Connect

Amazon Connect has been updated to mitigate the issues identified in CVE-2021-44228.

We recommend customers evaluate components of their environment which are outside of the Amazon Connect service boundary (such as Lambda functions that are called from contact flows) which may require separate/additional customer mitigation.

Amazon Chime

Amazon Chime SDK services have been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

Amazon Chime services have been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

Amazon EMR

CVE-2021-44228 impacts Apache Log4j versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Apache Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources. Many customers use the open source frameworks installed on their EMR clusters to process and log inputs from untrusted sources. Therefore, AWS recommends that you apply the solution described here.

Amazon Fraud Detector

Amazon Fraud Detector services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Kendra

Amazon Kendra has been updated to mitigate CVE-2021-44228.

Amazon Lex

Amazon Lex has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Lookout for Equipment

Amazon Lookout for Equipment has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Macie

The Amazon Macie service has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Macie Classic

The Amazon Macie Classic service has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Monitron

Amazon Monitron has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon RDS

Amazon RDS and Amazon Aurora have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Rekognition

Amazon Rekognition services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon VPC

Amazon VPC, including the Internet Gateway and Virtual Gateway services, has been updated to mitigate the Log4j issue referenced in CVE-2021-44228.

AWS AppSync

AWS AppSync has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

AWS Certificate Manager

AWS Certificate Manager services have been updated to mitigate the issues identified in CVE-2021-44228.

ACM Private CA services have been updated to mitigate the issues identified in CVE-2021-44228.

AWS Service Catalog

AWS Service Catalog has been updated to mitigate the issues identified in CVE-2021-44228.

AWS Systems Manager

AWS Systems Manager service has been updated to mitigate the issues identified in CVE-2021-44228. The Systems Manager agent itself is not affected by this issue.

[V5] Last Updated Date: 2021/12/16 3:15 PM PST

AWS is aware of the recently disclosed issues relating to the open-source Apache “Log4j2” utility (CVE-2021-44228 and CVE-2021-45046).

Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers’ data and workloads. We’re taking this issue very seriously, and our world-class team of engineers has been working around the clock on our response and remediation. We expect to rapidly restore our full state of defense in depth.

One of the technologies we’ve developed and deployed extensively inside AWS is a hot patch for applications that may include Log4j. This hot patch updates the Java VM to disable the loading of the Java Naming and Directory Interface (JNDI) class, replacing it with a harmless notification message, which is an effective mitigation of CVE-2021-44228 and CVE-2021-45046.

We’ve also made this available as an open-source solution, which is available here.

Even with this hot patch deployed, customers should still deploy an updated Log4j library as quickly as they safely can.

For more details on how to detect and remediate the Log4j CVEs using AWS services, please read our most recent blog post here.

Additional service-specific information is provided below. If you need additional details or assistance, please contact AWS Support.

Amazon EKS, Amazon ECS, and AWS Fargate

To help mitigate the impact of the open-source Apache “Log4j2” utility (CVE-2021-44228 and CVE-2021-45046) security issues on customers’ containers, Amazon EKS, Amazon ECS, and AWS Fargate are deploying a Linux-based update (hot-patch). This hot-patch requires customer opt-in to use, and disables JNDI lookups from the Log4j2 library in customers’ containers. These updates are available as an Amazon Linux package for Amazon ECS customers, as a DaemonSet for Kubernetes users on AWS, and will be in supported AWS Fargate platform versions.

Customers running Java-based applications on Windows containers are advised to follow Microsoft’s guidance here.

Amazon ECR Public and Amazon ECR

Amazon-owned images published under a Verified Account on Amazon ECR Public are not affected by the issue described in CVE-2021-44228. For customer-owned images on Amazon ECR, AWS offers Enhanced Scanning with Amazon Inspector, which is designed to continually scan container images for known security issues, including container images containing CVE-2021-44228. Findings are reported in the Inspector and ECR consoles. Inspector includes a free 15-day trial with free container image scanning for accounts new to Inspector. For customers consuming images in ECR Public from third-party publishers, the recently launched Pull Through Cache feature of ECR can copy those images from ECR Public into their ECR registry, where Inspector scanning can detect security issues.

Amazon Cognito

Amazon Cognito services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Pinpoint

Amazon Pinpoint services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon EventBridge

Amazon EventBridge has been updated to mitigate the issues identified in CVE-2021-44228.

Elastic Load Balancing

Elastic Load Balancing services have been updated to mitigate the issues identified in CVE-2021-44228. The load balancers themselves (Classic, Application, Network and Gateway) are not written in Java and therefore were not affected by this issue.

AWS CodePipeline

AWS CodePipeline has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

AWS CodeBuild

AWS CodeBuild has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

Amazon Route53

Route 53 has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Linux

Amazon Linux 1 (AL1) and Amazon Linux 2 (AL2) by default use a log4j version that is not affected by CVE-2021-44228 or CVE-2021-45046. A new version of the Amazon Kinesis Agent which is part of AL2 addresses CVE-2021-44228 and CVE-2021-45046. Additionally, to help customers that bring in their own log4j code, Amazon Linux has released a new package that includes the Hotpatch for Apache log4j. More details can be found here.

Amazon SageMaker

Amazon SageMaker completed patching for the Apache Log4j2 issue (CVE-2021-44228) on December 15, 2021.

We continue to recommend that our customers take action to update all their applications and services by patching for known issues like this one. Customers who are recommended to take action on this issue received detailed instructions via the AWS Personal Health Dashboard (PHD). Even if you are not affected by the Log4j issue, we recommend that you restart your job or update your app to use the latest version of our software.

Amazon Athena

Amazon Athena has been updated to mitigate the issues identified in CVE-2021-44228. All versions of the Amazon Athena JDBC driver vended to customers were not affected by this issue.

AWS Certificate Manager

AWS Certificate Manager services have been updated to mitigate the issues identified in CVE-2021-44228.

ACM Private CA services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon AppFlow

Amazon AppFlow has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Polly

Amazon Polly has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon QuickSight

Amazon QuickSight has been updated to mitigate the issues identified in CVE-2021-44228.

AWS Textract

AWS Textract services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Corretto

The latest Amazon Corretto released October 19th is not affected by CVE-2021-44228 since the Corretto distribution does not include Log4j. We recommend that customers update to the latest version of Log4j in all of their applications that use it, including direct dependencies, indirect dependencies, and shaded jars.
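The recommendation above, and the Inspector note earlier in this bulletin about decomposing Java archives, point at where most teams struggle: a vulnerable log4j-core may sit inside a fat jar, a WAR, or a shaded artifact with no Maven metadata. The following is an added Python example, not AWS code, of a scanner for that case. It recurses into nested archives, reads the version from log4j-core’s pom.properties, and reports whether JndiLookup.class is present or has been removed; an archive with the class present but no version metadata is treated as needing an update. The fat jar it scans is constructed in memory as sample data.

```python
import io
import os
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAX_NESTING = 5  # fat jars nest one level; cap the recursion regardless


@dataclass
class Finding:
    path: str               # outer.jar!inner.jar style path to the archive
    version: Optional[str]  # from pom.properties; None for shaded copies without metadata
    has_jndi_lookup: bool   # JndiLookup.class still present in the archive
    needs_update: bool


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-beta9' is dropped."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split("-")[0].split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def version_is_fixed(version: str) -> bool:
    """Fixed for both CVE-2021-44228 and CVE-2021-45046: 2.16.0+, or 2.12.2 on the Java 7 line."""
    v = parse_version(version)
    return v >= (2, 16, 0) or v == (2, 12, 2)


def _scan(data: bytes, path: str, findings: List[Finding], depth: int) -> None:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip-based archive, nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            # Exploitable class present and version unknown or unfixed -> update needed.
            # A copy whose JndiLookup.class was deleted (Apache's interim mitigation)
            # is reported but not flagged.
            needs_update = has_jndi and (version is None or not version_is_fixed(version))
            findings.append(Finding(path, version, has_jndi, needs_update))
        if depth < MAX_NESTING:
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    _scan(zf.read(name), f"{path}!{name}", findings, depth + 1)


def scan_bytes(data: bytes, path: str = "<bytes>") -> List[Finding]:
    findings: List[Finding] = []
    _scan(data, path, findings, 0)
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk a filesystem tree and scan every archive in it, nested archives included."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as f:
                    _scan(f.read(), full, findings, 0)
    return findings


def _fake_log4j_core(version: Optional[str], with_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: marker entries only, no real classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_fat_jar() -> bytes:
    """Constructed fat jar with nested dependency jars (sample data, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1", True))
        zf.writestr("BOOT-INF/lib/log4j-core-2.17.0.jar", _fake_log4j_core("2.17.0", True))
        # shaded copy: no Maven metadata, class still at its original path
        zf.writestr("BOOT-INF/lib/shaded-lib-1.0.jar", _fake_log4j_core(None, True))
        # vulnerable version with JndiLookup.class deleted from the jar
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1-jndi-removed.jar", _fake_log4j_core("2.14.1", False))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_bytes(build_sample_fat_jar(), "app.jar"):
        print("UPDATE" if f.needs_update else "ok    ", f.version or "unversioned", f.path)
```

version_is_fixed treats 2.16.0 and later, and 2.12.2 on the Java 7 line, as patched for both CVEs, so 2.15.0 is still flagged. A shade that relocates the package (renames org/apache/logging/log4j) would not be caught by the fixed class path; a byte search for the string JndiLookup across class entries is the usual fallback for that case.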
 

[V4] Last Updated Date: 2021/12/15 3:30 PM PST

AWS is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228).

Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers’ data and workloads. We’re taking this issue very seriously, and our world-class team of engineers has been working around the clock on our response and remediation. We expect to rapidly restore our full state of defense in depth.

One of the technologies we’ve developed and deployed is a hot patch for applications that may include Log4j. We’ve also made this available as an open-source solution, which is available here.

Even with this hot patch deployed, customers should still plan on deploying an updated Log4j library as quickly as they safely can.

Additional service-specific information is provided below. If you need additional details or assistance, please contact AWS Support.

Amazon Kinesis

A new version of the Kinesis Agent, which addresses the recently disclosed Apache Log4j2 library issue (CVE-2021-44228), is available here.

Amazon Inspector

The Amazon Inspector service is patched against the Log4j issue.

The Inspector service helps detect CVE-2021-44228 (Log4Shell) issues within customer EC2 workloads and ECR images. Detections are currently available for impacted operating system level packages on Linux. These include, but are not limited to, apache-log4j2 and liblog4j2-java for Debian; log4j, log4jmanual and log4j12 for SUSE; and Elasticsearch for Alpine, Centos, Debian, Red Hat, SUSE and Ubuntu. Additional detections will be added as further impacts are identified by respective distribution security teams. Inspector decomposes Java archives stored within ECR images and generates findings for impacted packages or applications. These findings will be identified in the Inspector console under “CVE-2021-44228” or “IN1-JAVA-ORGAPACHELOGGINGLOG4J-2314720 – org.apache.logging.log4j:log4j-core”.

Amazon Inspector Classic

The Amazon Inspector Classic service is patched against the Log4j issue.

The Inspector Classic service helps detect CVE-2021-44228 (Log4Shell) issues within customer EC2 workloads. Detections for CVE-2021-44228 (Log4Shell) are currently available for impacted operating system level packages on Linux. These include, but are not limited to, apache-log4j2 and liblog4j2-java for Debian; log4j, log4jmanual and log4j12 for SUSE; and Elasticsearch for Alpine, Centos, Debian, Red Hat, SUSE and Ubuntu.

Amazon WorkSpaces/AppStream 2.0

Amazon WorkSpaces and AppStream 2.0 are not affected by CVE-2021-44228 with default configurations. The default Amazon Linux 2 images of WorkSpaces and AppStream do not contain Log4j, and the versions of Log4j available in the Amazon Linux 2 default package repositories are not affected by CVE-2021-44228. However, if you have deployed the WorkDocs Sync client to Windows WorkSpaces, please take the actions recommended below.

Windows WorkSpaces do not have WorkDocs Sync installed by default. However, before June 2021 WorkSpaces shipped with a default desktop shortcut to the WorkDocs Sync client installer. WorkDocs Sync client version 1.2.895.1 and older contains the Log4j component. If you have deployed these older WorkDocs Sync client versions to WorkSpaces, restart the Sync client on the WorkSpaces via a management tool such as SCCM, or instruct your WorkSpaces users to open the Sync client manually (“Amazon WorkDocs” in the list of installed programs). At launch, the Sync client auto-updates to version 1.2.905.1, which is not affected by CVE-2021-44228. The WorkDocs Drive and WorkDocs Companion applications are not affected by this issue.

Amazon Timestream

Amazon Timestream has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon DocumentDB

As of December 13, 2021, Amazon DocumentDB has been patched to mitigate the Log4j issue referenced in CVE-2021-44228.

Amazon CloudWatch

Amazon CloudWatch services have been updated to mitigate the issues identified in CVE-2021-44228.

AWS Secrets Manager

AWS Secrets Manager has been updated to mitigate the issues identified in CVE-2021-44228.

AWS Single Sign-On

AWS Single Sign-On services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon RDS Oracle

Amazon RDS Oracle has updated the version of Log4j2 in use within the service. Access to RDS instances continues to be restricted by your VPCs and other security controls such as security groups and network access control lists (ACL). We strongly encourage you to review these settings to ensure proper access management to your RDS instances.

Per Oracle Support document 2827611.1, the Oracle database itself is not affected by this issue.

Amazon Cloud Directory

Amazon Cloud Directory has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) completed patching for the Apache Log4j2 issue (CVE-2021-44228) for SQS’s data ingress and egress on December 13, 2021. We have also completed patching all other SQS systems that used Log4j2.

AWS KMS

AWS KMS has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Redshift

Amazon Redshift clusters have been automatically updated to mitigate the issues identified in CVE-2021-44228.

AWS Lambda

AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228 and CVE-2021-45046.

For cases where a customer function includes an impacted Log4j2 version, we have applied a change to the Lambda Java managed runtimes and base container images (Java 8, Java 8 on AL2, and Java 11) that helps to mitigate the issues in CVE-2021-44228 and CVE-2021-45046. Customers using managed runtimes will have the change applied automatically. Customers using container images will need to rebuild from the latest base container image, and redeploy.

Independent of this change, we strongly encourage all customers whose functions include Log4j2 to update to the latest version. Specifically, customers using the aws-lambda-java-log4j2 library in their functions should update to version 1.4.0 and redeploy their functions. This version updates the underlying Log4j2 utility dependencies to version 2.16.0. The updated aws-lambda-java-log4j2 binary is available at the Maven repository and its source code is available in Github.

[V3] Last Updated Date: 2021/12/14 2:45 PM PST

AWS is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228).

Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers’ data and workloads. We’re taking this issue very seriously, and our world-class team of engineers has been working around the clock on our response and remediation. We expect to rapidly restore our full state of defense in depth.

We continue to recommend that our customers take action to update all their applications and services by patching for known issues like this one, and continue to follow our Well-Architected guidance.

Additional service-specific information is provided below. If you need additional details or assistance, please contact AWS Support.

Amazon API Gateway

As of December 13, 2021, all Amazon API Gateway hosts have been patched to mitigate the Log4j issue referenced in CVE-2021-44228.

Amazon CloudFront

Amazon CloudFront services have been updated to mitigate the issues identified in CVE-2021-44228. The CloudFront request handling services that run in our POPs are not written in Java and therefore were not affected by this issue.

Amazon Connect

Amazon Connect services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon DynamoDB

Amazon DynamoDB and Amazon DynamoDB Accelerator (DAX) have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon EC2

The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228. More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.

Amazon ElastiCache

Amazon ElastiCache’s Redis engine does not include Log4j2 in its managed runtimes or base container images. Amazon ElastiCache completed patching the Apache Log4j2 issue (CVE-2021-44228) on December 12, 2021.

Amazon EMR

CVE-2021-44228 impacts Apache Log4j versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Apache Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources.

We are actively working on building an update that mitigates the issue discussed in CVE-2021-44228 when open source frameworks installed on your EMR cluster process information from untrusted sources.

AWS IoT SiteWise Edge

Updates for all AWS IoT SiteWise Edge components that use Log4j were made available for deployment on 12/13/2021. These components are: OPC-UA collector (v2.0.3), Data processing pack (v2.0.14), and Publisher (v2.0.2). AWS recommends that customers who are using these components deploy the latest versions to their SiteWise Edge gateways.

Amazon Keyspaces (for Apache Cassandra)

Amazon Keyspaces (for Apache Cassandra) has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Kinesis Data Analytics

The versions of Apache Flink supported by Amazon Kinesis Data Analytics include Apache Log4j versions between 2.0 and 2.14.1. Kinesis Data Analytics applications operate in single-tenant, isolated environments and cannot interact with one another.

We are updating the version of Log4j available to Kinesis Data Analytics customer applications in all AWS regions. Applications started or updated after 6:30 PM PST on 12/12/2021 will automatically receive the updated patch. Customers whose applications were started or updated before then can ensure that their applications run on the updated version of Log4j by calling the Kinesis Data Analytics UpdateApplication API. More information about the UpdateApplication API is available within the service’s documentation.

Amazon Kinesis Data Streams

We are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.X and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version and we strongly recommend that all KCL version 1.x customers upgrade to KCL version 1.14.5 (or higher) which is available here.

Amazon Managed Streaming for Apache Kafka (MSK)

We are aware of the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library and are applying updates as required. Please note that the builds of Apache Kafka and Apache ZooKeeper offered in MSK currently use Log4j 1.2.17, which is not affected by this issue. Some MSK-specific service components use the Log4j 2.x library and are being patched where needed.

Amazon Managed Workflows for Apache Airflow (MWAA)

MWAA has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MWAA service code (AWS specific) and open source code (Apache Airflow).

As of Dec 14, 2021, we have completed all required updates to the MWAA service code to address the issue. Apache Airflow does not use Log4j2 and is not affected by this issue.

We strongly encourage customers who have added Log4j2 to their environments to update to the latest version.

Amazon MemoryDB for Redis

Amazon MemoryDB for Redis completed patching the Apache Log4j2 issue (CVE-2021-44228) on December 12, 2021.

Amazon MQ

Amazon MQ has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MQ service code (AWS specific) and open source code (Apache ActiveMQ and RabbitMQ message brokers).

As of Dec 13, 2021, we have completed all required updates to the Amazon MQ service code to address the issue.

There are no updates required to the open source message brokers. All versions of Apache ActiveMQ offered in Amazon MQ use Log4j version 1.2.x, which is not affected by this issue. RabbitMQ does not use Log4j and is not affected by this issue.

Amazon Neptune

All active Amazon Neptune clusters have been automatically updated to mitigate the issues identified in CVE-2021-44228.

Amazon OpenSearch Service

Amazon OpenSearch Service has released a critical service software update, R20211203-P2, that contains an updated version of Log4j2 in all regions. We strongly recommend that customers update their OpenSearch clusters to this release as soon as possible.

Amazon RDS

Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j2 library. Where upstream vendors are involved, we are applying their recommended mitigation. Customers may observe intermittent events during update of internal components.

Amazon S3

Amazon S3 completed patching for the Apache Log4j2 issue (CVE-2021-44228) for S3’s data ingress and egress on December 11, 2021. We have also completed patching all other S3 systems that used Log4j2.

Amazon Simple Notification Service (SNS)

Amazon SNS systems that serve customer traffic are patched against the Log4j2 issue. We are working to apply the Log4j2 patch to sub-systems that operate separately from SNS’s systems that serve customer traffic.

Amazon Simple Workflow Service (SWF)

Amazon Simple Workflow Service (SWF) has been updated to mitigate the issues identified in CVE-2021-44228.

AWS CloudHSM

AWS CloudHSM JCE SDK versions earlier than 3.4.1 include a version of Apache Log4j affected by this issue. On December 10, 2021, CloudHSM released JCE SDK v3.4.1 with a fixed version of Apache Log4j. If you use CloudHSM JCE versions earlier than 3.4.1, you may be impacted and should mitigate the issue by upgrading the CloudHSM JCE SDK to version 3.4.1 or higher.

AWS Elastic Beanstalk

AWS Elastic Beanstalk installs Log4j from the Amazon Linux default package repositories in its Tomcat platforms for Amazon Linux 1 and Amazon Linux 2. The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.

If you have made configuration changes to your application’s use of Log4j, then we recommend that you take action to update your application’s code to mitigate this issue.

In accordance with our normal practices, if patched versions of these default package repository versions are released, Elastic Beanstalk will include the patched version in the next Tomcat platform version release for Amazon Linux 1 and Amazon Linux 2.

More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.

AWS Glue

AWS Glue is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228). We have updated our control plane fleet that serves AWS Glue APIs for all supported Glue versions.

AWS Glue creates a new Spark environment that is isolated at the network and management level from all other Spark environments inside the AWS Glue service account. Your ETL jobs are executed on a single tenant environment. If you have uploaded a custom jar file for use in your ETL jobs or Development Endpoints which includes a specific version of Apache Log4j, then you are advised to update your jar to use the latest version of Apache Log4j.

AWS Glue is also proactively applying the updates to new Spark environments across all supported regions. If you have questions or would like additional assistance, please contact AWS Support.

AWS Greengrass

Updates for all AWS Greengrass V2 components that use Log4j are available for deployment as of 12/10/2021. These components are: Stream Manager (2.0.14) and Secure Tunneling (1.0.6). AWS recommends that customers who are using these Greengrass components deploy the latest versions to their devices.

The Stream Manager feature of Greengrass versions 1.10.x and 1.11.x uses Log4j. An update for the Stream Manager feature is included in Greengrass patch versions 1.10.5 and 1.11.5, which are both available as of 12/12/2021. We strongly recommend that customers on versions 1.10.x and 1.11.x who have Stream Manager enabled on their devices (or may enable it in the future) update their devices to the latest versions.

AWS Lake Formation

AWS Lake Formation service hosts are being updated to the latest version of Log4j to address the issue with versions referenced in CVE-2021-44228.

AWS Lambda

AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228. Customers using the aws-lambda-java-log4j2 library in their functions will need to update to version 1.3.0 and redeploy.

AWS SDK

The AWS SDK for Java uses a logging facade, and does not have a runtime dependency on Log4j. We do not currently believe any AWS SDK for Java changes need to be made regarding this issue.

AWS Step Functions

AWS Step Functions has been updated to mitigate the issues identified in CVE-2021-44228.

AWS Web Application Firewall (WAF)

To improve detection and mitigation relating to the recent Log4j security issue, customers of CloudFront, Application Load Balancer (ALB), API Gateway, and AppSync can optionally enable AWS WAF and apply two AWS Managed Rules (AMR): AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList.

AWSManagedRulesKnownBadInputsRuleSet inspects the request URI, body, and commonly used headers, while AWSManagedRulesAnonymousIpList helps block requests from services that allow the obfuscation of viewer identity. You can apply these rules by creating an AWS WAF web ACL, adding one or both rule groups to your web ACL, and then associating the web ACL with your CloudFront distribution, ALB, API Gateway or AppSync GraphQL APIs.

We continue to iterate the AWSManagedRulesKnownBadInputsRuleSet Rule Group as we learn more. To receive automatic updates to the AWSManagedRulesKnownBadInputsRuleSet, please choose the default version. For customers using AWS WAF Classic, you will need to migrate to AWS WAF or create custom regex match conditions. Customers can use AWS Firewall Manager which enables you to configure AWS WAF rules across multiple AWS accounts and resources from a single place. You can group rules, build policies, and centrally apply those policies across your entire infrastructure.

NICE

Due to a CVE in the Apache Log4j library, included in EnginFrame from version 2020.0 to 2021.0-r1307, NICE recommends that you upgrade to the latest EnginFrame version, or update the Log4j library in your EnginFrame installation following the instructions on the support website.

Please feel free to contact us.

[V2] Last Updated Date: 2021/12/13 1:42 PM PDT

AWS is aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility (CVE-2021-44228). We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service.

We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, either directly or through their operating system's software update mechanism. Additional service-specific information is below.

If you need additional details or assistance, please contact AWS Support.

S3

S3 completed patching for the Apache Log4j2 issue (CVE-2021-44228) for S3’s data ingress and egress on December 11, 2021. We have also completed patching all other S3 systems that used Log4j2.

Amazon OpenSearch

Amazon OpenSearch Service is deploying a service software update, version R20211203-P2, which contains an updated version of Log4j2. We will notify customers as the update becomes available in their regions, and update this bulletin once it is available worldwide.

AWS Lambda

AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228. Customers using the aws-lambda-java-log4j2 library in their functions will need to update to version 1.3.0 and redeploy.

AWS CloudHSM

CloudHSM JCE SDK versions earlier than 3.4.1 include a version of Apache Log4j affected by this issue. On December 10, 2021, CloudHSM released JCE SDK v3.4.1 with a fixed version of Apache Log4j. If you use CloudHSM JCE versions earlier than 3.4.1, you may be impacted and should mitigate the issue by upgrading CloudHSM JCE SDK to version 3.4.1 or higher.

Amazon EC2

The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228. More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.

API Gateway

We are updating API Gateway to use a version of Log4j2 that mitigates the issue. You may observe periodic latency increases for some APIs during these updates.

AWS Greengrass

Updates for all Greengrass V2 components that use Log4j are available for deployment as of 12/10/2021. These components are: Stream Manager (2.0.14) and Secure Tunneling (1.0.6). AWS recommends that customers who are using these Greengrass components deploy the latest versions to their devices.

The Stream Manager feature of Greengrass versions 1.10.x and 1.11.x uses Log4j. An update for the Stream Manager feature is included in Greengrass patch versions 1.10.5 and 1.11.5, which are both available as of 12/12/2021. We strongly recommend that customers on versions 1.10.x and 1.11.x who have Stream Manager enabled on their devices (or may enable it in the future) update their devices to the latest versions.

CloudFront

CloudFront services have been updated to mitigate the issues identified in CVE-2021-44228. The CloudFront request handling services that run in our POPs are not written in Java and therefore were not affected by this issue.

Elastic BeanStalk

AWS Elastic Beanstalk installs Log4j from the Amazon Linux default package repositories in its Tomcat platforms for Amazon Linux 1 and Amazon Linux 2. The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.

If you have made configuration changes to your application’s use of Log4j, then we recommend that you take action to update your application’s code to mitigate this issue.

In accordance with our normal practices, if patched versions of these default package repository versions are released, Elastic Beanstalk will include the patched version in the next Tomcat platform version release for Amazon Linux 1 and Amazon Linux 2.

More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.

EMR

CVE-2021-44228 impacts Apache Log4j versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources.

We are actively working on building an update that mitigates the issue discussed in CVE-2021-44228 when open source frameworks installed on your EMR cluster process information from untrusted sources.

Lake Formation

Lake Formation service hosts are being proactively updated to the latest version of Log4j to address the security issue with versions referenced in CVE-2021-44228.

AWS SDK

The AWS SDK for Java uses a logging facade, and does not have a runtime dependency on log4j. We do not currently believe any AWS SDK for Java changes need to be made regarding this issue.

AMS

We are actively monitoring this issue, and are working on addressing it for any AMS services which use Log4j2. We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, either directly or by using their operating system's software update mechanism.

Amazon Neptune

Amazon Neptune includes the Apache Log4j2 library as a peripheral component, but the issue is not believed to impact Neptune users. Out of an abundance of caution, Neptune clusters will be automatically updated to use a version of Log4j2 that addresses the issue. Customers may observe intermittent events during update.

NICE

Due to a CVE in the Apache Log4j library, included in EnginFrame from version 2020.0 to 2021.0-r1307, NICE recommends that you upgrade to the latest EnginFrame version, or update the Log4j library in your EnginFrame installation following the instructions on the support website.

Please feel free to contact us.

Kafka

Managed Streaming for Apache Kafka is aware of the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library and is applying updates as required. Please note that the builds of Apache Kafka and Apache Zookeeper offered in MSK currently use Log4j 1.2.17, which is not affected by this issue. Some MSK-specific service components use the Log4j 2.x library and are being patched where needed.

AWS Glue

AWS Glue is aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility (CVE-2021-44228). We have updated our control plane fleet that serves AWS Glue APIs for all supported Glue versions.

AWS Glue creates a new Spark environment that is isolated at the network and management level from all other Spark environments inside the AWS Glue service account. Your ETL jobs are executed on a single tenant environment. If your ETL jobs load a specific version of Apache Log4j, then you are advised to update your scripts to use the latest version of Apache Log4j. If you use AWS Glue development endpoints to author your scripts, then you are advised to update the Log4j version you use there as well.

AWS Glue is also proactively applying the updates to new Spark environments across all supported regions. If you have questions or would like additional assistance, please contact us through AWS Support.

RDS

Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j library. Where upstream vendors are involved, we are applying their recommended mitigation. Customers may observe intermittent events during update of internal components.

Amazon Connect

Amazon Connect services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon DynamoDB 

Amazon DynamoDB and Amazon DynamoDB Accelerator (DAX) have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Keyspaces (for Apache Cassandra)

Amazon Keyspaces (for Apache Cassandra) has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon MQ

Amazon MQ has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MQ service code (AWS specific) and open source code (Apache ActiveMQ and RabbitMQ message brokers).

As of Dec 13, 2021, we have completed all required updates to the Amazon MQ service code to address the issue.

There are no updates required to the open source message brokers. All versions of Apache ActiveMQ offered in Amazon MQ use Log4j version 1.2.x, which is not affected by this issue. RabbitMQ does not use Log4j and is not affected by this issue.

Kinesis Data Analytics

The versions of Apache Flink supported by Kinesis Data Analytics include Apache Log4j versions between 2.0 and 2.14.1. Kinesis Data Analytics applications operate in single-tenant, isolated environments and cannot interact with one another.

We are updating the version of Log4j available to Kinesis Data Analytics customer applications in all AWS regions. Applications started or updated after 6:30 PM PST on 12/12/2021 will automatically receive the updated patch. Customers whose applications were started or updated before then can ensure that their applications run on the updated version of Log4j by calling the Kinesis Data Analytics UpdateApplication API. Please see more information about the UpdateApplication API.

[V1] Last Updated Date: 2021/12/12 9:40 PM PST

AWS is aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility (CVE-2021-44228). We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service.

We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, either directly or through their operating system's software update mechanism.

It has been reported that using Log4j2 on JDKs after 8u121 or 8u191 (including JDK 11 and later) mitigates the issue, but this is only a partial mitigation. The only comprehensive solution is to upgrade Log4j2 to 2.15, and Log4j2 versions older than 2.15 should be considered affected regardless of the JDK distribution or version used.

Additional service-specific information is below.

If you need additional details or assistance, please contact AWS Support.

API Gateway

We are updating API Gateway to use a version of Log4j2 that mitigates the issue. You may observe periodic latency increases for some APIs during these updates.

AWS Greengrass

Updates for all Greengrass V2 components that use Apache Log4j2 are available for deployment since 12/10/2021. These components are: Stream Manager (2.0.14) and Secure Tunneling (1.0.6). AWS recommends that customers who are using these Greengrass components deploy the latest versions to their devices.

Updates for Greengrass versions 1.10 and 1.11 are expected to be available by 12/17/2021. Customers who use Stream Manager on these devices should update their devices as soon as the Greengrass binaries are made available for these versions. In the meantime, customers should verify that their custom Lambda code using Stream Manager on Greengrass 1.10 or 1.11 does not use arbitrary stream names and file names (for the S3 exporter) outside of the customer's control, e.g. a stream name or file name containing the text "${".
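The interim check described above, as an added example that is not Greengrass or AWS code: rather than only searching for the literal "${", it validates stream names and S3 export keys against a strict allowlist, so lookup syntax of any shape is rejected before the name is ever passed to Stream Manager. The character sets and length limits below are assumptions chosen for this example; the bulletin only says the names must not be outside the customer's control.

```python
"""Allowlist validation for Stream Manager stream names and S3 export keys.

Added example, not Greengrass or AWS code. The permitted character sets
and length limits are assumptions chosen here, not values from the bulletin.
"""

import re

# Conservative allowlist: letters, digits, '-', '_' and '.' for stream
# names; '/' is additionally allowed in S3 object keys. '$', '{' and '}'
# are never permitted, so Log4j-style "${...}" lookup text cannot appear.
_STREAM_NAME = re.compile(r"[A-Za-z0-9_.-]{1,255}")
_S3_KEY = re.compile(r"[A-Za-z0-9_./-]{1,1024}")


def is_safe_stream_name(name: str) -> bool:
    """True only if the whole name matches the allowlist.

    fullmatch is used deliberately: re.match with a trailing '$' would
    still accept a name ending in a newline.
    """
    return isinstance(name, str) and _STREAM_NAME.fullmatch(name) is not None


def is_safe_s3_key(key: str) -> bool:
    """Same check for the S3 exporter's object key.

    '/' is allowed as a key separator, but empty segments and '.'/'..'
    segments are rejected so the key cannot name anything unintended.
    """
    if not isinstance(key, str) or _S3_KEY.fullmatch(key) is None:
        return False
    return all(seg not in ("", ".", "..") for seg in key.split("/"))


def export_request(stream_name: str, s3_key: str) -> dict:
    """Build the (stream, key) pair a Lambda would hand to the S3 exporter,
    refusing any value that fails validation. Hypothetical wrapper: the
    dict shape is chosen here, not Stream Manager's own API."""
    if not is_safe_stream_name(stream_name):
        raise ValueError("rejected stream name: %r" % stream_name)
    if not is_safe_s3_key(s3_key):
        raise ValueError("rejected S3 key: %r" % s3_key)
    return {"stream_name": stream_name, "s3_key": s3_key}


if __name__ == "__main__":
    # Constructed sample inputs: one good pair and two that must be refused.
    print(export_request("telemetry_stream-01", "exports/2021/12/data.json"))
    for bad in (("sensor${name}", "ok.json"), ("ok", "exports/../x.json")):
        try:
            export_request(*bad)
        except ValueError as err:
            print("refused:", err)
```

The allowlist approach is the important design choice: a denylist of "${" would miss variants the logging library also expands, whereas restricting the alphabet makes the question of which lookup syntaxes exist irrelevant.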

Amazon MQ

Amazon MQ has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MQ service code (AWS specific) and open source code (Apache ActiveMQ and RabbitMQ message brokers).

We are applying required updates to the Amazon MQ service code to address the issue.

There are no updates required to the open source message brokers. All versions of Apache ActiveMQ offered in Amazon MQ use Log4j version 1.x, which is not affected by this issue. RabbitMQ does not use Log4j2 and is not affected by this issue.

CloudFront

CloudFront services have been updated to mitigate the issues identified in CVE-2021-44228. The CloudFront request handling services that run in our POPs are not written in Java and therefore were not affected by this issue.

AWS Elastic Beanstalk

AWS Elastic Beanstalk installs Log4j from the Amazon Linux default package repositories in its Tomcat platforms for Amazon Linux 1 and Amazon Linux 2. The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.

If you have made configuration changes to your application’s use of Log4j, then we recommend that you take action to update your application’s code to mitigate this issue.

In accordance with our normal practices, if patched versions of these default package repository versions are released, Elastic Beanstalk will include the patched version in the next Tomcat platform version release for Amazon Linux 1 and Amazon Linux 2.

More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.

EMR

CVE-2021-44228 impacts Apache Log4j versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources.

We are actively working on building an update that mitigates the issue discussed in CVE-2021-44228 when open source frameworks installed on your EMR cluster process information from untrusted sources.

Lake Formation

Lake Formation service hosts are being proactively updated to the latest version of Log4j to address the issue with versions referenced in CVE-2021-44228.

S3

S3’s data ingress and egress is patched against the Log4j2 issue. We are working to apply the Log4j2 patch to the S3 systems that operate separately from S3’s data ingress and egress.

AWS SDK

The AWS SDK for Java uses a logging facade, and does not have a runtime dependency on Log4j. We do not currently believe any AWS SDK for Java changes need to be made regarding this issue.

AMS

We are actively monitoring this issue, and are working on addressing it for any AMS services that use Log4j2. We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, either directly or by using their operating system's software update mechanism.

AMS recommends deploying a Web Application Firewall (WAF) for all Internet-accessible application endpoints. The AWS WAF service can be configured to provide an additional layer of defense against this issue by deploying the AWSManagedRulesAnonymousIpList rule set (which contains rules to block sources known to anonymize client information, like Tor nodes) and the AWSManagedRulesKnownBadInputsRuleSet rule set (which inspects the URI, request body, and commonly used headers to help block requests related to Log4j and other issues).

AMS will continue to monitor this issue and provide additional details and recommendations as they become available.

Amazon Neptune

Amazon Neptune includes the Apache Log4j2 library as a peripheral component, but the issue is not believed to impact Neptune users. Out of an abundance of caution, Neptune clusters will be automatically updated to use a version of Log4j2 that addresses the issue. Customers may observe intermittent events during update.

NICE

Due to a CVE in the Apache Log4j library included in EnginFrame from version 2020.0 to 2021.0-r1307, NICE recommends that you upgrade to the latest EnginFrame version, or update the Log4j library in your EnginFrame installation following the instructions on the support website.

Please feel free to contact us.

Kafka

Managed Streaming for Apache Kafka is aware of the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library and is applying updates as required. Please note that the builds of Apache Kafka and Apache Zookeeper offered in MSK currently use Log4j 1.2.17, which is not affected by this issue. Some MSK-specific service components use the Log4j 2.x library and are being patched where needed.

AWS Glue

AWS Glue is aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility (CVE-2021-44228). We have updated our control plane fleet that serves AWS Glue APIs for all supported Glue versions.

AWS Glue creates a new Spark environment that is isolated at the network and management level from all other Spark environments inside the AWS Glue service account. Your ETL jobs are executed on a single tenant environment. If your ETL jobs load a specific version of Apache Log4j, then you are advised to update your scripts to use the latest version of Apache Log4j. If you use AWS Glue development endpoints to author your scripts, then you are advised to update the Log4j version you use there as well.

AWS Glue is also proactively applying the updates to new Spark environments across all supported regions. If you have questions or would like additional assistance, please contact us through AWS Support.

RDS

Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j library. Where upstream vendors are involved, we are applying their recommended mitigation. Customers may observe intermittent events during update of internal components.

OpenSearch

Amazon OpenSearch Service is deploying a service software update, version R20211203-P2, which contains an updated version of Log4j2. We will notify customers as the update becomes available in their regions, and update this bulletin once it is available worldwide.

Initial Publication Date: 2021/12/10 7:20 PM PDT

All updates to this issue have moved here.

AWS is aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility (CVE-2021-44228). We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service.

We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, available at: https://logging.apache.org/log4j/2.x/download.html or their operating system’s software update mechanism. Additional service-specific information is below.

If you need additional details or assistance, please contact AWS Support.

Amazon EC2

The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228. More information about security-related software updates for Amazon Linux is available at: https://alas.aws.amazon.com.

AWS WAF / Shield

To improve detection and mitigation of risks arising from the recent Log4j security issue, we have updated the AWSManagedRulesKnownBadInputsRuleSet AMR in the AWS WAF service. Customers of CloudFront, Application Load Balancer (ALB), API Gateway, and AppSync can immediately take advantage of this mitigation option, which inspects the URI, request body, and commonly used headers to add an additional layer of defense, by creating an AWS WAF web ACL, adding the AWSManagedRulesKnownBadInputsRuleSet to your web ACL, and then associating the web ACL with your CloudFront distribution, ALB, API Gateway or AppSync GraphQL APIs.

More information on getting started with AWS WAF is available here: https://docs.aws.amazon.com/waf/latest/developerguide/getting-started.html

Additional documentation for enabling AMRs is available here: https://docs.aws.amazon.com/waf/latest/developerguide/waf-using-managed-rule-groups.html

Please note that AMRs are not available in WAF Classic, so please upgrade to AWS WAF (wafv2) to take advantage of this mitigation option.
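The web ACL procedure above (and the two-rule-group version in the later V3 update of this bulletin under "AWS Web Application Firewall (WAF)"), as an added example that is not AWS's own code: it builds the create_web_acl request for the wafv2 API with AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList, leaving the rule group version unpinned so the default version receives AWS's updates, and associates the ACL with a regional resource. The web ACL name, metric names and rule priorities are assumptions chosen for this example; the boto3 calls (create_web_acl, associate_web_acl) are real, and the deploy step needs AWS credentials to actually run.

```python
"""Build and deploy an AWS WAF (wafv2) web ACL carrying the two AWS
Managed Rule groups named in the bulletin.

Added example, not AWS code. Web ACL name, metric names and priorities
are assumptions chosen here.
"""

from typing import Dict, List, Optional

# Rule groups named in the bulletin; AWS is the vendor for both.
MANAGED_RULE_GROUPS: List[str] = [
    "AWSManagedRulesKnownBadInputsRuleSet",  # inspects URI, body, common headers
    "AWSManagedRulesAnonymousIpList",        # blocks anonymizing sources
]


def managed_rule(group_name: str, priority: int) -> Dict:
    """One wafv2 Rule entry that references an AWS managed rule group.

    OverrideAction None lets the rule group's own actions apply. No
    "Version" key is set, so the default version is used and AWS's
    updates to the group are picked up automatically (as the bulletin
    recommends).
    """
    return {
        "Name": "AWS-" + group_name,
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group_name}
        },
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": group_name,
        },
    }


def build_web_acl_request(name: str, scope: str = "REGIONAL") -> Dict:
    """Keyword arguments for wafv2 create_web_acl().

    scope "REGIONAL" covers ALB, API Gateway and AppSync; "CLOUDFRONT"
    (called through the us-east-1 endpoint) covers CloudFront.
    """
    if scope not in ("REGIONAL", "CLOUDFRONT"):
        raise ValueError("scope must be REGIONAL or CLOUDFRONT")
    rules = [managed_rule(g, i) for i, g in enumerate(MANAGED_RULE_GROUPS)]
    return {
        "Name": name,
        "Scope": scope,
        "DefaultAction": {"Allow": {}},  # traffic matching no rule still passes
        "Rules": rules,
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def deploy(name: str, scope: str = "REGIONAL",
           resource_arn: Optional[str] = None) -> str:
    """Create the web ACL and, for REGIONAL scope, associate it with the
    given ALB / API stage / AppSync ARN. Returns the web ACL ARN.
    boto3 is imported here so the pure builders above need no AWS SDK."""
    import boto3  # real library; requires AWS credentials at run time

    region = "us-east-1" if scope == "CLOUDFRONT" else None
    waf = boto3.client("wafv2", region_name=region)
    summary = waf.create_web_acl(**build_web_acl_request(name, scope))["Summary"]
    if scope == "REGIONAL" and resource_arn:
        waf.associate_web_acl(WebACLArn=summary["ARN"], ResourceArn=resource_arn)
    return summary["ARN"]


if __name__ == "__main__":
    import json
    # Offline: print the request body that would be sent.
    print(json.dumps(build_web_acl_request("log4j-mitigation-acl"), indent=2))
```

For a CloudFront distribution there is no association call; the returned ARN is instead set as the distribution's web ACL in its distribution configuration. The AWSManagedRulesAnonymousIpList group is placed after the KnownBadInputs group only by priority order; both are evaluated for every request that reaches them.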

Amazon OpenSearch

We are updating all Amazon OpenSearch Service domains to use a version of “Log4j2” that addresses the issue. You may observe intermittent activity on your domains during the update process.

AWS Lambda

AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228. Customers using the aws-lambda-java-log4j2 (https://repo1.maven.org/maven2/com/amazonaws/aws-lambda-java-log4j2/) library in their functions will need to update to version 1.3.0 and redeploy.

AWS CloudHSM

CloudHSM JCE SDK versions earlier than 3.4.1 include a version of Apache Log4j affected by this issue. On December 10, 2021, CloudHSM released JCE SDK v3.4.1 with a fixed version of Apache Log4j. If you use CloudHSM JCE versions earlier than 3.4.1, you may be impacted and should remediate by upgrading CloudHSM JCE SDK to version 3.4.1 or higher [1].
[1] https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-library-install.html

[V2] Last Updated: 2021/06/16 1:20 PM PDT

This is an update for this issue.

Binaries of AWS IoT Greengrass Core V1 (1.10.4 and 1.11.3) with patched runC are now available for download (https://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html). An updated Greengrass V2 Lambda Launcher v2.0.6 (https://docs.aws.amazon.com/greengrass/v2/developerguide/lambda-launcher-component.html) is also available in the AWS IoT console. We recommend Greengrass customers upgrade to the latest binaries and Lambda Launcher to incorporate the latest runC patch.

[V1] Initial Publication Date: 2021/06/08 2:20 PM PDT

You are viewing a previous version of this security bulletin.

AWS is aware of the recently disclosed security issue in runC which is a component of many container management systems (CVE-2021-30465). With the exception of the AWS services listed below, no customer action is required to address this issue.

Amazon Elastic Container Service (Amazon ECS)

Amazon ECS has released updated ECS-optimized Amazon Machine Images (AMIs) with the patched container runtime on May 21, 2021. More information about the ECS-optimized AMI is available at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html.

To resolve this issue in the meantime, we recommend that ECS customers perform a yum update --security to obtain this patch. More information is available at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-updates.html.

Amazon Elastic Kubernetes Service (Amazon EKS)

Amazon EKS has released updated EKS-optimized Amazon Machine Images (AMIs) with the patched container runtime. More information about the EKS-optimized AMI is available at https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

We recommend that EKS customers replace all worker nodes to use the latest EKS-optimized AMI version. Instructions on updating worker nodes are available at https://docs.aws.amazon.com/eks/latest/userguide/update-workers.html.

Bottlerocket 

Amazon has released Bottlerocket AMIs and in-place updates. Updating to the latest in-place update or replacing instances with the latest AMIs will resolve this issue. 

If you are using the Bottlerocket Update Operator for Kubernetes, you should expect nodes to begin updating within one day and all nodes within one week. Customers can upgrade faster manually via two API calls: apiclient set updates.ignore-waves=true and apiclient update apply --check --reboot. Once updates are completed, revert to the default setting with apiclient set updates.ignore-waves=false.

Amazon Linux and Amazon Linux 2 

An updated version of runc is available for Amazon Linux 2 extras repositories (*runc-1.0.0-0.2.20210225.git12644e6.amzn2*) and Amazon Linux AMI 2018.03 repositories (*runc-1.0.0-0.2.20210225.git12644e6.3.amzn1*). AWS recommends that customers using containers in Amazon Linux update to the latest version of runc and restart any running containers.

AWS Cloud9 

An updated version of the AWS Cloud9 environment with Amazon Linux is available. By default, customers will have security patches applied on first boot. Customers who have existing EC2-based AWS Cloud9 environments should launch new instances from the latest AWS Cloud9 version. Further information is available in the Amazon Linux Security Center (https://alas.aws.amazon.com/). 

AWS Cloud9 customers who use SSH environments that are not built with Amazon Linux should contact their operating system vendor for the updates necessary to address these issues.

AWS IoT Greengrass 

Updated AWS IoT Greengrass Core V1 binaries and Greengrass V2 Lambda Launcher will be available by June 15th as the latest versions of Greengrass. This bulletin will be updated once the patches are available.

Greengrass uses the runC library to execute Lambda functions inside an OCI compliant container on Greengrass Core devices. The Lambda functions deployed to Greengrass Cores are provided to Greengrass via authenticated and authorized cloud APIs, an authenticated and authorized local CLI (if enabled), or through local root access. This means that Greengrass will only deploy and execute Lambda functions that were intended, and no action is necessary as long as Lambda functions are deployed from trusted sources. As a best practice, customers should only deploy Lambdas from trusted sources.

AWS Deep Learning AMI

Updated versions of the Deep Learning Base AMI and Deep Learning AMI for Amazon Linux and Amazon Linux2 are available in the AWS EC2 console and AWS Marketplace. AWS recommends that customers who have used Docker with their Deep Learning Base AMI or Deep Learning AMI launch new instances of the latest AMI version (v35.0 or later for Deep Learning Base AMI on Amazon Linux, v38.0 or later for Deep Learning Base AMI on Amazon Linux2, v45.0 or later for Deep Learning Base AMI on Amazon Linux and Amazon Linux2). Additional information is available in the Amazon Linux Security Center.

AWS Batch

After AMI Update:
An updated Amazon ECS Optimized AMI is available as the default Compute Environment AMI. We recommend that Batch customers replace their existing Compute Environments with the latest available AMI. Instructions for replacing the Compute Environment are available in the Batch product documentation (https://docs.aws.amazon.com/batch/latest/userguide/compute_environments.html#managed_compute_environments).
Batch customers who do not use the default AMI should contact their operating system vendor for the updates necessary to address these issues. Instructions for Batch custom AMI are available in the Batch product documentation (https://docs.aws.amazon.com/batch/latest/userguide/create-batch-ami.html).

AWS Elastic Beanstalk

Updated AWS Elastic Beanstalk Docker-based platform versions are available. We recommend customers update immediately by going to the Managed Updates configuration page and clicking on the “Apply Now” button. Customers who have not enabled Managed Platform Updates can update their environment’s platform version by following instructions here. Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no action required. Release notes are also available.

Initial Publication Date: 2021/06/08 3:30 PM PDT

The Xen Security Team has released Xen Security Advisories 372, 373, 374, 375, and 377 regarding the Xen hypervisor. AWS customers’ data and instances are not affected by this issue, and no customer action is required.

Initial Publication Date: 2021/04/26 10:20 AM PDT

On April 13th, 2021, AWS became aware of an edge case that affected how some Application Load Balancers (ALB) handled key rotation for TLS/SSL session ticket encryption. This edge case was introduced in September, 2020 and resulted in a small percentage of ALB traffic intermittently using an uninitialized session ticket encryption key. The edge case was triggered primarily during quiet periods of activity. ALBs with a high variation of traffic, such as daily peaks and troughs, rarely triggered the edge case. Mitigation for the edge case began within 8 hours of discovery and was complete by April 16th, 2021. This issue has been completely resolved.

TLS/SSL is the protocol that provides encryption in transit for HTTPS connections to ALBs. Session tickets are used to resume TLS/SSL sessions and contain an encrypted copy of the parameters used to encrypt the connection. Session tickets are primarily used when the client is a web browser. Connections that were affected by the edge case issue were encrypted and there were no outward signs of any issue. However, knowledge of the edge-case issue could theoretically be used to decrypt affected session tickets. In the very unlikely case that an affected connection was being observed, the parameters contained in an affected session ticket could be used to decrypt the connection.

The AWS network includes existing defenses in depth against this kind of issue. As a result, ALB traffic between AWS data-centers, Availability Zones, Regions, Local Zones, and Outposts was fully protected by AWS Network encryption. ALB traffic between AWS networks and customer premises using the Amazon VPN or Amazon Direct Connect MACSEC services was also fully protected. AWS Network Load Balancers (NLBs), Classic Load Balancers (CLBs), and other Amazon Web Services were not affected by this issue.

AWS would like to thank Simon Nachtigall, Sven Hebrok, Marcel Maehren, Robert Merget, and Juraj Somorovsky of Paderborn University and Ruhr University Bochum, Germany, for reporting this issue.

[V2] Last Updated: 2021/01/27 1:00 PM PDT

CVE Identifier: CVE-2021-3156

This is an update for this issue.

AWS is aware of the security issue recently disclosed by the open source community affecting the Linux “sudo” utility (CVE-2021-3156). This issue may permit unprivileged users to run privileged commands, or cause affected hosts to crash.

Updated versions of sudo are available in the Amazon Linux and Amazon Linux 2 package repositories. Customers with existing EC2 instances running Amazon Linux should run the following command within each EC2 instance running Amazon Linux to ensure they receive the updated package:

sudo yum update sudo

We have released new versions of the Amazon Linux and Amazon Linux 2 AMIs that automatically include the updated kernel. AMI IDs for images with the updated kernels can be found at Amazon Linux 2018.03 AMI IDs, Amazon Linux 2 AMI IDs, and in the AWS Systems Manager Parameter Store.

Customers not using Amazon Linux should contact their operating system vendor for any updates or instructions necessary to mitigate any potential concerns arising from these issues. More information is available at the Amazon Linux Security Center.

AL1: https://alas.aws.amazon.com/ALAS-2021-1478.html
AL2: https://alas.aws.amazon.com/AL2/ALAS-2021-1590.html

[V1] Initial Publication Date: 2021/01/26 2:11 PM PDT

CVE Identifier: CVE-2021-3156

You are viewing a previous version of this security bulletin.

AWS is aware of the security issue recently disclosed by the open source community affecting the Linux “sudo” utility (CVE-2021-3156). This issue may permit unprivileged users to run privileged commands. The sudo maintainers have published more information about this issue at https://www.sudo.ws/alerts/unescape_overflow.html.

AWS infrastructure and services are not affected by this issue. As a general security best practice, we recommend that Amazon EC2 customers running Amazon Linux update their operating systems to install the latest version of sudo.

Updated versions of sudo are available in the Amazon Linux and Amazon Linux 2 package repositories. Customers with existing EC2 instances running Amazon Linux should run the following command within each of those instances to ensure they receive the updated package:

sudo yum update sudo

Customers not using Amazon Linux should contact their operating system vendor for any updates or instructions necessary to mitigate any potential concerns arising from these issues. More information is available at the Amazon Linux Security Center.

AL1: https://alas.aws.amazon.com/ALAS-2021-1478.html
AL2: https://alas.aws.amazon.com/AL2/ALAS-2021-1590.html
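Both versions of this bulletin tell customers to run the update on every Amazon Linux instance; the following added example (not part of the AWS bulletin) is a host-side check that reports whether the installed sudo package still predates the fixed build and interprets the non-destructive `sudoedit -s /` test described in the linked sudo maintainers' advisory. The FIXED_AL1 and FIXED_AL2 values are placeholders to be taken from the ALAS pages above, and the version comparison uses GNU `sort -V` as an approximation of rpm's ordering.

```shell
#!/bin/sh
# Added example, not from the AWS bulletin: decide whether an Amazon Linux
# host still needs `sudo yum update sudo` for CVE-2021-3156, using the package
# version plus the non-destructive check from the sudo maintainers' advisory.
# Assumptions: FIXED_AL1/FIXED_AL2 are placeholders; copy the fixed versions
# from ALAS-2021-1478 (AL1) and ALAS-2021-1590 (AL2) linked in the bulletin.
FIXED_AL1="${FIXED_AL1:-PLACEHOLDER_FROM_ALAS-2021-1478}"
FIXED_AL2="${FIXED_AL2:-PLACEHOLDER_FROM_ALAS-2021-1590}"

# version_lt A B: succeeds when A sorts strictly before B (GNU sort -V,
# a close approximation of rpm's version ordering for these strings).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# amazon_linux_flavor: classify an /etc/system-release string.
amazon_linux_flavor() {
  case "$1" in
    "Amazon Linux release 2"*) echo al2 ;;
    "Amazon Linux AMI"*)       echo al1 ;;
    *)                         echo other ;;
  esac
}

# needs_update FLAVOR INSTALLED: yes / no / unknown (unknown = not AL1/AL2,
# or the fixed version placeholder has not been filled in yet).
needs_update() {
  case "$1" in
    al1) fixed="$FIXED_AL1" ;;
    al2) fixed="$FIXED_AL2" ;;
    *)   echo unknown; return 0 ;;
  esac
  case "$fixed" in PLACEHOLDER*) echo unknown; return 0 ;; esac
  if version_lt "$2" "$fixed"; then echo yes; else echo no; fi
}

# classify_sudoedit_output: interpret `sudoedit -s /` as the advisory does.
# A vulnerable build complains about the file; a patched one prints usage.
classify_sudoedit_output() {
  case "$1" in
    *"not a regular file"*) echo vulnerable ;;
    *"usage: sudoedit"*)    echo patched ;;
    *)                      echo unknown ;;
  esac
}

check_host() {
  command -v rpm >/dev/null 2>&1 || { echo "no rpm; not an Amazon Linux host"; return 0; }
  flavor=$(amazon_linux_flavor "$(cat /etc/system-release 2>/dev/null)")
  installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' sudo 2>/dev/null)
  echo "flavor=$flavor sudo=$installed needs_update=$(needs_update "$flavor" "$installed")"
  echo "advisory check: $(classify_sudoedit_output "$(sudoedit -s / 2>&1)")"
}
check_host
```

Run it on each instance (for example through AWS Systems Manager Run Command) and follow any "needs_update=yes" or "vulnerable" result with `sudo yum update sudo`.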

Xen Security Advisory (XSA-286)

22 November 2020, 11:10 am

Initial Publication Date: 2020/10/23 5:00PM PST

AWS is aware of Xen Security Advisories XSA-286 (https://xenbits.xen.org/xsa/advisory-286.html), XSA-331 (https://xenbits.xen.org/xsa/advisory-331.html), XSA-332 (https://xenbits.xen.org/xsa/advisory-332.html), XSA-345 (https://xenbits.xen.org/xsa/advisory-345.html), XSA-346 (https://xenbits.xen.org/xsa/advisory-346.html), and XSA-347 (https://xenbits.xen.org/xsa/advisory-347.html) released by the Xen Security team on October 20th 2020.

Xen Security Advisory (XSA-286)

AWS customers’ data and instances running on current generation instance types are not affected by this issue, and there is no customer action required. This is because current generation instance types use hardware virtual machine (HVM) virtualization.

However, instances using paravirtual (PV) virtualization are affected by XSA-286 (https://xenbits.xen.org/xsa/advisory-286.html), which may enable guest users to escalate their privileges to those of the guest kernel. PV AMIs are only supported on older instance types C1, C3, HS1, M1, M3, M2, and T1. The current generation of instance types do not support PV AMIs and are therefore not affected.

AWS has been recommending that customers stop using PV instances since our security bulletin (https://aws.amazon.com/security/security-bulletins/AWS-2018-013/) in March 2018. We continue to strongly recommend that customers stop using PV AMIs immediately and use HVM instead.
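To act on this recommendation an account owner first has to know where PV is still in use. The following added example (not part of the AWS bulletin) inventories paravirtual instances and self-owned paravirtual AMIs in every region with read-only `aws ec2 describe-*` calls, and flags any PV instance whose type falls outside the families the bulletin lists. It assumes the AWS CLI is installed and configured.

```shell
#!/bin/sh
# Added example, not from the AWS bulletin: inventory the paravirtual (PV)
# instances and self-owned PV AMIs in every region so they can be migrated to
# HVM as the bulletin recommends. Assumes the AWS CLI is installed and
# configured with read-only EC2 permissions (describe-* calls only).

# supports_pv_ami TYPE: succeeds when TYPE belongs to one of the instance
# families the bulletin lists as the only ones that still run PV AMIs.
supports_pv_ami() {
  case "$(printf '%s' "$1" | cut -d. -f1 | tr 'A-Z' 'a-z')" in
    c1|c3|hs1|m1|m2|m3|t1) return 0 ;;
    *)                     return 1 ;;
  esac
}

# pv_instances REGION: "InstanceId<TAB>InstanceType" per PV instance.
pv_instances() {
  aws ec2 describe-instances --region "$1" --output text \
    --query 'Reservations[].Instances[?VirtualizationType==`paravirtual`].[InstanceId,InstanceType]'
}

# pv_images REGION: "ImageId<TAB>Name" per PV AMI owned by this account.
pv_images() {
  aws ec2 describe-images --region "$1" --owners self --output text \
    --filters Name=virtualization-type,Values=paravirtual \
    --query 'Images[].[ImageId,Name]'
}

# report_region REGION: one line per finding; a PV instance on a type outside
# the bulletin's list is flagged so the inventory can be double-checked.
report_region() {
  pv_instances "$1" | while IFS="$(printf '\t')" read -r id itype; do
    [ -n "$id" ] || continue
    if supports_pv_ami "$itype"; then note=""; else note=" (type not in bulletin list)"; fi
    echo "$1 instance $id $itype$note"
  done
  pv_images "$1" | while IFS="$(printf '\t')" read -r ami name; do
    [ -n "$ami" ] && echo "$1 ami $ami $name"
  done
}

main() {
  command -v aws >/dev/null 2>&1 || { echo "aws CLI not found" >&2; return 0; }
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    report_region "$region"
  done
}
main
```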

Xen Security Advisories XSA-331, XSA-332, XSA-345, XSA-346 and XSA-347

AWS customers’ data and instances are not affected by these issues and there is no customer action required.