Amazon Web Services Security Bulletins

Read our latest security bulletins here.

Last Updated: August 15, 2019 9:00AM PDT

CVE Identifier: CVE-2019-11249

AWS is aware of a security issue (CVE-2019-11249) which resolves incomplete fixes for CVE-2019-1002101 and CVE-2019-11246. Like the aforementioned CVEs, the issue is in the Kubernetes kubectl tool that could allow a malicious container to replace or create files on a user’s workstation.

If a user were to run an untrusted container containing a malicious version of the tar command and execute the kubectl cp operation, the kubectl binary unpacking the tar file could overwrite or create files on a user’s workstation.

AWS customers should refrain from using untrusted containers. If customers use an untrusted container and use the kubectl tool to manage their Kubernetes clusters, they should refrain from running the kubectl cp command using the affected versions and update to the latest kubectl version.

Updating Kubectl

Amazon Elastic Kubernetes Service (EKS) currently vends kubectl for customers to download from the EKS service S3 bucket. Download and install instructions can be found in the EKS User Guide. Customers can run the command "kubectl version --client" to discover which version they are using.

For a list of affected kubectl versions, and the versions to which we recommend updating, please refer to the table below:

EKS-optimized AMIs

The EKS-optimized AMIs for Kubernetes at version v20190701 no longer contain kubectl. Customers running v20190701 or newer are not impacted, and no action is required. Customers running a previous version of the EKS AMI should update to the latest EKS AMI.

CVE-2019-11246 was addressed in AWS-2019-006.

July 02, 2019 2:00 PM PDT

CVE Identifier: CVE-2019-11246

AWS is aware of a security issue (CVE-2019-11246) in the Kubernetes kubectl tool that could allow a malicious container to replace or create files on a user’s workstation.

If a user were to run an untrusted container containing a malicious version of the tar command and execute the kubectl cp operation, the kubectl binary unpacking the tar file could overwrite or create files on a user’s workstation.

AWS customers should refrain from using untrusted containers. If customers use an untrusted container and use the kubectl tool to manage their Kubernetes clusters, they should refrain from running the kubectl cp command using the affected versions and update to the latest kubectl version.

Updating Kubectl
AWS currently vends kubectl for customers to download in the EKS service S3 bucket, as well as shipping the binary in our managed AMI.

1.10.x: Versions of kubectl vended by AWS 1.10.13 or earlier are affected. We recommend that you update to kubectl version 1.11.10.

1.11.x: Versions of kubectl vended by AWS 1.11.9 or earlier are affected. We recommend that you update to kubectl version 1.11.10.

1.12.x: Versions of kubectl vended by AWS 1.12.7 or earlier are affected. We recommend that you update to kubectl version 1.12.9.

1.13.x: kubectl 1.13.7 vended by AWS is not impacted.
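As an added example (not part of the AWS bulletin), the POSIX shell functions below apply the version table above to the output of "kubectl version --client": they extract the client version and report whether it falls in the affected range for the AWS-vended 1.10.x, 1.11.x and 1.12.x builds. The sample kubectl output string is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the AWS bulletin: classify a kubectl client
# version against the AWS-vended versions listed above for CVE-2019-11246.
# The sample version strings below are constructed for illustration.

# Pull MAJOR.MINOR.PATCH out of `kubectl version --client` output (the
# GitVersion field, e.g. v1.11.9) or out of a bare "v1.11.9" / "1.11.9".
# Requiring the leading "v" avoids matching the GoVersion field ("go1.10.8").
parse_version() {
  v=$(printf '%s\n' "$1" | grep -o 'v[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
  if [ -z "$v" ]; then
    v=$(printf '%s\n' "$1" | grep -o '^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
  fi
  printf '%s\n' "${v#v}"
}

# Compare two MAJOR.MINOR.PATCH strings numerically; prints -1, 0 or 1.
vercmp() {
  a_rest=${1#*.}; b_rest=${2#*.}
  a1=${1%%.*}; a2=${a_rest%%.*}; a3=${a_rest#*.}
  b1=${2%%.*}; b2=${b_rest%%.*}; b3=${b_rest#*.}
  for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
    set -- $pair
    [ "$1" -lt "$2" ] && { echo -1; return 0; }
    [ "$1" -gt "$2" ] && { echo 1; return 0; }
  done
  echo 0
}

# Classify a kubectl version against the bulletin's table for AWS-vended builds:
#   1.10.x <= 1.10.13 and 1.11.x <= 1.11.9 -> affected, update to 1.11.10
#   1.12.x <= 1.12.7                        -> affected, update to 1.12.9
#   1.13.7 and other lines are not listed as impacted in the bulletin.
check_kubectl_cve_2019_11246() {
  ver=$(parse_version "$1")
  [ -z "$ver" ] && { echo "unparseable"; return 0; }
  major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
  case "$major.$minor" in
    1.10) affected_max=1.10.13; fix=1.11.10 ;;
    1.11) affected_max=1.11.9;  fix=1.11.10 ;;
    1.12) affected_max=1.12.7;  fix=1.12.9 ;;
    *)    echo "not-listed"; return 0 ;;
  esac
  if [ "$(vercmp "$ver" "$affected_max")" -le 0 ]; then
    echo "affected:update-to-$fix"
  else
    # Newer than the listed ceiling; the bulletin's recommended target is $fix.
    echo "newer-than-affected:recommended-$fix"
  fi
}

# Constructed sample of older kubectl output, then the local binary if present.
sample='Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.9", GitCommit:"0000000", GoVersion:"go1.10.8", Platform:"linux/amd64"}'
echo "sample -> $(check_kubectl_cve_2019_11246 "$sample")"
if command -v kubectl >/dev/null 2>&1; then
  echo "local kubectl -> $(check_kubectl_cve_2019_11246 "$(kubectl version --client 2>/dev/null)")"
fi
```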

EKS-optimized AMIs
The EKS-optimized AMIs for Kubernetes versions 1.10.13, 1.11.9, and 1.12.7 currently contain affected versions of kubectl.

New versions of the EKS-optimized AMIs will be released today and will no longer include the kubectl binary. The EKS AMI does not rely on the kubectl binary; it was previously provided as a convenience. Customers relying on kubectl being present in the AMI will need to install it themselves when upgrading to the new AMI. In the meantime, users should update the kubectl version manually on any running instantiation of the AMI before using it.

Last Updated: June 18, 2019 11:45AM PDT

CVE Identifiers: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

This is an update for this issue.

Amazon Elastic Container Service (ECS)

Amazon ECS published updated ECS-optimized Amazon Machine Images (AMIs) with the patched Amazon Linux and Amazon Linux 2 kernel on June 17 and 18, 2019. More information about the ECS-optimized AMI, including how to obtain the latest version, is available at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html.

We recommend that ECS customers update their EC2 container instances to use the latest ECS-optimized AMI version.

Amazon GameLift

An updated AMI for Linux-based Amazon GameLift instances has been made available in all Amazon GameLift regions. We recommend that customers using Linux-based Amazon GameLift instances create new Fleets to pick up the updated AMI. More information on creating Fleets is available at https://docs.aws.amazon.com/gamelift/latest/developerguide/fleets-creating.html.

AWS Elastic Beanstalk

Updated AWS Elastic Beanstalk Linux-based platform versions are available. Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no other action required. Alternatively, customers using Managed Platform Updates may independently apply available updates earlier than their selected maintenance window by going to the Managed Updates configuration page and clicking on the "Apply Now" button.

Customers who have not enabled Managed Platform Updates must update their environment’s platform version by following the above instructions. More information on Managed Platform Updates is available at https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environment-platform-update-managed.html.

Amazon Linux and Amazon Linux 2

Updated Linux kernels for Amazon Linux are available in the Amazon Linux repositories, and updated Amazon Linux AMIs are available for use. Customers with existing EC2 instances running Amazon Linux should run the following command within each EC2 instance running Amazon Linux to ensure they receive the updated package:

sudo yum update kernel

As is standard for any update of the Linux kernel, after the yum update is complete, a reboot is required for updates to take effect.

Customers not using Amazon Linux should contact their operating system vendor for any updates or instructions necessary to mitigate any potential DoS concerns of these issues. More information is available at the Amazon Linux Security Center.

Amazon Elastic Compute Cloud (EC2)

Customer EC2 Linux-based instances either initiating or directly receiving TCP connections to or from untrusted parties, e.g. the Internet, require operating system patches to mitigate any potential DoS concerns of these issues. NOTE: Customers using Amazon Elastic Load Balancing (ELB) should review "Elastic Load Balancing (ELB)" below for additional guidance.

Elastic Load Balancing (ELB)

TCP Network Load Balancers (NLBs) do not filter traffic, unless they are configured to terminate TLS sessions. NLBs which are configured to terminate TLS sessions do not require any additional customer action to mitigate this issue.

Linux-based EC2 instances using TCP NLBs which do not terminate TLS sessions require operating system patches to mitigate any potential DoS concerns related to these issues. Updated kernels for Amazon Linux are available now, and instructions for updating EC2 instances currently running Amazon Linux are provided above. Customers not using Amazon Linux should contact their operating system vendor for any updates or instructions necessary to mitigate any potential DoS concerns.

Linux-based EC2 instances using Elastic Load Balancing (ELB) Classic Load Balancers, Application Load Balancers, or Network Load Balancers with TLS Termination (TLS NLB) do not require any customer action. ELB Classic and ALB will filter incoming traffic to mitigate any potential DoS concerns of these issues.

Amazon WorkSpaces (Linux)

All new Amazon Linux WorkSpaces will be launched with the updated kernels. The updated kernels for Amazon Linux 2 have already been installed for existing Amazon Linux WorkSpaces.

As is standard for any update of the Linux kernel, a reboot is required for updates to take effect. We recommend that customers manually reboot as soon as possible. Otherwise, Amazon Linux WorkSpaces will reboot automatically between 12:00AM and 4:00AM local time on June 18th.

Amazon Elastic Container Service for Kubernetes (Amazon EKS)

All currently-running Amazon EKS clusters are protected against these issues. Amazon EKS published updated EKS-optimized Amazon Machine Images (AMIs) with the patched Amazon Linux 2 kernel on June 17, 2019. More information about the EKS-optimized AMI is available at https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

We recommend that EKS customers replace all worker nodes to use the latest EKS-optimized AMI version. Instructions on updating worker nodes are available at https://docs.aws.amazon.com/eks/latest/userguide/update-workers.html.

Amazon ElastiCache

Amazon ElastiCache launches clusters of Amazon EC2 instances running Amazon Linux into customer VPCs. These do not accept untrusted TCP connections by default and are not affected by these issues.

Any customers who have made changes to the default ElastiCache VPC configuration should ensure their ElastiCache security groups follow AWS-recommended security best practices, by configuring them to block network traffic from untrusted clients to mitigate any potential DoS concerns. More information on ElastiCache VPC configuration is available at https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VPCs.html.

Customers who have their ElastiCache clusters running outside of their VPCs, and have made changes to the default configuration, should configure trusted access using ElastiCache security groups. For more information on creating ElastiCache security groups, see https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/SecurityGroups.html.

The ElastiCache team will release a new patch shortly, which addresses these issues. Once this patch is available, we will notify customers that it is ready to be applied. Customers can then choose to update their clusters with the ElastiCache self-service update feature. More information on ElastiCache self-service patch updates is available at https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/applying-updates.html.

Amazon EMR

Amazon EMR launches clusters of Amazon EC2 instances running Amazon Linux into customers’ VPCs on their behalf. These clusters do not accept untrusted TCP connections by default, and thus are not impacted by these issues.

Any customers who have made changes to the default EMR VPC configuration should ensure their EMR security groups follow AWS-recommended security best practices, blocking network traffic from untrusted clients to mitigate any potential DoS concerns. See https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-security-groups.html for more information on EMR security groups.

Customers who choose not to configure EMR security groups according to AWS-recommended security best practices (or who require operating system patches to meet any additional security policy), can follow the instructions below to update new or existing EMR clusters to mitigate these issues. NOTE: These updates will require reboots of cluster instances and may impact running applications. Customers should not restart their clusters until they deem it necessary to do so:

For new clusters, use an EMR bootstrap action to update the Linux kernel and reboot each instance. More information on EMR bootstrap actions is available at https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-bootstrap.html.

For existing clusters, update the Linux kernel on each instance within a cluster and reboot them in a rolling fashion.

May 14, 2019 10:00 AM PDT

CVE Identifiers: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Xen Security Advisories: XSA-297

Intel has published a security advisory (INTEL-SA-00233) regarding new information disclosure methods "Microarchitectural Data Sampling" (MDS) related to their processors. In parallel, the Xen security team have released Xen Security Advisory 297.

AWS has designed and implemented its infrastructure with protections against these types of bugs, and has also deployed additional protections for MDS. All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.

Updated kernels and microcode packages for Amazon Linux AMI 2018.03 and Amazon Linux 2 are available in the respective repositories (ALAS-2019-1205). As a general security best practice, we recommend that customers patch their operating systems or software as relevant patches become available to address emerging issues.

March 28, 2019 10:00AM PDT

AWS is aware of two recently disclosed security issues in Kubernetes (CVE-2019-1002101 and CVE-2019-9946). With the exception of the AWS services listed below, no customer action is required to address these issues.

Amazon Elastic Container Service for Kubernetes (EKS)

Amazon EKS’s managed Kubernetes control plane is not impacted by these security issues. An updated Amazon EKS-optimized AMI is now available. Customers should replace existing worker nodes with the new AMI version to address the issue described above. Instructions on how to update worker nodes can be found in the EKS documentation. Additionally, customers should update their kubectl binary to the latest version. Instructions on updating kubectl can be found in the EKS documentation.

February 13, 2019 9:00 PM PST

CVE Identifier: CVE-2019-5736

AWS is aware of the recently disclosed security issue which affects several open-source container management systems (CVE-2019-5736). With the exception of the AWS services listed below, no customer action is required to address this issue.

Amazon Linux

An updated version of Docker (docker-18.06.1ce-7.amzn2) is available for Amazon Linux 2 extras repositories and Amazon Linux AMI 2018.03 repositories (ALAS-2019-1156). AWS recommends that customers using Docker in Amazon Linux launch new instances from the latest AMI version. Further information is available in the Amazon Linux Security Center.

Amazon Elastic Container Service (Amazon ECS)

Amazon ECS Optimized AMIs, including the Amazon Linux AMI, the Amazon Linux 2 AMI, and the GPU-Optimized AMI, are available now. As a general security best practice, we recommend that ECS customers update their configurations to launch new container instances from the latest AMI version. Customers should replace existing container instances with the new AMI version to address the issue described above. Instructions to replace existing container instances can be found in the ECS documentation for the Amazon Linux AMI, the Amazon Linux 2 AMI, and the GPU-Optimized AMI.

Linux customers who do not use the ECS Optimized AMI are advised to consult with the vendor of your operating system, software, or AMI for updates and instructions as needed. Instructions about Amazon Linux are available in the Amazon Linux Security Center.

Amazon Elastic Container Service for Kubernetes (Amazon EKS)

An updated Amazon EKS Optimized AMI is available in the AWS Marketplace. As a general security best practice, we recommend that EKS customers update their configurations to launch new worker nodes from the latest AMI version. Customers should replace existing worker nodes with the new AMI version to address the issue described above. Instructions on how to update worker nodes can be found in the EKS documentation.

Linux customers who do not use the EKS Optimized AMI should contact their operating system vendor for the updates necessary to address these issues. Instructions about Amazon Linux are available in the Amazon Linux Security Center.

AWS Fargate

An updated version of Fargate is available for Platform Version 1.3 that mitigates the issues described in CVE-2019-5736. Patched versions of the older Platform Versions (1.0.0, 1.1.0, 1.2.0) will be made available by March 15th, 2019.

Customers running Fargate Services should call UpdateService with "--force-new-deployment" enabled to launch all new Tasks on the latest Platform Version 1.3. Customers running standalone tasks should terminate existing tasks, and re-launch using the latest version. Specific instructions can be found in the Fargate update documentation.

All tasks that are not upgraded to a patched version will be retired by April 19th, 2019. Customers that use standalone tasks must launch new tasks to replace those that are retired. Additional details can be found in the Fargate Task Retirement documentation.

AWS IoT Greengrass

Updated versions of AWS IoT GreenGrass core are available for 1.7.1 and 1.6.1. The updated versions require features available in Linux kernel version 3.17 or greater. Instructions on how to update your kernel can be found here.

As a general security best practice we recommend that customers running any version of GreenGrass core upgrade to version 1.7.1. Instructions for updating over-the-air can be found here.

AWS Batch

An updated Amazon ECS Optimized AMI is available as the default Compute Environment AMI. As a general security best practice we recommend that Batch customers replace their existing Compute Environments with the latest AMI available. Instructions for replacing the Compute Environment are available in the Batch product documentation.

Batch customers who do not use the default AMI should contact their operating system vendor for the updates necessary to address these issues. Instructions for Batch custom AMI are available in the Batch product documentation.

AWS Elastic Beanstalk

Updated AWS Elastic Beanstalk Docker-based platform versions are available. Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no action required. Customers can also update immediately by going to the Managed Updates configuration page and clicking on the "Apply Now" button. Customers who have not enabled Managed Platform Updates can update their environment’s platform version by following instructions here.

AWS Cloud9

An updated version of the AWS Cloud9 environment with Amazon Linux is available. By default, customers will have security patches applied on first boot. Customers who have existing EC2-based AWS Cloud9 environments should launch new instances from the latest AWS Cloud9 version. Further information is available in the Amazon Linux Security Center.

AWS Cloud9 customers who use SSH environments that are not built with Amazon Linux should contact their operating system vendor for the updates necessary to address these issues.

AWS SageMaker

An updated version of Amazon SageMaker is available. Customers using Amazon SageMaker’s default algorithm containers or framework containers for training, tuning, batch transform, or endpoints are not affected. Customers running labeling or compilation jobs are also not affected. Customers who are not using Amazon SageMaker notebooks to run Docker containers are not affected. All endpoints, labeling, training, tuning, compilation, and batch transform jobs launched on February 11th or later include the latest update with no customer action required. All Amazon SageMaker notebooks launched on February 11th or later with CPU instances and all Amazon SageMaker notebooks launched on February 13th 18:00 PT or later with GPU instances include the latest updates with no customer action required.

AWS recommends that customers running training, tuning, and batch transform jobs with custom code created before February 11th stop and start their jobs to include the latest update. These actions can be done from the Amazon SageMaker console or by following the instructions here.

Amazon SageMaker automatically updates all endpoints that are in-service to the latest software every four weeks. All endpoints created before February 11th are expected to be updated by March 11th. If there are any issues with the automatic updates and customers are required to take action to update their endpoints, Amazon SageMaker will publish a notification in the customers’ Personal Health Dashboard. Customers who wish to update their endpoints sooner can manually update their endpoints from the Amazon SageMaker console or by using the UpdateEndpoint API action at any time. We recommend that customers who have endpoints with autoscaling enabled take the additional precaution of following the instructions here.

AWS recommends that customers running Docker containers in Amazon SageMaker notebooks stop and start their Amazon SageMaker notebook instances to get the latest available software. This can be done from the Amazon SageMaker console. Alternately, customers can first stop the notebook instance using the StopNotebookInstance API and then start the notebook instance using the StartNotebookInstance API.

AWS RoboMaker

An updated version of AWS RoboMaker development environment is available. New development environments will use the latest version. As a general security best practice, AWS recommends that customers using RoboMaker development environments keep their Cloud9 environments updated to the latest version.

An updated version of AWS IoT GreenGrass core is available. All customers using RoboMaker Fleet Management should upgrade GreenGrass core to version 1.7.1. Instructions for upgrading over-the-air can be found here.

AWS Deep Learning AMI

Updated versions of the Deep Learning Base AMI and Deep Learning AMI for Amazon Linux and Ubuntu are available in the AWS Marketplace. AWS recommends that customers who have used Docker with their Deep Learning AMI or Deep Learning Base AMI launch new instances of the latest AMI version (v21.2 or later for Deep Learning AMI on Amazon Linux and Ubuntu, v16.2 or later for Deep Learning Base AMI on Amazon Linux and v15.2 or later for Deep Learning Base AMI on Ubuntu). Additional information is available in the Amazon Linux Security Center.

January 4, 2019 9:00 AM PST

AWS is aware of the two recent security issues disclosed within Kubernetes regarding the Kubernetes API server ("kubectl proxy"), and the Kubernetes Dashboard (CVE-2018-18264). Amazon Elastic Container Service for Kubernetes (EKS) is not affected by the "kubectl proxy" issue, and no customer action is required.

Amazon EKS does not install the Kubernetes Dashboard on customer clusters. For customers who have customized their EKS cluster and installed a version of the Kubernetes Dashboard older than v1.10.1, AWS recommends to upgrade the Kubernetes Dashboard to the latest version.

December 5, 2018 12:00 PM PST

AWS is aware of a recent security issue within Kubernetes, assigned CVE identifier CVE-2018-1002105. Amazon Elastic Container Service for Kubernetes (EKS) manages the Kubernetes control plane on behalf of customers. We have completed patching of the Amazon EKS fleet. All Amazon EKS Kubernetes clusters are now running a version of Kubernetes that is not affected by this issue. No customer action is required to receive these updates.

August 21, 2018 4:00 AM PDT

CVE Identifiers: CVE-2018-5390 (SegmentSmack), CVE-2018-5391 (FragmentSmack)

AWS is aware of two recently-disclosed security issues, commonly referred to as SegmentSmack and FragmentSmack, both of which affect the TCP and IP processing subsystem of several popular operating systems including Linux. With the exception of the AWS services listed below, no customer action is required to address these issues. Customers not using Amazon Linux should contact their operating system vendor for the updates necessary to address these issues.

Amazon Linux & Amazon Linux 2 AMI

An updated kernel for Amazon Linux is available within the Amazon Linux repositories; this update includes fixes for both SegmentSmack and FragmentSmack. Customers with existing Amazon Linux AMI instances should run the following command to ensure they receive the updated package: "sudo yum update kernel". As is standard for any update of the Linux kernel, after the yum update is complete, a reboot is required for updates to take effect. More information is available at the Amazon Linux Security Center (see: ALAS-2018-1049 and ALAS-2018-1058).

We have released new versions of the Amazon Linux and Amazon Linux 2 AMIs that automatically include the updated kernel. AMI IDs for images with the updated kernels can be found at Amazon Linux 2018.03 AMI IDs, Amazon Linux 2 AMI IDs, and in the AWS Systems Manager Parameter Store.

AWS Elastic Beanstalk
We have released updates for Linux-based Elastic Beanstalk platforms that includes fixes for both SegmentSmack and FragmentSmack. If you have Managed Platform Updates enabled for your environment, it will be automatically updated to the latest platform version in your selected maintenance window and no customer action is required. You can also update immediately by going to the Managed Updates configuration page and clicking on the "Apply Now" button. Customers who have not enabled Managed Platform Updates can update their environment’s platform by following instructions here.

August 16, 2018 2:45 PM PDT

CVE Identifiers: CVE-2018-3620, CVE-2018-3646

Intel has published a security advisory (INTEL-SA-00161) regarding a new side-channel analysis method concerning their processors called "L1 Terminal Fault" (L1TF). AWS has designed and implemented its infrastructure with protections against these types of attacks, and has also deployed additional protections for L1TF. All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.

Updated kernels for Amazon Linux AMI 2017.09 (ALAS-2018-1058), Amazon Linux AMI 2018.03 (ALAS-2018-1058), and Amazon Linux 2 (ALAS-2018-1058) are available in the respective repositories. As a general security best practice, we recommend that customers patch their operating systems or software as relevant patches become available to address emerging side-channel issues.

We have released new versions of the Amazon Linux and Amazon Linux 2 AMIs that automatically include the updated kernel. AMI IDs for images with the updated kernels can be found at Amazon Linux 2018.03 AMI IDs, Amazon Linux 2 AMI IDs, and in the AWS Systems Manager Parameter Store.

Meanwhile, we suggest using the stronger security and isolation properties of EC2 instances rather than relying on operating system process boundaries or containers when workloads execute with different security privileges.