Amazon Web Services Security Bulletins

Read our latest security bulletins here.

[V2] Last Updated: 2021/06/16 1:20 PM PDT

This is an update for this issue.

Binaries of AWS IoT Greengrass Core V1 (1.10.4 and 1.11.3) with patched runC are now available for download (https://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html). An updated Greengrass V2 Lambda Launcher v2.0.6 (https://docs.aws.amazon.com/greengrass/v2/developerguide/lambda-launcher-component.html) is also available in the AWS IoT console. We recommend Greengrass customers upgrade to the latest binaries and Lambda Launcher to incorporate the latest runC patch.

[V1] Initial Publication Date: 2021/06/08 2:20 PM PDT

You are viewing a previous version of this security bulletin.

AWS is aware of the recently disclosed security issue in runC which is a component of many container management systems (CVE-2021-30465). With the exception of the AWS services listed below, no customer action is required to address this issue.

 

Amazon Elastic Container Service (Amazon ECS)

Amazon ECS has released updated ECS-optimized Amazon Machine Images (AMIs) with the patched container runtime on May 21, 2021. More information about the ECS-optimized AMI is available at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html.

To resolve this issue in the meantime, we recommend that ECS customers run `yum update --security` to obtain this patch. More information is available at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-updates.html.

 

Amazon Elastic Kubernetes Service (Amazon EKS)

Amazon EKS has released updated EKS-optimized Amazon Machine Images (AMIs) with the patched container runtime. More information about the EKS-optimized AMI is available at https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

We recommend that EKS customers replace all worker nodes to use the latest EKS-optimized AMI version. Instructions on updating worker nodes are available at https://docs.aws.amazon.com/eks/latest/userguide/update-workers.html.

 

Bottlerocket 

Amazon has released Bottlerocket AMIs and in-place updates. Updating to the latest in-place update or replacing instances with the latest AMIs will resolve this issue. 

If you are using the Bottlerocket Update Operator for Kubernetes, you should expect nodes to begin updating within one day and all nodes within one week. Customers can upgrade faster manually via two API calls: `apiclient set updates.ignore-waves=true` and `apiclient update apply --check --reboot`. Once updates are completed, revert to the default setting with `apiclient set updates.ignore-waves=false`.

 

Amazon Linux and Amazon Linux 2 

An updated version of runc is available for Amazon Linux 2 extras repositories (*runc-1.0.0-0.2.20210225.git12644e6.amzn2*) and Amazon Linux AMI 2018.03 repositories (*runc-1.0.0-0.2.20210225.git12644e6.3.amzn1*). AWS recommends that customers using containers in Amazon Linux update to the latest version of runc and restart any running containers.
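The bulletin names the fixed Amazon Linux runc packages but leaves the "is my host already patched?" question to the reader. The following script is an added example, not AWS code: it parses the snapshot date embedded in an Amazon Linux runc package name (the `YYYYMMDD` part of `runc-1.0.0-0.2.20210225.git12644e6.amzn2`) and compares it against the fixed snapshot from the bulletin. The `rpm -q runc` query is standard; the sample package strings in the `__main__` block are constructed, and the snapshot-date comparison is a heuristic that assumes Amazon Linux's snapshot naming, so anything it cannot parse is reported as unknown rather than guessed.

```python
"""Added example (not AWS code): decide whether an installed Amazon Linux runc
package predates the snapshot build that carries the CVE-2021-30465 fix."""
import re
import shutil
import subprocess

# Fixed snapshot date taken from the package names in the bulletin
# (runc-1.0.0-0.2.20210225.git12644e6.amzn2 and ...git12644e6.3.amzn1).
FIXED_SNAPSHOT = 20210225

# Amazon Linux runc snapshot builds look like runc-<ver>-<rel>.<YYYYMMDD>.git<hash>...
_NVR_RE = re.compile(
    r"^runc-(?P<ver>[^-]+)-(?P<rel>[0-9]+\.[0-9]+)\.(?P<snap>\d{8})\.git"
)


def runc_status(nvr):
    """Return 'patched', 'vulnerable' or 'unknown' for a runc package string.

    Only Amazon Linux snapshot builds are understood; any other naming scheme
    (for example an upstream rc build) is reported as unknown so that nobody
    treats a non-answer as a clean bill of health."""
    m = _NVR_RE.match(nvr)
    if not m:
        return "unknown"
    return "patched" if int(m.group("snap")) >= FIXED_SNAPSHOT else "vulnerable"


def installed_runc():
    """Query rpm for the installed runc package; None if rpm or runc is absent."""
    if shutil.which("rpm") is None:
        return None
    res = subprocess.run(["rpm", "-q", "runc"], capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None


if __name__ == "__main__":
    pkg = installed_runc()
    if pkg is None:
        # Constructed sample values so the script demonstrates itself off-box.
        samples = [
            "runc-1.0.0-0.2.20210225.git12644e6.amzn2.x86_64",
            "runc-1.0.0-0.1.20200204.gitabcdef1.amzn2.x86_64",
            "runc-1.0.0-rc93.el8.x86_64",
        ]
        for s in samples:
            print(s, "->", runc_status(s))
    else:
        print(pkg, "->", runc_status(pkg))
```

A "patched" result covers only the package on disk; as the bulletin says, containers started before the update are still running the old runc binary until they are restarted.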

 

AWS Cloud9 

An updated version of the AWS Cloud9 environment with Amazon Linux is available. By default, customers will have security patches applied on first boot. Customers who have existing EC2-based AWS Cloud9 environments should launch new instances from the latest AWS Cloud9 version. Further information is available in the Amazon Linux Security Center (https://alas.aws.amazon.com/). 

AWS Cloud9 customers who use SSH environments that are not built with Amazon Linux should contact their operating system vendor for the updates necessary to address these issues.

 

AWS IoT Greengrass 

Updated AWS IoT Greengrass Core V1 binaries and Greengrass V2 Lambda Launcher will be available by June 15th as the latest versions of Greengrass. This bulletin will be updated once the patches are available.

Greengrass uses the runC library to execute Lambda functions inside an OCI-compliant container on Greengrass Core devices. The Lambda functions deployed to Greengrass Cores are provided to Greengrass via authenticated, authorized cloud APIs, an authenticated, authorized local CLI (if enabled), or through local root access. This means that Greengrass will only deploy and execute Lambda functions that were intended, and no action is necessary as long as Lambda functions are deployed from trusted sources. As a best practice, customers should only deploy Lambdas from trusted sources.

 

AWS Deep Learning AMI

Updated versions of the Deep Learning Base AMI and Deep Learning AMI for Amazon Linux and Amazon Linux 2 are available in the AWS EC2 console and AWS Marketplace. AWS recommends that customers who have used Docker with their Deep Learning Base AMI or Deep Learning AMI launch new instances of the latest AMI version (v35.0 or later for Deep Learning Base AMI on Amazon Linux, v38.0 or later for Deep Learning Base AMI on Amazon Linux 2, v45.0 or later for Deep Learning Base AMI on Amazon Linux and Amazon Linux 2). Additional information is available in the Amazon Linux Security Center.

 

AWS Batch

After AMI Update:
An updated Amazon ECS Optimized AMI is available as the default Compute Environment AMI. We recommend that Batch customers replace their existing Compute Environments with the latest available AMI. Instructions for replacing the Compute Environment are available in the Batch product documentation (https://docs.aws.amazon.com/batch/latest/userguide/compute_environments.html#managed_compute_environments).
Batch customers who do not use the default AMI should contact their operating system vendor for the updates necessary to address these issues. Instructions for Batch custom AMI are available in the Batch product documentation (https://docs.aws.amazon.com/batch/latest/userguide/create-batch-ami.html).

 

AWS Elastic Beanstalk

Updated AWS Elastic Beanstalk Docker-based platform versions are available. We recommend customers update immediately by going to the Managed Updates configuration page and clicking on the “Apply Now” button. Customers who have not enabled Managed Platform Updates can update their environment’s platform version by following instructions here. Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no action required. Release notes are also available.

 

Initial Publication Date: 2021/06/08 3:30 PM PDT

The Xen Security Team has released Xen Security Advisories 372, 373, 374, 375, and 377 regarding the Xen hypervisor. AWS customers’ data and instances are not affected by this issue, and no customer action is required.

Initial Publication Date: 2021/04/26 10:20 AM PDT

On April 13th, 2021, AWS became aware of an edge case that affected how some Application Load Balancers (ALB) handled key rotation for TLS/SSL session ticket encryption. This edge case was introduced in September, 2020 and resulted in a small percentage of ALB traffic intermittently using an uninitialized session ticket encryption key. The edge case was triggered primarily during quiet periods of activity. ALBs with a high variation of traffic, such as daily peaks and troughs, rarely triggered the edge case. Mitigation for the edge case began within 8 hours of discovery and was complete by April 16th, 2021. This issue has been completely resolved.

TLS/SSL is the protocol that provides encryption in transit for HTTPS connections to ALBs. Session tickets are used to resume TLS/SSL sessions and contain an encrypted copy of the parameters used to encrypt the connection. Session tickets are primarily used when the client is a web browser. Connections that were affected by the edge case issue were encrypted and there were no outward signs of any issue. However, knowledge of the edge-case issue could theoretically be used to decrypt affected session tickets. In the very unlikely case that an affected connection was being observed, the parameters contained in an affected session ticket could be used to decrypt the connection.

The AWS network includes existing defenses in depth against this kind of issue. As a result, ALB traffic between AWS data-centers, Availability Zones, Regions, Local Zones, and Outposts was fully protected by AWS Network encryption. ALB traffic between AWS networks and customer premises using the Amazon VPN or Amazon Direct Connect MACSEC services was also fully protected. AWS Network Load Balancers (NLBs), Classic Load Balancers (CLBs), and other Amazon Web Services were not affected by this issue.

AWS would like to thank Simon Nachtigall, Sven Hebrok, Marcel Maehren, Robert Merget, and Juraj Somorovsky of Paderborn University and Ruhr University Bochum, Germany, for reporting this issue.

[V2] Last Updated: 2021/01/27 1:00PM PDT

CVE Identifier: CVE-2021-3156

This is an update for this issue.

AWS is aware of the security issue recently disclosed by the open source community affecting the Linux “sudo” utility (CVE-2021-3156). This issue may permit unprivileged users to run privileged commands, or cause affected hosts to crash.

Updated versions of sudo are available in the Amazon Linux and Amazon Linux 2 package repositories. Customers with existing EC2 instances running Amazon Linux should run the following command within each EC2 instance running Amazon Linux to ensure they receive the updated package:

sudo yum update sudo

We have released new versions of the Amazon Linux and Amazon Linux 2 AMIs that automatically include the updated kernel. AMI IDs for images with the updated kernels can be found at Amazon Linux 2018.03 AMI IDs, Amazon Linux 2 AMI IDs, and in the AWS Systems Manager Parameter Store.

Customers not using Amazon Linux should contact their operating system vendor for any updates or instructions necessary to mitigate any potential concerns arising from these issues. More information is available at the Amazon Linux Security Center.

AL1: https://alas.aws.amazon.com/ALAS-2021-1478.html
AL2: https://alas.aws.amazon.com/AL2/ALAS-2021-1590.html

[V1] Initial Publication Date: 2021/01/26 2:11PM PDT

CVE Identifier: CVE-2021-3156

You are viewing a previous version of this security bulletin.

AWS is aware of the security issue recently disclosed by the open source community affecting the Linux “sudo” utility (CVE-2021-3156). This issue may permit unprivileged users to run privileged commands. The sudo maintainers have published more information about this issue at https://www.sudo.ws/alerts/unescape_overflow.html.

AWS infrastructure and services are not affected by this issue. As a general security best practice, we recommend that Amazon EC2 customers running Amazon Linux update their operating systems to install the latest version of sudo.

Updated versions of sudo are available in the Amazon Linux and Amazon Linux 2 package repositories. Customers with existing EC2 instances running Amazon Linux should run the following command within each EC2 instance running Amazon Linux to ensure they receive the updated package:

sudo yum update sudo

Customers not using Amazon Linux should contact their operating system vendor for any updates or instructions necessary to mitigate any potential concerns arising from these issues. More information is available at the Amazon Linux Security Center.

AL1: https://alas.aws.amazon.com/ALAS-2021-1478.html
AL2: https://alas.aws.amazon.com/AL2/ALAS-2021-1590.html

Android Security Advisory

22 November 2020, 11:10 am

2015/07/28 – 6:00PM PST

 

AWS is aware of the recently reported Android security issues described in: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829. These issues present a risk to all data present on your Android device, which may include AWS API or console credentials you have used on that device.

 

AWS customers who have been using an Android device to access AWS resources, such as the AWS console or using your Android device as a MFA device, should discontinue use of their Android device to access AWS resources, rotate their AWS credentials that were used after July 25, 2015 on the Android device immediately, and check with their Android device or phone provider to ensure it is patched for the previously mentioned CVEs before continuing to use the device to access AWS resources.

For additional information regarding how to rotate your credentials, please see http://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingCredentials.html

Xen Security Advisory (XSA-286)


Initial Publication Date: 2020/10/23 5:00PM PST


AWS is aware of Xen Security Advisories XSA-286 (https://xenbits.xen.org/xsa/advisory-286.html), XSA-331 (https://xenbits.xen.org/xsa/advisory-331.html), XSA-332 (https://xenbits.xen.org/xsa/advisory-332.html), XSA-345 (https://xenbits.xen.org/xsa/advisory-345.html), XSA-346 (https://xenbits.xen.org/xsa/advisory-346.html), and XSA-347 (https://xenbits.xen.org/xsa/advisory-347.html) released by the Xen Security team on October 20th 2020.

Xen Security Advisory (XSA-286)

AWS customers’ data and instances running on current generation instance types are not affected by this issue, and there is no customer action required. This is because current generation instance types use hardware virtual machine (HVM) virtualization.

However, instances using paravirtual (PV) virtualization are affected by XSA-286 (https://xenbits.xen.org/xsa/advisory-286.html), which may enable guest users to escalate their privileges to those of the guest kernel. PV AMIs are only supported on older instance types C1, C3, HS1, M1, M3, M2, and T1. The current generation of instance types do not support PV AMIs and are therefore not affected.

AWS has been recommending that customers stop using PV instances since our security bulletin (https://aws.amazon.com/security/security-bulletins/AWS-2018-013/) in March 2018. We continue to strongly recommend that customers stop using PV AMIs immediately and use HVM instead.

Xen Security Advisories XSA-331, XSA-332, XSA-345, XSA-346 and XSA-347

AWS customers’ data and instances are not affected by these issues and there is no customer action required.

Initial Publication Date: 2020/09/22 8:45AM PST

CVE Identifier: CVE-2020-25595

AWS is aware of Xen Security Advisory 337 released by the Xen Security team on September 22nd 2020. Nitro based instances are not affected. The issue depends on PCI devices passed through to customer instances exposing behavior outside of the PCI device specification. EC2 is not using such devices, and no customer action is required.

Initial Publication Date: 2020/09/22 8:45AM PST

CVE Identifier: CVE-2020-25604

AWS is aware of Xen Security Advisory 336 released by the Xen Security team on September 22nd 2020. Nitro based instances are not affected. Under rare circumstances, a guest may be able to cause a Xen host to reboot. This poses no risk to confidentiality or integrity of customer data, and no customer action is required. We are actively updating the fleet, and will update this security bulletin when complete.

Initial Publication Date: 2020/03/31 11:15AM PDT

AWS is updating all AWS Federal Information Processing Standard (FIPS) endpoints to a minimum Transport Layer Security (TLS) version of 1.2 across all AWS Regions by March 31, 2021. This update will revoke the ability to use TLS 1.0 and TLS 1.1 on all FIPS endpoints. No other AWS endpoints will be affected by this change.

When connecting to an AWS service endpoint, your client provides its TLS minimum and TLS maximum version. The AWS service endpoint selects the maximum version offered.

What do I need to do?
 
Confirm that all of your client applications support TLS 1.2, that is, that TLS 1.2 falls within the minimum and maximum TLS versions each client is configured to offer. We encourage you to act now to avoid any impact to your availability and to protect the integrity of your data in transit. Additionally, we recommend that you perform these steps in a test or staging environment before completing these steps in a production environment.
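The bulletin's rule is that the endpoint picks the highest version the client offers, so a client whose configured range tops out below TLS 1.2 will simply fail to connect once the floor is raised. The script below is an added example, not AWS code or an AWS SDK setting: `negotiated_version` models that rule as range arithmetic (the endpoint's range of TLS 1.2 through TLS 1.3 is an assumption for illustration; the bulletin only states the 1.2 minimum), and `fips_client_context` shows the matching client-side floor using Python's standard `ssl` module, so a client refuses anything below TLS 1.2 itself rather than relying on the server to do so.

```python
"""Added example (not AWS code): check whether a client's configured TLS version
range still overlaps an endpoint whose minimum is TLS 1.2, and build a client
context that enforces the same floor locally."""
import ssl

# Protocol versions in negotiation order; used for the range arithmetic below.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def negotiated_version(client_min, client_max,
                       server_min="TLSv1.2", server_max="TLSv1.3"):
    """Version the endpoint selects for a client offering [client_min, client_max].

    Returns None when the two ranges do not overlap, which is what a client
    stuck on TLS 1.0/1.1 will see once the FIPS endpoints require 1.2.
    The server range defaults are an assumption for illustration."""
    lo = max(TLS_ORDER.index(client_min), TLS_ORDER.index(server_min))
    hi = min(TLS_ORDER.index(client_max), TLS_ORDER.index(server_max))
    if lo > hi:
        return None
    return TLS_ORDER[hi]  # highest version both sides support


def fips_ready(client_min, client_max):
    """True if the client can still reach an endpoint with a TLS 1.2 floor."""
    return negotiated_version(client_min, client_max) is not None


def fips_client_context():
    """Client-side SSLContext pinned to TLS 1.2 as the minimum version.

    Setting the floor on the client means a downgraded or misconfigured
    endpoint is rejected by the client instead of silently accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed client ranges: legacy-only, mixed, and modern.
    for rng in [("TLSv1", "TLSv1.1"), ("TLSv1", "TLSv1.2"), ("TLSv1.2", "TLSv1.3")]:
        print(rng, "->", negotiated_version(*rng))
    print("client floor:", fips_client_context().minimum_version.name)
```

Use `fips_client_context()` wherever the client code builds its own TLS connection (for example `ssl.SSLContext.wrap_socket` or an HTTP library that accepts a context); SDK-based clients set the equivalent through the SDK's own TLS configuration, as described in the AWS SDK documentation the bulletin points to.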
 
If you are using an AWS Software Development Kit (AWS SDK), you can find information about how to properly configure your client’s minimum and maximum TLS versions on the following topics in the AWS SDK documentation:
 
When are these changes occurring?
 
To minimize the impact to our customers who use TLS 1.0 and TLS 1.1, we are rolling out the changes on a service-by-service basis between now and the end of March 2021.
 
We will detect and validate customer connections to AWS FIPS endpoints. After a 30-day period during which no connections are detected, we will deploy a configuration change to remove support for them. After March 31, 2021, we may update the endpoint configuration to remove TLS 1.0 and 1.1, even if we detect customer connections. We will provide additional updates and reminders on the AWS Security Blog, with a ‘TLS’ tag.
 
What are AWS FIPS endpoints?
 
All AWS services offer Transport Layer Security (TLS) 1.2 encrypted endpoints that can be used for all API calls. Some AWS services also offer FIPS 140-2 endpoints for customers that require use of FIPS validated cryptographic libraries.
 
What is Transport Layer Security (TLS)?
 
Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication across a computer network. API calls to AWS services are secured using TLS.
 
How can I get additional assistance to verify or update my client application?
 
If you have any questions or issues, please contact AWS Support or your Technical Account Manager (TAM). The AWS Technical Support tiers cover development and production issues for AWS products and services, along with other key stack components. AWS Support does not include code development for client applications.
 
Customers also may use AWS IQ to find and securely work with AWS Certified third-party experts for on-demand project work. Visit the AWS IQ page for information about how you can submit your request, get responses from experts, and choose the expert with the skills and experience you require. You can log into your console and select Get Started with AWS IQ to start your request.

[V2] Last Updated: 2020/07/09 6:30PM PDT

CVE Identifier: CVE-2020-8558

This is an update for this issue.

AWS is aware of a security issue, recently disclosed by the Kubernetes community, affecting Linux container networking (CVE-2020-8558). This issue may allow containers running on the same host, or adjacent hosts (hosts running in the same LAN or layer 2 domain), to reach TCP and UDP services bound to localhost (127.0.0.1).

All AWS security controls to maintain isolation between customers in Amazon ECS and Amazon EKS continue to work correctly. This issue presents no risk of cross-account data access. Processes within a container on one host may be able to gain unintended network access to other containers on that same host or on other hosts within the same VPC and subnet. Customer action is required, and steps for immediate mitigation are available at https://github.com/aws/containers-roadmap/issues/976. All Amazon ECS and Amazon EKS customers should update to the latest AMI.

AWS Fargate
AWS Fargate is not affected. No customer action is required.

Amazon Elastic Container Service (Amazon ECS)
Updated Amazon ECS Optimized AMIs are now available. As a general security best practice, we recommend that ECS customers update their configurations to launch new container instances from the latest AMI version.

Customers can upgrade their AMIs by referring to the ECS documentation.

Amazon Elastic Kubernetes Service (Amazon EKS)
Updated Amazon EKS-Optimized AMIs are now available. As a general security best practice, we recommend that EKS customers update their configurations to launch new worker nodes from the latest AMI version.

Customers using managed node groups can upgrade their node groups by referring to the EKS documentation. Customers self-managing worker nodes should replace existing instances with the new AMI version by referring to the EKS documentation.

[V1] Initial Publication Date: 2020/07/08 7:15PM PDT

CVE Identifier: CVE-2020-8558

You are viewing a previous version of this security bulletin.

AWS is aware of a security issue, recently disclosed by the Kubernetes community, affecting Linux container networking (CVE-2020-8558). This issue may allow containers running on the same or adjacent hosts (hosts running in the same LAN or layer 2 domain) to reach TCP and UDP services bound to localhost (127.0.0.1).

AWS Fargate is not affected. No customer action is required.

All AWS security controls to maintain isolation between customers in Amazon ECS and Amazon EKS continue to work correctly. This issue presents no risk of cross-account data access. Processes within a container on one host may be able to gain unintended network access to other containers on that same host or on other hosts within the same VPC and subnet. Customer action is required, and steps for immediate mitigation are available at: https://github.com/aws/containers-roadmap/issues/976

We will be releasing updated Amazon Machine Images for both Amazon ECS and Amazon EKS, and customers should update to these AMIs as soon as they are available.

AWS Fargate
AWS Fargate is not affected. No customer action is required.

Amazon Elastic Container Service (Amazon ECS)
Amazon ECS will be releasing updated ECS Optimized AMIs including the Amazon Linux AMI, Amazon Linux 2 AMI, GPU-Optimized AMI, ARM-Optimized AMI, and Inferentia-Optimized AMI on July 9, 2020. Updating to use one of these AMIs will mitigate the issue. We will update this bulletin when updated AMIs are available.

Amazon Elastic Kubernetes Service (Amazon EKS)
Amazon EKS will be releasing updated EKS Optimized AMIs including the Amazon Linux 2 EKS-Optimized AMI and EKS-Optimized accelerated AMI for Kubernetes 1.14, 1.15, and 1.16 on July 9, 2020. Updating to use one of these AMIs will mitigate the issue. We will update this bulletin when updated AMIs are available.