Amazon Web Services Latest Security Bulletins

Bulletin ID: AWS-2025-018 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/08/14 09:15 PM PDT Description: Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that enables customers to deploy, manage, and scale containerized applications. Amazon ECS container agent provides an introspection API that provides information about the overall state of the Amazon ECS agent and the container instances. We identified CVE-2025-9039, an issue in the Amazon ECS agent. Under certain conditions, this issue could allow an introspection server to be accessed off-host by another instance if the instances are in the same security group or if their security groups allow inbound connections to the introspection server port. This issue does not affect instances where the option to allow off-host access to the introspection server is set to “false”. Affected versions: ECS Agent versions 0.0.3 through 1.97.0

Bulletin ID: AWS-2025-017 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/08/13 10:00 PM PDT Description: Amazon EMR is a managed cluster platform that simplifies running big data frameworks on AWS to process and analyze vast amounts of data. We identified CVE-2025-8904, an issue in the Amazon EMR Secret Agent component. The Secret Agent component securely stores secrets and distributes secrets to other Amazon EMR components and applications. When using Amazon EMR clusters with one or more Lake Formation, Apache Ranger, runtime role, or Identity Center feature that uses this component, Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. We implemented a fix that removes /tmp/ as a staging directory for Kerberos credentials, eliminating the possibility of users accessing the keytab file. The fix is available in Amazon EMR release 7.5 and higher. Affected versions: Amazon EMR version 6.10 through 7.4

Bulletin ID: AWS-2025-016 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/07/25 6:00 PM PDT Description: AWS CodeBuild is a fully managed on-demand continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. Security researchers reported a CodeBuild issue that could be leveraged for unapproved code modification absent sufficient repository controls and credential scoping. The researchers demonstrated how a threat actor could submit a Pull Request (PR) that, if executed through an automated CodeBuild build process, could extract the source code repository (e.g. GitHub, BitBucket, or GitLab) access token through a memory dump within the CodeBuild build environment. If the access token has write permissions, the threat actor could commit malicious code to the repository. This issue is present in all regions for CodeBuild. During our investigation, we identified this technique was leveraged by a threat actor who extracted the source code repository access token for the AWS Toolkit for Visual Studio Code and AWS SDK for .NET repositories. We have assigned CVE-2025-8217 for this, please refer to the AWS Security Bulletin AWS-2025-015 for additional information. Source code repository credentials are required in CodeBuild to access repository content, create webhooks for automated builds, and execute the build on your behalf. If a PR submitter obtains CodeBuild’s repository credentials, they could gain elevated permissions beyond their normal access level. Depending on the permissions customers grant in CodeBuild, these credentials might allow elevated privileges like webhook creation, which CodeBuild requires to integrate with source code repositories and set up automated builds, or commit code to the repository. To determine if this issue was leveraged by an untrusted contributor, we recommend reviewing git logs, e.g. GitHub logs, and look for anomalous activity of the credentials granted to CodeBuild. We will update this bulletin if we have additional information to share. Resolution: CodeBuild has included additional protections against memory dumps within container builds using unprivileged mode. However, because builds execute code committed by contributors in the build environment, they have access to anything the build environment has access to. Therefore, we strongly recommend customers do not use automatic PR builds from untrusted repository contributors. For public repositories that want to continue to support automatic builds of untrusted contributions, we advise using the self-hosted GitHub Actions runners feature in CodeBuild as it is not impacted by this issue.

Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/07/23 6:00 PM PDT Updated Date: 2025/07/25 6:00 PM PDT Description: Amazon Q Developer for Visual Studio Code (VS Code) Extension is a development tool that integrates Amazon Q’s AI-powered coding assistance directly into the VS Code integrated development environment (IDE). AWS is aware of and has addressed an issue in the Amazon Q Developer for VS Code Extension, which is assigned to CVE-2025-8217. AWS Security has inspected the code and determined the malicious code was distributed with the extension but was unsuccessful in executing due to a syntax error. This prevented the malicious code from making changes to any services or customer environments. We will update this bulletin if we have additional information to share. Affected version: Amazon Q Developer for Visual Studio Code Extension (version 1.84.0)

Scope: Amazon/AWS Content Type: Important (requires attention) Publication Date: 2025/07/23 8:30 AM PDT Description: AWS Client VPN is a managed client-based VPN service that enables secure access to AWS and on-premises resources. The AWS Client VPN client software runs on end-user devices, supporting Windows, macOS, and Linux and provides the ability for end users to establish a secure tunnel to the AWS Client VPN Service. We identified CVE-2025-###, an issue in AWS Client VPN. During the AWS Client VPN client installation on Windows devices, the install process references the C:\usr\local\windows-x86_64-openssl-localbuild\ssl directory location to fetch the OpenSSL configuration file. As a result, a non-admin user could place arbitrary code in the configuration file. If an admin user starts the AWS Client VPN client installation process, that code could be executed with root-level privileges. This issue does not affect Linux or Mac devices. Affected version: 4.1.0, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, 5.2.1

Scope: Amazon Content Type: Informational Publication Date: 2025/06/12 10:30 AM PDT Description Amazon Cloud Cam is a home security camera that was deprecated on December 2, 2022, is end of life, and is no longer actively supported. When a user powers on the Amazon Cloud Cam, the device attempts to connect to a remote service infrastructure that has been deprecated due to end-of-life status. The device defaults to a pairing status in which an arbitrary user can bypass SSL pinning to associate the device to an arbitrary network, allowing for network traffic interception and modification. Affected version: All