Latest Bulletins
Read our latest security bulletins here.
- CVE-2025-6031 – Insecure device pairing in end-of-life Amazon Cloud Cam, by aws@amazon.com on June 12, 2025 at 7:44 pm
  Scope: Amazon
  Content Type: Informational
  Publication Date: 2025/06/12 10:30 AM PDT
  Description: Amazon Cloud Cam is a home security camera that was deprecated on December 2, 2022, is end of life, and is no longer actively supported. When a user powers on the Amazon Cloud Cam, the device attempts to connect to a remote service infrastructure that has been deprecated due to its end-of-life status. The device defaults to a pairing state in which an arbitrary user can bypass SSL pinning to associate the device with an arbitrary network, allowing network traffic to be intercepted and modified.
  Affected version: All
  Resolution: This product has been end of life since December 2, 2022 and should not be used.
  References: CVE-2025-6031
  Acknowledgement: We would like to thank Willis Vandevanter for collaborating on this issue through the coordinated vulnerability disclosure process.
  Please email aws-security@amazon.com with any security questions or concerns.
- CVE-2025-5688 – Out of Bounds Write in FreeRTOS-Plus-TCP, by aws@amazon.com on June 4, 2025 at 5:24 pm
  Scope: AWS
  Content Type: Important (requires attention)
  Publication Date: 2025/06/04 10:00 AM PDT
  Description: FreeRTOS-Plus-TCP is an open source TCP/IP stack implementation specifically designed for FreeRTOS. The stack provides a standard Berkeley sockets interface and supports essential networking protocols including IPv6, ARP, DHCP, DNS, LLMNR, mDNS, NBNS, RA, ND, ICMP, and ICMPv6. FreeRTOS-Plus-TCP offers two Buffer Allocation Schemes for buffer management:
    Buffer Allocation Scheme 1 – Allocates buffers from a pre-defined pool of fixed-size buffers.
    Buffer Allocation Scheme 2 – Allocates buffers of the required size dynamically from the heap.
  We identified CVE-2025-5688, which may allow an out-of-bounds write when processing LLMNR or mDNS queries with very long DNS names. This issue only affects systems using Buffer Allocation Scheme 1 with LLMNR or mDNS enabled.
  Affected version:
    v2.3.4 through v4.3.1, if LLMNR is used with Buffer Allocation Scheme 1.
    v4.0.0 through v4.3.1, if mDNS is used with Buffer Allocation Scheme 1.
  Resolution: This issue has been addressed in FreeRTOS-Plus-TCP version 4.3.2. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
  Workarounds: None.
  References: CVE-2025-5688, GHSA-5x4f-fvv8-wr65
  Acknowledgement: We would like to thank Purdue University for collaborating on this issue through the coordinated vulnerability disclosure process.
  Please email aws-security@amazon.com with any security questions or concerns.
- CVE-2025-5279 – Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin, by aws@amazon.com on May 27, 2025 at 8:28 pm
  Scope: AWS
  Content Type: Important (requires attention)
  Publication Date: 2025/05/27 11:30 AM PDT
  Description: Amazon Redshift Python Connector is a pure Python connector (i.e., driver) to Redshift that implements the Python Database API Specification 2.0. We identified CVE-2025-5279, an issue in the Amazon Redshift Python Connector, versions 2.0.872 through 2.1.6. When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider (IdP). An insecure connection could allow an actor to intercept the token exchange process and retrieve an access token. This issue has been addressed in driver version 2.1.7. Users should upgrade to address this issue and ensure any forked or derivative code is patched to incorporate the new fixes.
  Affected version: >=2.0.872; <=2.1.6
  Resolution: Upgrade Amazon Redshift Python Connector to version 2.1.7 and ensure any forked or derivative code is patched to incorporate the new fixes.
  References: CVE-2025-5279, GHSA-r244-wg5g-6w2r
  Please email aws-security@amazon.com with any security questions or concerns.
- CVE-2025-4318 – Input validation issue in AWS Amplify Studio UI component properties, by aws@amazon.com on May 5, 2025 at 6:36 pm
  Scope: AWS
  Content Type: Important (requires attention)
  Publication Date: 2025/05/05 11:00 AM PDT
  Description: The AWS Amplify Studio amplify-codegen-ui is an AWS package that generates front-end code from UI Builder entities (components, forms, views, and themes). It is primarily used in Amplify Studio for component previews and in the AWS Command Line Interface (AWS CLI) for generating component files in customers' local applications. We identified CVE-2025-4318, an input validation issue in Amplify Studio UI component properties. When importing a component schema using the create-component command, Amplify Studio imports and generates the component on the user's behalf. The expression-binding function does not validate the component schema properties before converting them to expressions. As a result, an authenticated user who can create or modify components could run arbitrary JavaScript code during the component rendering and build process. We released a fix in 2.20.3 and recommend users upgrade to address this issue. Additionally, ensure any forked or derivative code is patched to incorporate the new fixes.
  Affected version: <=2.20.2
  Resolution: The patches are included in Amplify Studio aws-amplify/amplify-codegen-ui version 2.20.3. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
  References: GHSA-hf3j-86p7-mfw8, CVE-2025-4318
  Please email aws-security@amazon.com with any security questions or concerns.
- CVE-2025-3857 – Infinite loop condition in Amazon.IonDotnet, by aws@amazon.com on April 21, 2025 at 3:43 pm
  Scope: AWS
  Content Type: Important (requires attention)
  Publication Date: 2025/04/21 08:00 AM PDT
  Description: Amazon.IonDotnet (ion-dotnet) is a .NET library with an implementation of the Ion data serialization format. We identified CVE-2025-3857, an infinite loop condition in Amazon.IonDotnet. When reading binary Ion data through this library using the RawBinaryReader class, Amazon.IonDotnet does not check the number of bytes read from the underlying stream while deserializing the binary format. If the Ion data is malformed or truncated, this triggers an infinite loop condition that could potentially result in a denial of service. We released a fix in version 1.3.1 and recommend users upgrade to address this issue. Additionally, ensure any forked or derivative code is patched to incorporate the new fixes.
  Affected version: <=1.3.0
  Resolution: The patches are included in Amazon.IonDotnet version 1.3.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
  References: GHSA-gm2p-wf5c-w3pj, CVE-2025-3857
  Acknowledgement: We would like to thank Symbotic for collaborating on this issue through the coordinated vulnerability disclosure process.
  Please email aws-security@amazon.com with any security questions or concerns.
- Issue with AWS SAM CLI (CVE-2025-3047, CVE-2025-3048), by aws@amazon.com on March 31, 2025 at 3:44 pm
  Scope: AWS
  Content Type: Important (requires attention)
  Publication Date: 2025/03/31 08:10 AM PDT
  Description: The AWS Serverless Application Model Command Line Interface (AWS SAM CLI) is an open-source CLI tool that helps Lambda developers build and develop Lambda applications locally on their computers using Docker. We have identified the following issues within the AWS SAM CLI. A fix has been released and we recommend users upgrade to the latest version to address these issues. Additionally, users should ensure any forked or derivative code is patched to incorporate the new fixes.
  CVE-2025-3047: When running the AWS SAM CLI build process with Docker and symlinks are included in the build files, the container environment allows a user to access privileged files on the host by leveraging the elevated permissions granted to the tool. A user could leverage the elevated permissions to access restricted files via symlinks and copy them to a more permissive location in the container. This issue affects AWS SAM CLI <= v1.132.0 and has been resolved in v1.133.0. To retain the previous behavior after upgrading and allow symlinks to resolve on the host machine, use the explicit --mount-symlinks parameter.
  CVE-2025-3048: After completing a build with AWS SAM CLI that includes symlinks, the content of those symlinks is copied to the cache of the local workspace as regular files or directories. As a result, a user who does not have access to those symlinks outside of the Docker container would now have access via the local workspace. This issue affects AWS SAM CLI <= v1.133.0 and has been resolved in v1.134.0. After upgrading, users must re-build their applications using sam build --use-container to update the symlinks.
  Affected version: <= AWS SAM CLI v1.133.0
  Resolution: CVE-2025-3047 has been addressed in version 1.133.0 and CVE-2025-3048 has been addressed in version 1.134.0. Users should upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.
  References: CVE-2025-3047, CVE-2025-3048, GHSA-px37-jpqx-97q9, GHSA-pp64-wj43-xqcr
  Acknowledgement: We would like to thank the GitHub Security Lab for collaborating on this issue through the coordinated vulnerability disclosure process.
  Please email aws-security@amazon.com with any security questions or concerns.
- Issue with tough, versions prior to 0.20.0 (Multiple CVEs), by aws@amazon.com on March 27, 2025 at 11:32 pm
  Scope: AWS
  Content Type: Important (requires attention)
  Publication Date: 2025/03/27 02:30 PM PDT
  Description: The Update Framework (TUF) is a software framework designed to protect the mechanisms that automatically identify and download updates to software. tough is a Rust client library for TUF repositories. AWS is aware of the following issues within tough, versions prior to 0.20.0. On March 27, 2025, we released a fix in tough 0.20.0 and recommend customers upgrade to address these issues and ensure any forked or derivative code is patched to incorporate the new fixes.
  CVE-2025-2885 relates to missing validation of the root metadata version number, which could allow an actor to supply an unexpected version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client.
  CVE-2025-2886 relates to an issue in the library's ability to identify the correct signature to verify for content when terminating delegated roles are used.
  CVE-2025-2888 relates to an issue which caused the client to cache timestamp metadata despite it being correctly rejected when a rollback was detected. This could cause tough to subsequently fail to consume valid updates.
  CVE-2025-2887 relates to incomplete rollback detection when delegated roles are in use. This could lead to tough failing to detect rollbacks that it should have enough information to detect.
  Affected version: <0.20.0
  Resolution: Patches for these issues are included in tough >=0.20.0.
  References: CVE-2025-2885, CVE-2025-2886, CVE-2025-2888, CVE-2025-2887, GHSA-5vmp-m5v2-hx47, GHSA-v4wr-j3w6-mxqc, GHSA-q6r9-r9pw-4cf7, GHSA-76g3-38jv-wxh4, GHSA-j8x2-777p-23fc
  Acknowledgement: We would like to thank Google for collaborating on this issue through the coordinated vulnerability disclosure process.
  Please email aws-security@amazon.com with any security questions or concerns.
- Issues with Kubernetes ingress-nginx controller (Multiple CVEs), by aws@amazon.com on March 27, 2025 at 9:04 pm
  Scope: AWS
  Content Type: Important (requires attention)
  Publication Date: 2025/03/24 09:00 AM PDT
  Description: Ingress Controllers are applications within a Kubernetes cluster that enable Ingress resources to function. AWS is aware of CVE-2025-1098, CVE-2025-1974, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513, which affect the Kubernetes ingress-nginx controller. Amazon Elastic Kubernetes Service (Amazon EKS) does not provide or install the ingress-nginx controller and is not affected by these issues. Customers who have installed this controller on their clusters should update to the latest version. We have proactively notified customers who were identified as having this controller installed.
  References:
    CVE-2025-1098 – GitHub Issue
    CVE-2025-1974 – GitHub Issue
    CVE-2025-1097 – GitHub Issue
    CVE-2025-24514 – GitHub Issue
    CVE-2025-24513 – GitHub Issue
  Please email aws-security@amazon.com with any security questions or concerns.
- Issue with the AWS CDK CLI and custom credential plugins (CVE-2025-2598), by aws@amazon.com on March 21, 2025 at 2:37 pm
  Scope: AWS
  Content Type: Important (requires attention)
  Publication Date: 2025/03/21 07:00 AM PDT
  Description: AWS identified CVE-2025-2598, an issue in the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI), versions 2.172.0 through 2.178.1. The AWS CDK CLI is a command line tool that deploys AWS CDK applications onto AWS accounts. When customers run AWS CDK CLI commands with credential plugins and configure those plugins to return temporary credentials by including an expiration property, this issue can result in the AWS credentials retrieved by the plugin being printed to the console output. Any user with access to the console where the CDK CLI was run would have access to this output. We have released a fix for this issue and recommend customers upgrade to version 2.178.2 or later to address this issue. Plugins that omit the expiration property are not affected.
  To validate whether credentials have been printed to the console output, customers can take the following actions:
    1. Identify executions of the CDK CLI that started after December 6, 2024.
    2. Scan any logs of those executions to locate statements similar to the following:
       { accessKeyId: '<secret>', secretAccessKey: '<secret>', sessionToken: '<secret>', expiration: <date>, '$source': <object> }
  If you identify credentials, these can be viewed by users who have access to the console where the CDK CLI was run. As such, we recommend you take appropriate action, which can include (but is not limited to):
    Revoke all temporary credentials obtained from the AWS IAM role used by the plugin.
    Limit the users who have access to the console output.
    Rotate long-lived credentials of the AWS IAM user used by the plugin (if any).
  Please refer to our "AWS CDK CLI Library" for more information about custom credential plugins.
  Affected versions: 2.172.0 through 2.178.1
  Resolution: The issue has been addressed in version 2.178.2. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
  References: GHSA-v63m-x9r9-8gqp, CVE-2025-2598
  Please email aws-security@amazon.com with any security questions or concerns.