Amazon Web Services Latest Security Bulletins

Latest Bulletins Read our latest security bulletins here.

  • AWS Response to March 2024 CSRB report
    by aws@amazon.com on April 19, 2024 at 3:59 pm

    Publication Date: 2024/04/19 09:00 AM PDT AWS is aware of a recent Cyber Safety Review Board (CSRB) report regarding a 2023 Microsoft Online Exchange issue. We are not affected by the issues described in this report and no customer action is required. At AWS, security is our top priority. Every AWS customer benefits from the fact that we have the most operational experience of any cloud provider. We designed AWS from its very foundation to be the most secure way for our customers to run their workloads, and built our internal culture around security as a business imperative. The security of the AWS cloud is unique and differentiated by our technology, culture, and practices. To learn more, please refer to our “How the unique culture of security at AWS makes a difference” blog post.  

  • CVE-2024-28056
    by aws@amazon.com on April 16, 2024 at 12:33 am

    Publication Date: 2024/04/15 07:00 AM PST

    AWS is aware of CVE-2024-28056, which affects Amplify CLI versions prior to 12.10.1 and Amplify Studio, which uses Amplify CLI. We released a fix to Amplify CLI on January 10, 2024 that also fixed Amplify Studio, and recommend customers upgrade to Amplify CLI 12.10.1 or higher to address this issue. We have proactively communicated with the customers using affected versions.

    AWS has taken two additional steps to protect customers using Amplify from unintentional misconfigurations. First, AWS added a mitigation to the AWS Security Token Service (STS) where attempts to make a cross-account role assumption with a trust policy referencing Amazon Cognito as the trusted principal, without conditions to scope down access to specific Amazon Cognito Identity Pools using the aud claim, will fail. As a result, cross-account access will no longer be possible with policies created by earlier unpatched versions of Amplify. Second, AWS added a mitigation to the AWS Identity and Access Management (IAM) control plane such that any attempt to create a role trust policy that references Amazon Cognito as the trusted principal, without adding conditions restricting access, will fail.

    We would like to thank Datadog for responsibly disclosing this issue to AWS. Please email aws-security@amazon.com with any security questions or concerns.
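    The trust-policy weakness this bulletin describes (Amazon Cognito as the federated principal with no condition pinning the aud claim to an identity pool) can be checked for in existing roles. The following is an added example, not AWS or Amplify code; it assumes the standard Cognito trust-policy shape (Federated principal, sts:AssumeRoleWithWebIdentity) and uses a placeholder identity pool id.

```python
"""Flag IAM role trust policies that trust Amazon Cognito without scoping the
aud claim to specific identity pools, the misconfiguration the CVE-2024-28056
bulletin describes and that STS/IAM now reject. Added example, not AWS code.
Assumes the standard Cognito trust-policy shape (Federated principal,
sts:AssumeRoleWithWebIdentity); the identity pool id below is a placeholder."""
import json

COGNITO_PRINCIPAL = "cognito-identity.amazonaws.com"
AUD_CONDITION_KEY = "cognito-identity.amazonaws.com:aud"


def _as_list(value):
    """IAM allows a string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _scopes_aud(condition):
    """True if any Condition operator constrains the Cognito aud claim."""
    for _operator, key_values in (condition or {}).items():
        if any(k.lower() == AUD_CONDITION_KEY for k in key_values):
            return True
    return False


def unscoped_cognito_statements(policy_json):
    """Return indices of Allow statements trusting Cognito with no aud condition."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and COGNITO_PRINCIPAL in federated \
                and not _scopes_aud(stmt.get("Condition")):
            findings.append(idx)
    return findings


# Constructed policies: the unconditioned shape the bulletin describes, beside a
# hardened one pinned to a single identity pool and to authenticated identities.
_BASE = {"Effect": "Allow", "Principal": {"Federated": COGNITO_PRINCIPAL},
         "Action": "sts:AssumeRoleWithWebIdentity"}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [dict(_BASE)]})
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    **_BASE,
    "Condition": {
        "StringEquals": {AUD_CONDITION_KEY: "us-east-1:PLACEHOLDER-IDENTITY-POOL-ID"},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
    }}]})

if __name__ == "__main__":
    print("weak:", unscoped_cognito_statements(WEAK_POLICY))          # [0]
    print("hardened:", unscoped_cognito_statements(HARDENED_POLICY))  # []
```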

  • CVE-2024-3094
    by aws@amazon.com on March 29, 2024 at 7:12 pm

    Publication Date: 2024/03/29 12:30 PM PST
    CVE Identifier: CVE-2024-3094

    AWS is aware of CVE-2024-3094, which affects versions 5.6.0 and 5.6.1 of the xz-utils package. This issue may attempt to introduce security issues in openssh through the use of liblzma within some operating system environments. Amazon Linux customers are not affected by this issue, and no action is required. AWS infrastructure and services do not utilize the affected software and are not impacted. Users of Bottlerocket are not affected. Customers using other operating systems are advised to refer to information provided by the OS vendor to address any concerns originating from this reported issue. Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  • CVE-2024-21626 – Runc container issue
    by aws@amazon.com on February 3, 2024 at 1:57 am

    Publication Date: 2024/01/31 1:30 PM PST
    CVE Identifier: CVE-2024-21626

    AWS is aware of a recently disclosed security issue affecting the runc component of several open source container management systems (CVE-2024-21626). With the exception of the AWS services listed below, no customer action is required to address this issue.

    Amazon Linux
    An updated version of runc is available for Amazon Linux 1 (runc-1.1.11-1.0.amzn1), Amazon Linux 2 (runc-1.1.11-1.amzn2) and for Amazon Linux 2023 (runc-1.1.11-1.amzn2023). AWS recommends that customers using runc or other container-related software apply those updates or a newer version. Further information is available in the Amazon Linux Security Center.

    Bottlerocket OS
    An updated version of runc will be included in Bottlerocket 1.19.0, which will be released by February 2, 2024. AWS recommends that customers using Bottlerocket apply this update or a newer version. Further information will be posted in the Bottlerocket Security Advisories and the Bottlerocket Release Notes.

    Amazon Elastic Container Service (ECS)
    This CVE has been patched in runc, and an updated version of runc, version 1.1.11-1, is available as part of the latest Amazon ECS-optimized Amazon Machine Images (AMIs) released on January 31, 2024. We recommend that ECS customers update to these AMIs (or the latest available) or perform a “yum update --security” to obtain this patch. Please refer to the “Amazon ECS-optimized AMI” user guide for additional information.

    Amazon Elastic Kubernetes Services (EKS)
    Amazon EKS has released updated EKS-optimized Amazon Machine Images (AMIs) version v20240129 with the patched container runtime. Customers using Managed node groups can upgrade their node groups by referring to the EKS documentation. Customers using Karpenter can update their nodes by following the documentation on drift or AMI selection. Customers using self-managing worker nodes can replace existing nodes by referring to the EKS documentation.

    Amazon EKS Fargate will have an update available for new pods on clusters by February 1, 2024, and will display a Kubelet version ending in eks-680e576. Customers can verify the version of their nodes by running kubectl get nodes. Customers should delete their existing pods to receive the patch after February 2, 2024. Please refer to the “Getting started with AWS Fargate using Amazon EKS” documentation for information on deleting and creating Fargate pods.

    Amazon EKS Anywhere has released updated images version v0.18.6 with the patched container runtime. Customers can refer to the EKS Anywhere “Upgrade cluster” documentation on how to upgrade clusters to use patched VM images.

    AWS Elastic Beanstalk
    Updated AWS Elastic Beanstalk Docker- and ECS-based platform versions are available. Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no action required. Customers can update immediately by going to the Managed Updates configuration page and clicking on the “Apply now” button. Customers who have not enabled Managed Platform Updates can update their environment’s platform version by following the “Updating your Elastic Beanstalk environment’s platform version” user guide.

    Finch
    An updated version of runc is available for Finch in the latest release, v1.1.0. Customers should upgrade their Finch installation on macOS to address this issue. Finch releases can be downloaded through the project’s GitHub release page or by running “brew update” if you installed Finch via Homebrew.

    AWS Deep Learning AMI
    The affected runc package is a part of our Amazon Linux 2 Deep Learning AMI. This runc package is pulled from upstream Amazon Linux 2 releases. Deep Learning AMI will automatically consume the latest patched package once it becomes available from the Amazon Linux Team. Once released, affected customers will need to pull in the latest Deep Learning AMI to consume the latest runc updates to mitigate the issue.

    AWS Batch
    An updated Amazon ECS Optimized AMI as the default Compute Environment AMI is available. As a general security best practice, we recommend that Batch customers replace their existing Compute Environments with the latest AMI. Instructions for replacing the Compute Environment are available in the Batch product documentation. Batch customers who do not use the default AMI should contact their operating system vendor for the updates necessary to address these issues. Instructions for Batch custom AMI are available in the Batch product documentation.

    Amazon SageMaker
    Any SageMaker resources, including SageMaker Notebook Instances, SageMaker Training Jobs, SageMaker Processing Jobs, SageMaker Batch Transform Jobs, SageMaker Studio and SageMaker Inference, created or restarted after February 2, 2024, will automatically use the patch. For SageMaker Inference, any live endpoints that were not recreated will be automatically patched by February 7, 2024.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  • Reported TorchServe Issue (CVE-2023-43654)
    by aws@amazon.com on October 2, 2023 at 6:13 pm

    Publication Date: 2023/10/02 02:00 PM EDT AWS is aware of CVE-2023-43654 and CVE-2022-1471 in PyTorch TorchServe versions 0.3.0 to 0.8.1, which use a version of the SnakeYAML v1.31 open source library. TorchServe version 0.8.2 resolves these issues. AWS recommends customers using PyTorch inference Deep Learning Containers (DLC) 1.13.1, 2.0.0, or 2.0.1 in EC2, EKS, or ECS released prior to September 11, 2023, update to TorchServe version 0.8.2. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker are not affected. Customers can use the following new image tags to pull DLCs that ship with patched TorchServe version 0.8.2: The full DLC image URI details can be found at: https://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images. We would like to thank Oligo Security for responsibly disclosing this issue and working with the PyTorch maintainers on its resolution. If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

  • Kubernetes Security Issues (CVE-2023-3676, CVE-2023-3893, CVE-2023-3955)
    by aws@amazon.com on August 23, 2023 at 4:59 pm

    Publication Date: 2023/08/23 10:00 AM PDT AWS is aware of three security issues (CVE-2023-3676, CVE-2023-3893, CVE-2023-3955) in Kubernetes that affect Amazon EKS customers with Windows EC2 nodes in their clusters. These issues do not affect any Kubernetes control plane or the service itself, nor do these issues permit cross-customer impact. Updated Amazon EKS Windows AMIs are now available for Kubernetes versions 1.23 through 1.27 that include patched builds of kubelet and csi-proxy. We recommend that EKS customers update their configurations to launch new worker nodes from the latest AMI version. Customers using Managed node groups can refer to the EKS Documentation for instructions on upgrading their node groups. Customers self-managing worker nodes should replace existing instances with the new AMI version by referring to the EKS documentation. If you have questions or concerns about these updates, please reach out to AWS Support. Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  • CVE-2023-20569 – RAS Poisoning – Inception
    by aws@amazon.com on August 9, 2023 at 8:35 pm

    Publication Date: 2023/08/08 11:30AM PDT AWS is aware of CVE-2023-20569, also known as “RAS Poisoning” or “Inception”. AWS customers’ data and instances are not affected by this issue, and no customer action is required. AWS has designed and implemented its infrastructure with protections against this class of issues. Amazon EC2 instances, including Lambda, Fargate, and other AWS-managed compute and container services, protect customer data against Inception through microcode and software-based mitigations. Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  • CVE-2022-40982 – Gather Data Sampling – Downfall
    by aws@amazon.com on August 8, 2023 at 7:56 pm

    Publication Date: 2023/08/08 1:00 PM PDT AWS is aware of CVE-2022-40982, also known as “Gather Data Sampling” (GDS) or “Downfall”. AWS customers’ data and instances are not affected by this issue, and no customer action is required. AWS has designed and implemented its infrastructure with protections against this class of issues. Amazon EC2 instances, including Lambda, Fargate, and other AWS-managed compute and container services, protect customer data against GDS through microcode and software-based mitigations. Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  • Recent Software-based Power Side-Channel Security Research
    by aws@amazon.com on August 1, 2023 at 5:27 pm

    Publication Date: 2023/08/01 10:00AM PDT AWS is aware of recently published security research describing software-based power side-channel concerns, otherwise known as “Collide+Power”. AWS customers’ data and instances are not impacted by this issue, and no customer action is required. AWS has designed and implemented its infrastructure with protections against these types of concerns. Amazon EC2 instances, including Lambda, Fargate, and other AWS-managed compute and container services, do not expose power measurement mechanisms, such as Running Average Power Limit (RAPL) or similar interfaces, within the virtualized environment. We would like to thank the Graz University of Technology and CISPA Helmholtz Center for Information Security for responsibly disclosing this issue and working with us on its resolution. Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.
