September 29, 2009

A vulnerability in certain versions of the Linux kernel allows local users to gain privileges. In response, EC2 has released patched 2.6.18 and 2.6.21 kernels (AKI) and ramdisks (ARI). We suggest that EC2 users update their AMIs and relaunch their affected instances to take advantage of the patched kernels.

Detailed information about the vulnerability and patch is available at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692

Note that this vulnerability affects all Linux kernels 2.6.0 through 2.6.30.4 unless patched.

To take advantage of these new kernels and ramdisks, users will need to rebuild their existing AMIs and update the references to both the AKI and ARI. This process is outlined in an AWS Developer-Resources tutorial: http://developer.amazonwebservices.com/connect/entry.jspa?externalID=2865

2.6.21 kernels are available as:

US Region:

32-bit:

  • aki-6eaa4907
  • ari-e7dc3c8e
  • ami-48aa4921

64-bit:

  • aki-a3d737ca
  • ari-4fdf3f26
  • ami-f61dfd9f

EU Region:

32-bit:

  • aki-02486376
  • ari-aa6348de
  • ami-0a48637e

64-bit:

  • aki-f2634886
  • ari-a06348d4
  • ami-927a51e6

The appropriate modules are in ec2-downloads and the full source is here: http://ec2-downloads.s3.amazonaws.com/linux-2.6.21.7-2.fc8xen-ec2-v1.0-src.tgz

2.6.18 kernels are available as:

US Region:

32-bit:

  • aki-f5c1219c
  • ari-dbc121b2

64-bit:

  • aki-e5c1218c
  • ari-e3c1218a

EU Region:

32-bit:

  • aki-966a41e2
  • ari-906a41e4

64-bit:

  • aki-aa6a41de
  • ari-946a41e0

The appropriate modules are in ec2-downloads and the full source is here: http://ec2-downloads.s3.amazonaws.com/xen-3.1.0-src-ec2-v1.2.tgz
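
As an added example (not part of the original bulletin or any AWS tooling), the following sketch audits an instance inventory for the condition described above: a kernel release in the 2.6.0 through 2.6.30.4 range that was not booted from one of the patched AKIs listed in this bulletin. The inventory rows, instance ids, the `aki-00000000` placeholder and all function names are constructed for illustration.

```python
import re

# Patched AKIs listed in this bulletin (2.6.21 and 2.6.18, US and EU, 32/64-bit).
PATCHED_AKIS = {
    "aki-6eaa4907", "aki-a3d737ca", "aki-02486376", "aki-f2634886",
    "aki-f5c1219c", "aki-e5c1218c", "aki-966a41e2", "aki-aa6a41de",
}
AFFECTED_MIN = (2, 6, 0, 0)    # 2.6.0
AFFECTED_MAX = (2, 6, 30, 4)   # 2.6.30.4

def parse_release(release):
    """Turn a `uname -r` string into a 4-part tuple, ignoring vendor suffixes."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(p) if p else 0 for p in m.groups())

def in_affected_range(release):
    return AFFECTED_MIN <= parse_release(release) <= AFFECTED_MAX

def needs_relaunch(release, aki):
    """The version alone cannot show a backported fix, so the AKI decides."""
    return in_affected_range(release) and aki not in PATCHED_AKIS

# Constructed inventory rows: (instance id, uname -r output, AKI in use).
INVENTORY = [
    ("i-example1", "2.6.21.7-2.fc8xen", "aki-6eaa4907"),    # patched AKI
    ("i-example2", "2.6.21.7-2.fc8xen", "aki-00000000"),    # placeholder AKI
    ("i-example3", "2.6.18-xenU-ec2-v1.0", "aki-00000000"),
    ("i-example4", "2.6.31-302-ec2", "aki-00000000"),       # above the range
]

def audit(inventory):
    """Return the ids of instances that still need a rebuilt AMI."""
    return [iid for iid, rel, aki in inventory if needs_relaunch(rel, aki)]

if __name__ == "__main__":
    for iid in audit(INVENTORY):
        print(iid, "needs an AMI rebuilt against a patched AKI/ARI")
```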