Third Update: 2016/05/28 4:30 PM PDT
Second Update: 2016/05/07 2:30 PM PDT
First Update: 2016/05/03 11:00 AM PDT
Original Bulletin: 2016/05/03 7:30 AM PDT

We are aware of the OpenSSL advisory posted at https://www.openssl.org/news/secadv/20160503.txt. The OpenSSL project team has released OpenSSL versions 1.0.2h and 1.0.1t.

AWS infrastructure typically accessed by web browsers, e.g., the AWS Management Console, S3, CloudFront, and ELB, prefers and recommends AES-GCM TLS/SSL cipher suites. Therefore, customer interactions with AWS via modern web browsers or client applications which appropriately negotiate AES-GCM for TLS/SSL are not impacted by this issue.

Consistent with AWS recommended security best practices, AWS strongly encourages customers to upgrade to the latest OpenSSL for improved security and stability in their own AWS deployed environments and client applications.

An updated OpenSSL package is available within the Amazon Linux repositories. Instances launched with the default Amazon Linux configuration on or after 2016/05/03 will automatically include the updated package. Customers with existing Amazon Linux AMI instances should run the following command to ensure they receive the updated package:

   yum update openssl

More information on the updated Amazon Linux package is available at the Amazon Linux AMI Security Center.
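
For OpenSSL builds that track upstream version numbers (for example, a copy bundled with a client application), the shell function below compares an `openssl version` string against the fixed releases named above, 1.0.2h and 1.0.1t. It is an added example, not part of the original bulletin or any AWS tooling; the function name and sample strings are constructed. Distribution packages, including the Amazon Linux one, may carry backported fixes without changing the upstream version letter, so for those rely on the package update rather than this check.

```shell
#!/bin/sh
# Added example (not from the bulletin): compare an `openssl version` string
# with the fixed releases the bulletin names, 1.0.2h and 1.0.1t.
# Return codes: 0 = at or above the fixed release for its branch
#               1 = older than the fixed release
#               2 = branch not covered by the bulletin, or string not parseable
openssl_fixed_status() {
    # $1 looks like "OpenSSL 1.0.2g  1 Mar 2016" or "OpenSSL 1.0.1k-fips ..."
    ver=$(printf '%s\n' "$1" | LC_ALL=C sed -n \
        's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\([a-z]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    branch=${ver%% *}     # numeric part, e.g. 1.0.2
    letter=${ver#* }      # patch letter(s), empty for a base release

    # Single-letter releases that are at or after the fixed one, per branch.
    case $branch in
        1.0.2) fixed='[h-z]' ;;
        1.0.1) fixed='[t-z]' ;;
        *)     return 2 ;;
    esac

    case $letter in
        '')     return 1 ;;   # base release (e.g. 1.0.2) predates every letter release
        $fixed) return 0 ;;
        ?)      return 1 ;;   # any other single letter is older than the fix
        *)      return 0 ;;   # multi-letter suffixes (e.g. "za") sort after "z"
    esac
}

# Constructed sample strings; on a real host pass "$(openssl version)" instead.
for v in "OpenSSL 1.0.2g  1 Mar 2016" \
         "OpenSSL 1.0.1t  3 May 2016" \
         "OpenSSL 1.0.1k-fips 8 Jan 2015"; do
    rc=0
    openssl_fixed_status "$v" || rc=$?
    printf '%-34s -> %s\n' "$v" "$rc"
done
```

A result of 2 means the bulletin's two version floors say nothing about that build, not that it is safe.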

AWS will appropriately update OpenSSL to improve security for AWS customers who are utilizing outdated web browsers that cannot negotiate the AWS preferred and recommended AES-GCM TLS/SSL cipher suites when interacting with the AWS Management Console.

AWS has updated OpenSSL for S3, ELB, and CloudFront to assist AWS customers who vend TLS/SSL-protected content accessed by outdated web browsers that cannot negotiate the AWS preferred and recommended AES-GCM TLS/SSL cipher suites.

No other customer action outside of updating Amazon Linux instances is required.