Security researchers reported incorrect behavior in the SSL certificate validation mechanisms of some software development kits (SDKs) and application programming interface (API) tools maintained by AWS and third parties. Specifically, researchers identified versions of Elastic Cloud Compute (EC2) API tools, Elastic Load Balancing (ELB) API tools, and Flexible Payments Software (FPS) SDKs which may perform incorrect validation of SSL certificates. The incorrect SSL certificate validation reported in EC2 and ELB API tools could potentially allow a man-in-the-middle attacker to read, but not successfully modify, signed AWS REST/Query requests intended for secure (HTTPS) EC2 or ELB API endpoints. These issues do not allow an attacker to access customer instances or manipulate customer data. The incorrect SSL certificate validation reported in the FPS SDKs could potentially allow an attacker to read, but not successfully modify, signed AWS REST requests intended for secure (HTTPS) FPS API endpoints, and may also impact merchant applications that utilize Amazon Payments Software SDKs to verify FPS responses to Instant Payment Notification verification.
To address these issues, AWS has released updated versions of the affected SDKs and API tools, which can be found here:
EC2 API Tools
ELB API Tools
Amazon Payments Software Updates
AWS has addressed similar issues for additional SDKs and API tools; releasing updated versions, which can be found here:
Auto Scaling Command Line Tool
AWS CloudFormation Command Line Tools
Bootstrapping Applications using AWS CloudFormation
Amazon CloudFront Authentication Tool for Curl
Amazon CloudWatch Command Line Tool
Amazon CloudWatch Monitoring Scripts for Linux
Amazon EC2 VM Import Connector for VMware vCenter
AWS Elastic Beanstalk Command Line Tool
Amazon ElastiCache Command Line Toolkit
Amazon Mechanical Turk Command Line Tools
Amazon Mechanical Turk SDK for .NET
Amazon Mechanical Turk SDK for Perl
Amazon Route 53 Authentication Tool for Curl
Ruby Libraries for Amazon Web Services
Amazon Simple Notification Service Command Line Interface Tool
Amazon S3 Authentication Tool for Curl
In addition to using the latest AWS SDKs and API tools, customers are encouraged to update underlying software dependencies. Suggested versions for underlying software dependencies can be found in the README file of the SDK or CLI tool package.
AWS continues to recommend the use of SSL for additional security and to protect AWS requests or their responses from being viewed in transit. Signed AWS REST/Query requests via HTTP or HTTPS are protected from third-party modification, and MFA-protected API access using AWS Multi-Factor Authentication (MFA) provides an extra layer of security over powerful operations, such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3.
For more information about signing AWS REST/Query requests, please see:
For more information about MFA-protected API access, please see:
AWS would like to thank the following individuals for reporting these issues and sharing our passion for security:
Martin Georgiev, Suman Jana, and Vitaly Shmatikov of the University of Texas at Austin
Subodh Iyengar, Rishita Anubhai, and Dan Boneh of Stanford University
Security is our top priority. We remain committed to providing features, mechanisms, and assistance for our customers to realize a secure AWS infrastructure. AWS security-related questions or concerns can be brought to our attention via email@example.com.