Posted On: Apr 7, 2014

Amazon Linux AMI Security Advisory: ALAS-2014-320
Advisory Release Date: Apr 7, 2014
Severity: critical
References: CVE-2014-0160, OpenSSL upstream notification, heartbleed.com

Issue Overview:

A missing bounds check was found in the way OpenSSL handled TLS heartbeat extension packets (the "Heartbleed" bug). A remote peer, without authentication, can use this flaw to read up to 64 KB of process memory from a connected client or server per heartbeat request; the leaked memory may contain private keys, session data and other secrets.


Affected Versions:

Any Amazon Linux AMI on which openssl 1.0.1 is installed, which means any Amazon Linux AMI 2013.03 or later, and any older Amazon Linux AMI that has been upgraded to 2013.03 or later. OpenSSL is installed by default on the Amazon Linux AMI.


Affected Packages:

openssl


Issue Correction:

Run yum update openssl to update your system. Once the new package is installed, you must either restart every service that uses openssl or reboot the instance: a process that loaded the old library before the update keeps running the vulnerable code until it is restarted. Although the new package is still named openssl-1.0.1e, it contains the fix for CVE-2014-0160; the release field (37.66.amzn1) is what distinguishes it from the vulnerable build, so check that rather than the version string.
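The following script is an added example and is not part of this advisory or of Amazon's tooling. It checks the two things the correction step depends on: that the installed openssl build is the fixed 1.0.1e-37.66.amzn1 (or newer) by comparing the release field rather than the unchanged version string, and which running processes still have the pre-update libssl/libcrypto mapped and therefore need a restart. The fixed version and release are taken from the package list in this advisory; the function names, the simplified field-by-field comparison (a stand-in for rpmvercmp) and the "(deleted)" mapping heuristic are this example's own assumptions.

```shell
#!/bin/sh
# Added example for ALAS-2014-320; not part of the advisory or of Amazon Linux.
# Answers two questions raised by the correction step: is the fixed openssl
# build actually installed, and which processes still map the old library?
# FIXED_* come from the advisory's package list; everything else is assumed.

FIXED_VERSION="1.0.1e"
FIXED_RELEASE="37.66.amzn1"

# True if $1 is a non-empty string of decimal digits.
is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# field_ge A B: compare dotted version/release strings field by field, numeric
# fields numerically and anything else (e.g. "1e", "amzn1") as plain strings.
# Returns 0 when A >= B. A simplified stand-in for rpmvercmp, sufficient for the
# 1.0.1 release numbers involved here. Uses globals: POSIX sh has no 'local'.
field_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ -n "$fa" ] || fa=0
        [ -n "$fb" ] || fb=0
        if is_num "$fa" && is_num "$fb"; then
            [ "$fa" -gt "$fb" ] && return 0
            [ "$fa" -lt "$fb" ] && return 1
        else
            [ "$fa" \> "$fb" ] && return 0
            [ "$fa" \< "$fb" ] && return 1
        fi
    done
    return 0
}

# openssl_vr_is_fixed VERSION-RELEASE: returns 0 if that build contains the fix.
# The version alone cannot tell you: 1.0.1e-37.65.amzn1 is vulnerable while
# 1.0.1e-37.66.amzn1 is fixed, so the release field must be compared as well.
openssl_vr_is_fixed() {
    ver=${1%%-*}; rel=${1#*-}
    if [ "$ver" = "$FIXED_VERSION" ]; then
        field_ge "$rel" "$FIXED_RELEASE"
    else
        field_ge "$ver" "$FIXED_VERSION"
    fi
}

# Check every installed openssl package (a multilib host may carry both the
# i686 and the x86_64 build). Returns 0 only if all of them are fixed.
installed_openssl_is_fixed() {
    if ! rpm -q openssl >/dev/null 2>&1; then
        echo "openssl is not installed"
        return 1
    fi
    ok=0
    for vr in $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl); do
        if openssl_vr_is_fixed "$vr"; then
            echo "openssl-$vr: contains the CVE-2014-0160 fix"
        else
            echo "openssl-$vr: VULNERABLE, run: yum update openssl"
            ok=1
        fi
    done
    return $ok
}

# After 'yum update openssl' the old libssl/libcrypto files are unlinked, but a
# process that loaded them earlier keeps them mapped; the kernel marks such a
# mapping "... (deleted)" in /proc/PID/maps. Each process listed here is still
# executing the vulnerable code and must be restarted. Run as root to read
# other users' maps. Returns 0 if at least one such process was found.
processes_with_stale_openssl() {
    found=1
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -qE 'lib(ssl|crypto)\.so.* \(deleted\)$' "$maps" 2>/dev/null; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            echo "PID $pid still maps the old OpenSSL: ${cmd:-?}"
            found=0
        fi
    done
    return $found
}

main() {
    installed_openssl_is_fixed || exit 2
    if processes_with_stale_openssl; then
        echo "Restart the services above (or reboot the instance) to finish remediation."
        exit 3
    fi
    echo "openssl is patched and no running process maps the old library."
}

# The live checks run only with --check, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as root with "sh alas_check.sh --check" after yum update openssl; exit status 2 means the vulnerable build is still installed, 3 means the package is fixed but listed processes still run the old library, and 0 means remediation is complete. The "(deleted)" check catches long-running daemons (web servers, mail servers, VPN endpoints) that a package update alone does not fix, which is exactly why the advisory requires a restart or reboot.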


New Packages:

i686:

    openssl-1.0.1e-37.66.amzn1.i686

    openssl-static-1.0.1e-37.66.amzn1.i686

    openssl-perl-1.0.1e-37.66.amzn1.i686

    openssl-devel-1.0.1e-37.66.amzn1.i686

    openssl-debuginfo-1.0.1e-37.66.amzn1.i686

x86_64:

    openssl-devel-1.0.1e-37.66.amzn1.x86_64

    openssl-1.0.1e-37.66.amzn1.x86_64

    openssl-debuginfo-1.0.1e-37.66.amzn1.x86_64

    openssl-perl-1.0.1e-37.66.amzn1.x86_64

    openssl-static-1.0.1e-37.66.amzn1.x86_64