2014/9/25 4:00 PM PDT - Update -
We have reviewed CVE-2014-6271 and CVE-2014-7169 and have determined that our APIs and backends are not affected, and except as noted below, our services are not affected.
These two CVEs affect the standard bash login shell, which is broadly deployed and used on Linux hosts. We recommend customers check all their Linux hosts to verify that they have up-to-date versions of the bash shell installed.
If you are using Amazon Linux, instances of the default Amazon Linux AMI launched after 2014/9/14 @12:30 PDT will have automatically installed these updates. For more information on updating Amazon Linux, see https://alas.aws.amazon.com/ALAS-2014-419.html
If you use one of the services listed below, please follow the instructions for each service you use to ensure your software is up to date.
Amazon Elastic MapReduce (EMR) – https://forums.aws.amazon.com/ann.jspa?annID=2630
AWS Elastic Beanstalk – https://forums.aws.amazon.com/ann.jspa?annID=2629
AWS OpsWorks and AWS CloudFormation customers should update their instance software according to these instructions:
Amazon Linux AMI: https://alas.aws.amazon.com/ALAS-2014-419.html
Ubuntu Server: http://www.ubuntu.com/usn/usn-2363-2/
Red Hat Enterprise Linux: https://access.redhat.com/security/cve/CVE-2014-7169
SuSE Linux Enterprise Server: http://support.novell.com/security/cve/CVE-2014-7169.html
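A local check for the recommendation above to verify that Linux hosts have an up-to-date bash, added here as an example and not taken from AWS or the linked advisories. It goes beyond the package-update instructions by probing each bash binary on the host with the widely published harmless test strings for CVE-2014-6271 and CVE-2014-7169; check_bash, check_all and SHELLSHOCK_MARKER are names chosen for this example.

```shell
#!/bin/sh
# Added example (not AWS code). check_bash, check_all and SHELLSHOCK_MARKER
# are names chosen for this illustration.

# Print "patched", "vulnerable" or "skip" for one bash binary.
check_bash() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo skip; return 2; }
    status=patched

    # CVE-2014-6271: an affected bash runs the text that follows a function
    # definition in an environment variable, so the marker gets printed.
    p1='() { :;}; echo SHELLSHOCK_MARKER'
    out=$(env "probe=$p1" "$bash_bin" -c 'echo ok' 2>/dev/null) || true
    case $out in *SHELLSHOCK_MARKER*) status=vulnerable ;; esac

    # CVE-2014-7169: an affected bash is left with a stray redirection and
    # creates a file named "echo" in the working directory.
    p2='() { (a)=>\'
    tmp=$(mktemp -d) || return 2
    (cd "$tmp" && env "probe=$p2" "$bash_bin" -c 'echo date' >/dev/null 2>&1) || true
    [ -e "$tmp/echo" ] && status=vulnerable
    rm -rf "$tmp"

    echo "$status"
    [ "$status" = patched ]
}

# Check the bash on PATH plus every bash listed in /etc/shells.
check_all() {
    rc=0
    for b in $( { command -v bash; grep '/bash$' /etc/shells 2>/dev/null; } | sort -u ); do
        result=$(check_bash "$b") || [ "$result" = skip ] || rc=1
        echo "$b: $result"
    done
    return $rc
}

check_all || echo "Affected bash found: update the bash package (Amazon Linux: sudo yum update bash)"
```

Run it again after updating to confirm that every listed binary reports patched.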
2014/9/24 4:00 PM PDT - Update -
For CVE-2014-6271, the following requires action from our customers:
Amazon Linux AMI – A fix for CVE-2014-6271 has been pushed to the Amazon Linux AMI repositories, with a severity rating of Critical.
Our security bulletin for this issue is here: https://alas.aws.amazon.com/ALAS-2014-418.html
By default, new Amazon Linux AMI launches will install this security update automatically.
For existing Amazon Linux AMI instances, you will need to run the command:
sudo yum update bash
The above command will install the update. Depending on your configuration, you may need to run the following command:
sudo yum clean all
For more information, please see https://aws.amazon.com/amazon-linux-ami/faqs/#auto_update
We will continue to provide updates in this security bulletin.
2014/9/24 9:00 AM PDT
We are aware of CVE-2014-6271, made public September 24th at 7 AM PDT. We are currently reviewing AWS environments and will update this bulletin with more details shortly.