You are viewing a previous version of this security bulletin. For the most current version please visit: "Processor Speculative Execution Research Disclosure".

Concerning: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Update As Of: 2018/01/12 17:00 PST

This is an update for this issue.

A second kernel release for Amazon Linux has been made available, which addresses KPTI bugs and improves mitigations for CVE-2017-5754. Customers must upgrade to the latest Amazon Linux kernel or AMI to effectively mitigate process-to-process concerns of CVE-2017-5754 within their instance. See “Amazon Linux AMI” information further below.  

Please see “PV Instance Guidance” information further below concerning para-virtualized (PV) instances.

Amazon EC2

All instances across the Amazon EC2 fleet are protected from all known instance-to-instance concerns of the CVEs previously listed. Instance-to-instance concerns assume an untrusted neighbor instance could read the memory of another instance or the AWS hypervisor. This issue has been addressed for AWS hypervisors, and no instance can read the memory of another instance, nor can any instance read AWS hypervisor memory. As we’ve stated, we haven’t observed meaningful performance impact for the overwhelming majority of EC2 workloads.

We have identified a small number of instance and application crashes caused by the Intel microcode updates, and are working directly with affected customers. We have just completed deactivating portions of the new Intel CPU microcode on the AWS platforms where we were seeing these issues, which appears to have resolved the crashes for those instances. All instances across the Amazon EC2 fleet remain protected from all known threat vectors. The disabled Intel microcode provided additional protections against theoretical threat vectors from CVE-2017-5715. We expect to reactivate these additional protections (along with some additional performance optimizations we have been working on) in the near future, once Intel provides updated microcode.

Recommended Customer Actions for AWS Batch, Amazon EC2, Amazon Elastic Beanstalk, Amazon Elastic Container Service, Amazon Elastic MapReduce, and Amazon Lightsail

While all customer instances are protected as described above, we recommend that customers patch their instance operating systems to isolate software running within the same instance and mitigate process-to-process concerns of CVE-2017-5754. For more details, refer to specific vendor guidance on patch availability and deployment.

Specific vendor guidance:

For operating systems not listed, customers should consult with their operating system or AMI vendor for updates and instructions.

PV Instance Guidance

After ongoing research and detailed analysis of the operating system patches available for this issue, we have determined that operating system protections are insufficient to address process-to-process concerns within para-virtualized (PV) instances. While PV instances are protected by AWS hypervisors from any instance-to-instance concerns as described above, customers concerned with process isolation within their PV instances (e.g., those that process untrusted data, run untrusted code, or host untrusted users) are strongly encouraged to migrate to HVM instance types for longer-term security benefits.

For more information on the differences between PV and HVM (as well as instance upgrade path documentation), please see:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/virtualization_types.html

Please engage Support if you require assistance with an upgrade path for any PV instances.

Updates to other AWS services

The following services required patching of EC2 instances that AWS manages on behalf of customers. That work is complete, and no customer action is required:

  • Fargate
  • Lambda

Unless otherwise discussed below, all other AWS services do not require customer action.

Amazon Linux AMI (Bulletin ID: ALAS-2018-939)

An updated kernel for Amazon Linux is available within the Amazon Linux repositories. EC2 instances launched with the default Amazon Linux configuration on or after January 8th, 2018 will automatically include the updated package, which addresses KPTI bugs and improves mitigations for CVE-2017-5754.

NOTE: Customers must upgrade to the latest Amazon Linux kernel or AMI to effectively mitigate CVE-2017-5754 within their instance. We will continue to provide Amazon Linux improvements and updated Amazon Linux AMIs; incorporating open source Linux community contributions that address this issue as they become available.

Customers with existing Amazon Linux AMI instances should run the following command to ensure they receive the updated package:

sudo yum update kernel

As is standard for any update of the Linux kernel, after the yum update is complete, a reboot is required for updates to take effect.

More information on this bulletin is available at the Amazon Linux AMI Security Center.

For Amazon Linux 2, please follow instructions for Amazon Linux described above.
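The bulletin's procedure is "yum update kernel, then reboot", but it does not show how to confirm that an instance actually rebooted into the new kernel and that KPTI is active. The following script is an added example written for this page; it is not part of the AWS bulletin or of Amazon Linux. It assumes an rpm/yum-based instance (Amazon Linux, the ECS Optimized AMI, or EMR nodes all qualify) and that the running kernel either exposes /sys/devices/system/cpu/vulnerabilities/meltdown or logs "Kernel/User page tables isolation: enabled" at boot; which of the two a given kernel build provides is an assumption checked at run time, not a fact stated by the bulletin.

```bash
#!/bin/bash
# Added example, not AWS code: verify that an Amazon Linux instance has taken
# the updated kernel package AND rebooted into it, and report the Meltdown
# (CVE-2017-5754) mitigation status the kernel itself exposes.
# Assumptions (mine, not the bulletin's): rpm/yum package management; the
# kernel provides either the sysfs "vulnerabilities" directory or the KPTI
# boot message in dmesg.

set -u

# Newest installed kernel package version, e.g. "4.9.76-3.78.amzn1.x86_64".
# "rpm --last" lists the most recently installed package first.
newest_installed_kernel() {
    rpm -q kernel --last 2>/dev/null | awk 'NR==1 { sub(/^kernel-/, "", $1); print $1 }'
}

# True (exit 0) when the newest installed kernel differs from the running
# one: the yum update has landed but the reboot has not happened yet.
# Args: running kernel (output of "uname -r"), newest installed kernel.
reboot_needed() {
    running="$1"
    installed="$2"
    [ -n "$installed" ] && [ "$running" != "$installed" ]
}

# Print the Meltdown mitigation status. Prefers the sysfs file; falls back to
# the KPTI boot message for kernels that predate the sysfs interface.
# Arg 1: directory holding the "meltdown" file (default: real sysfs path).
# Arg 2: file with kernel boot messages (default: live dmesg output).
meltdown_status() {
    vulndir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    bootlog="${2:-}"
    if [ -r "$vulndir/meltdown" ]; then
        cat "$vulndir/meltdown"          # e.g. "Mitigation: PTI" or "Vulnerable"
        return 0
    fi
    if [ -n "$bootlog" ]; then
        log="$(cat "$bootlog" 2>/dev/null)"
    else
        log="$(dmesg 2>/dev/null)"
    fi
    case "$log" in
        *"Kernel/User page tables isolation: enabled"*) echo "Mitigation: PTI (boot log)" ;;
        *) echo "Unknown: no sysfs entry and no KPTI boot message" ;;
    esac
}

# Exit 0 only when the running kernel is the newest installed one AND the
# kernel reports an active mitigation; otherwise explain what is missing.
check_instance() {
    running="$(uname -r)"
    installed="$(newest_installed_kernel)"
    if reboot_needed "$running" "$installed"; then
        echo "kernel $installed is installed but $running is still running: reboot required"
        return 1
    fi
    status="$(meltdown_status)"
    echo "running kernel: $running"
    echo "meltdown: $status"
    case "$status" in
        Mitigation:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on the instance, after "sudo yum update kernel":
#   ./check-kpti.sh --check || sudo reboot
if [ "${1:-}" = "--check" ]; then
    check_instance
    exit $?
fi
```

The installed-versus-running comparison is the check that matters at fleet scale: a host that has been updated but not rebooted looks patched to "yum list installed" while still running the old kernel. The "Vulnerable" and "Unknown" outcomes are deliberately distinct, since an old kernel that lacks the sysfs interface is not evidence of a mitigation either way.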

EC2 Windows

We have updated the AWS Windows AMIs, which are now available for customers to use. These AMIs have the necessary patch installed and the registry keys that enable its protections set.

Microsoft has provided Windows patches for Server 2008R2, 2012R2 and 2016. For Server 2016, the patch is available through the built-in Windows Update service. We are awaiting information from Microsoft on patch availability for Server 2003, 2008SP2 and 2012RTM.

AWS customers running Windows instances on EC2 that have "Automatic Updates" enabled should run automatic updates to download and install the necessary update for Windows when it is available.

Please note that the Server 2008R2 and 2012R2 patches are currently unavailable through Windows Update and require manual download. Microsoft previously advised that these patches would be available on Tuesday, January 9th; we are still awaiting information on their availability.

AWS customers running Windows instances on EC2 that do not have “Automatic Updates” enabled should manually install the necessary update when it is available by following the instructions here: http://windows.microsoft.com/en-us/windows7/install-windows-updates.

Please note, for Windows Server, additional steps are required by Microsoft to enable their update’s protective features for this issue, described here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution.

ECS Optimized AMI

We have released Amazon ECS Optimized AMI version 2017.09.f which incorporates all Amazon Linux protections for this issue, including the second Amazon Linux kernel update mentioned above. We advise all Amazon ECS customers to upgrade to this latest version which is available in the AWS Marketplace. We will continue to incorporate Amazon Linux improvements as they become available.

Customers that choose to update existing ECS Optimized AMI instances in place should run the following command to ensure they receive the updated package:

sudo yum update kernel

As is standard for any update of the Linux kernel, after the yum update is complete, a reboot is required for updates to take effect.

Linux customers who do not use the ECS Optimized AMI are advised to consult with the vendor of any alternative / third-party operating system, software, or AMI for updates and instructions as needed. Instructions about Amazon Linux are available in the Amazon Linux AMI Security Center.

We are updating the Amazon ECS-optimized Windows AMI, and we will update this bulletin when it is available. Microsoft has provided Windows patches for Server 2016. For details about how to apply the patches to running instances, see https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution.

Elastic Beanstalk

We have updated all Linux-based platforms to include all Amazon Linux protections for this issue. See the release notes for specific platform versions. We advise Elastic Beanstalk customers to update their environments to the latest available platform version. Environments using Managed Updates will be automatically updated during the configured maintenance window.

Windows-based platforms have also been updated to include all EC2 Windows protections for this issue. Customers are advised to update their Windows-based Elastic Beanstalk environments to the latest available platform configuration.

EMR

Amazon EMR launches clusters of Amazon EC2 instances running Amazon Linux on behalf of customers into the customer’s account. Customers concerned with process isolation within the instances of their Amazon EMR clusters should upgrade to the latest Amazon Linux kernel as recommended above. We are in the process of incorporating the latest Amazon Linux kernel into a new minor release on the 5.11.x branch and 4.9.x branch. Customers will be able to create new Amazon EMR clusters with these releases. We will update this bulletin as these releases become available.

For current Amazon EMR releases and any associated running instances customers may have, we recommend updating to the latest Amazon Linux kernel as recommended above. For new clusters, customers can use a bootstrap action to update the Linux kernel and reboot each instance. For running clusters, customers can apply the Linux kernel update and reboot each instance in the cluster in a rolling fashion. Please note that restarting certain processes can impact running applications within the cluster.

RDS

RDS-managed customer database instances are each dedicated to only running a database engine for a single customer, with no other customer-accessible processes and no ability for customers to run code on the underlying instance. As AWS has finished protecting all infrastructure underlying RDS, process-to-kernel or process-to-process concerns of this issue do not present a risk to customers. Most database engines RDS supports have reported no known intra-process concerns at this time. Additional database engine-specific details are below, and unless otherwise noted, there is no customer action required. We will update this bulletin as more information is available.

For RDS for SQL Server Database Instances, we will release OS and database engine patches as Microsoft makes each available, allowing customers to upgrade at a time of their choosing. We will update this bulletin when either has been completed. In the meantime, customers who have enabled CLR (disabled by default) should review Microsoft's guidance on disabling the CLR extension at https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server.

For RDS PostgreSQL and Aurora PostgreSQL, DB Instances running in the default configuration currently have no customer actions required. We will provide the appropriate patches for users of plv8 extensions once they are made available. In the meantime, customers who have enabled plv8 extensions (disabled by default) should consider disabling them and review V8's guidance at https://github.com/v8/v8/wiki/Untrusted-code-mitigations.

RDS for MariaDB, RDS for MySQL, Aurora MySQL, and RDS for Oracle database instances currently have no customer actions required.

VMware Cloud on AWS

Per VMware, “The remediation as documented in VMSA-2018-0002, has been present in VMware Cloud on AWS since early December 2017.”

Please refer to the VMware Security & Compliance Blog for more details and https://status.vmware-services.io for updated status.

WorkSpaces

AWS will apply security updates released by Microsoft to most AWS WorkSpaces over the coming weekend. Customers should expect their WorkSpaces to reboot during this period.

Bring Your Own License (BYOL) customers, and customers who have changed the default update setting in their WorkSpaces should manually apply the security updates provided by Microsoft.

Please follow the instructions provided by Microsoft security advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002. The security advisory includes links to knowledge base articles for both Windows Server and Client operating systems that provide further specific information.

Updated WorkSpaces bundles will be available with the security updates soon. Customers who have created Custom Bundles should update their bundles to include the security updates themselves. Any new WorkSpaces launched from bundles that do not have the updates will receive patches soon after launch, unless customers have changed the default update setting in their WorkSpaces, in which case they should follow the above steps to manually apply the security updates provided by Microsoft.

WorkSpaces Application Manager (WAM)

We recommend that customers choose one of the following courses of action:

Option 1: Manually apply the Microsoft patches on running instances of WAM Packager and Validator by following the steps provided by Microsoft at https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution. This page provides further instructions and downloads for Windows Server.

Option 2: Rebuild new WAM Packager and Validator EC2 instances from updated AMIs for WAM Packager and Validator which will be available by end of day (2018/01/04).