August 16, 2018 2:45 PM PDT
CVE Identifiers: CVE-2018-3620, CVE-2018-3646
Intel has published a security advisory (INTEL-SA-00161) regarding a new side-channel analysis method concerning their processors called "L1 Terminal Fault" (L1TF). AWS has designed and implemented its infrastructure with protections against these types of attacks, and has also deployed additional protections for L1TF. All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.
Updated kernels for Amazon Linux AMI 2017.09 (ALAS-2018-1058), Amazon Linux AMI 2018.03 (ALAS-2018-1058), and Amazon Linux 2 (ALAS-2018-1058) are available in the respective repositories. As a general security best practice, we recommend that customers patch their operating systems or software as relevant patches become available to address emerging side-channel issues.
We have released new versions of the Amazon Linux and Amazon Linux 2 AMIs that automatically include the updated kernel. AMI IDs for images with the updated kernels can be found at Amazon Linux 2018.03 AMI IDs, Amazon Linux 2 AMI IDs, and in the AWS Systems Manager Parameter Store.
Meanwhile, we suggest using the stronger security and isolation properties of EC2 instances rather than relying on operating system process boundaries or containers when workloads execute with different security privileges.