You are viewing a previous version of this security bulletin. For the most current version please visit: "L1 Terminal Fault Speculative Execution Issue".

August 14, 2018 11:00 AM PDT

CVE Identifiers: CVE-2018-3620, CVE-2018-3646

Intel has published a security advisory (INTEL-SA-00161) regarding a new side-channel analysis method concerning their processors called "L1 Terminal Fault" (L1TF). AWS has designed and implemented its infrastructure with protections against these types of attacks, and has also deployed additional protections for L1TF. All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.

Updated kernels for Amazon Linux AMI 2017.09 (ALAS-2018-1058), Amazon Linux AMI 2018.03 (ALAS-2018-1058), and Amazon Linux 2 (ALAS-2018-1058) are available in the respective repositories. As a general security best practice, we recommend that customers patch their operating systems or software as relevant patches become available to address emerging side-channel issues.
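The following script is an added example, not part of the AWS bulletin: it reads the kernel's L1TF status from sysfs (kernels carrying the L1TF patches expose `/sys/devices/system/cpu/vulnerabilities/l1tf`; older kernels do not, which itself indicates the updated kernel is not yet running) and prints the `yum update kernel` step when action is needed. The sysfs path and status strings are standard Linux kernel interfaces; the Amazon Linux package name `kernel` is assumed.

```shell
#!/bin/sh
# Added example: verify that the running kernel reports an L1TF mitigation.
# Assumes a Linux kernel with the L1TF patches, which expose the sysfs entry below.
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# Classify one line of sysfs output into: mitigated | not_affected | vulnerable | unknown
classify_l1tf() {
    case "$1" in
        "Mitigation:"*)  echo mitigated ;;
        "Not affected"*) echo not_affected ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Live status; "unknown" when the sysfs entry is absent (kernel predates the L1TF patches).
l1tf_status() {
    if [ -r "$L1TF_SYSFS" ]; then
        classify_l1tf "$(cat "$L1TF_SYSFS")"
    else
        echo unknown
    fi
}

# True (exit 0) when the given status means the kernel should be updated.
needs_update() {
    case "$1" in
        mitigated|not_affected) return 1 ;;
        *)                      return 0 ;;
    esac
}

main() {
    status=$(l1tf_status)
    echo "L1TF kernel status: $status (running kernel $(uname -r))"
    if needs_update "$status"; then
        echo "Install the updated kernel from the Amazon Linux repository, then reboot:"
        echo "  sudo yum update kernel && sudo reboot"
    else
        echo "No kernel update needed for L1TF."
    fi
}

main
```

Guest kernels on EC2 typically report `Mitigation: PTE Inversion`, which is the in-guest half of the fix; the hypervisor-side protections the bulletin describes are not visible from inside the instance.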

New AMIs with the updated kernels are being prepared. This bulletin will be updated after these AMIs are available.

Meanwhile, we suggest using the stronger security and isolation properties of EC2 instances rather than relying on operating system process boundaries or containers when workloads execute with different security privileges.