You are viewing a previous version of this security bulletin. For the most current version please visit: "Container Security Issue (CVE-2019-5736)".

February 11, 2019 7:00 AM PST

CVE Identifier: CVE-2019-5736

AWS is aware of the recently disclosed security issue in runc and similar container runtimes used by several open-source container management systems, including Docker (CVE-2019-5736). A malicious container image, or a process that has gained control inside a running container, can use the flaw to overwrite the host's runc binary and then run code as root on the host the next time runc is invoked. With the exception of the AWS services listed below, no customer action is required to address this issue.

Amazon Linux

An updated version of Docker is available for Amazon Linux 2 (ALAS-2019-1156) and Amazon Linux AMI 2018.03 repositories (ALAS-2019-1156). AWS recommends that customers using Docker in Amazon Linux launch new instances from the latest AMI version. Further information is available in the Amazon Linux Security Center.

Amazon Elastic Container Service (Amazon ECS)

Updated Amazon ECS Optimized AMIs, including the Amazon Linux AMI, the Amazon Linux 2 AMI, and the GPU-Optimized AMI, will be available on February 11th, 2019. We will update this bulletin when updated AMIs are available. As a general security best practice, we recommend that ECS customers update their configurations to launch new container instances from the latest AMI version. Customers should replace existing container instances with the new AMI version to address the issue described above. Instructions on how to do so can be found in the ECS documentation for the Amazon Linux AMI, the Amazon Linux 2 AMI, and the GPU-Optimized AMI.

Linux customers who do not use the ECS Optimized AMI are advised to consult with the vendor of the alternative / third-party operating system, software, or AMI for updates and instructions as needed. Instructions about Amazon Linux are available in the Amazon Linux Security Center.

Amazon Elastic Container Service for Kubernetes (Amazon EKS)

An updated Amazon EKS Optimized AMI will be available on February 11th, 2019. We will update this bulletin when updated AMIs are available. As a general security best practice, we recommend that EKS customers update their configurations to launch new worker nodes from the latest AMI version. Customers should replace existing worker nodes with the new AMI version to address the issue described above. Instructions on how to update worker nodes can be found in the EKS documentation.

Linux customers who do not use the EKS Optimized AMI should contact their operating system vendor for the updates necessary to address these issues. Instructions about Amazon Linux are available in the Amazon Linux Security Center.

AWS Fargate

An updated version of Fargate is available for Platform Version 1.3 that mitigates the issues described in CVE-2019-5736. Patched versions of the older Platform Versions (1.0.0, 1.1.0, 1.2.0) will be made available by March 15th, 2019.

Customers running Fargate services should call UpdateService with forceNewDeployment enabled (the "--force-new-deployment" option of "aws ecs update-service") so that the service relaunches all of its tasks on the latest Platform Version 1.3; a service pinned to an explicit older platform version also needs its platform version changed to 1.3.0 or LATEST in the same call. Customers running standalone tasks should stop the existing tasks and launch new ones on the latest version. Specific instructions can be found in the Fargate update documentation.

All tasks that are not upgraded to a patched version will be retired by April 19th, 2019. Customers that use standalone tasks must launch new tasks to replace those that are retired. Additional details can be found in the Fargate Task Retirement documentation.
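The Fargate procedure above, scripted as an added example (this is not code from the AWS bulletin). It assumes the AWS CLI is installed with credentials and a region configured, that describe-tasks reports each task's resolved platform version (1.2.0 rather than LATEST), and that the three older platform versions the bulletin lists (1.0.0, 1.1.0, 1.2.0) are exactly the ones to move off. Tasks that belong to a service are handled by forcing a new deployment of that service on 1.3.0; standalone tasks are stopped so they can be relaunched:

```sh
#!/bin/sh
# Added example, not part of the AWS bulletin: walk one ECS cluster and apply the
# bulletin's Fargate guidance to every RUNNING task still on an older Platform Version.
#   - tasks started by a service  -> `aws ecs update-service --force-new-deployment`
#   - standalone tasks            -> `aws ecs stop-task`, to be relaunched on 1.3
# Assumes the AWS CLI is installed and credentials/region are configured.
set -eu

TARGET_PV="1.3.0"   # the patched Platform Version 1.3 named in the bulletin

# needs_remediation PV: succeed when PV is one of the older Fargate platform
# versions the bulletin lists (1.0.0, 1.1.0, 1.2.0). Assumes describe-tasks
# reports a resolved version, so "LATEST" or 1.3.0 is treated as up to date.
needs_remediation() {
    case "$1" in
        1.0.0|1.1.0|1.2.0) return 0 ;;
        *)                 return 1 ;;
    esac
}

# classify_task ARN PV GROUP: print "service NAME" or "standalone ARN" when the
# task needs remediation, nothing otherwise. ECS sets a task's group to
# "service:NAME" for tasks it started on behalf of a service.
classify_task() {
    needs_remediation "$2" || return 0
    case "$3" in
        service:*) printf 'service %s\n' "${3#service:}" ;;
        *)         printf 'standalone %s\n' "$1" ;;
    esac
}

# remediate_cluster CLUSTER: list RUNNING Fargate tasks, classify each, then act
# once per affected service and once per affected standalone task.
remediate_cluster() {
    cluster="$1"
    aws ecs list-tasks --cluster "$cluster" --launch-type FARGATE \
        --desired-status RUNNING --query 'taskArns[]' --output text |
    tr '\t' '\n' | sed -n '/^arn:/p' |
    while read -r arn; do
        aws ecs describe-tasks --cluster "$cluster" --tasks "$arn" \
            --query 'tasks[0].[taskArn,platformVersion,group]' --output text
    done |
    while read -r arn pv group; do
        classify_task "$arn" "$pv" "$group"
    done | sort -u |
    while read -r kind target; do
        case "$kind" in
            service)
                echo "forcing new deployment of service $target on $TARGET_PV"
                aws ecs update-service --cluster "$cluster" --service "$target" \
                    --platform-version "$TARGET_PV" --force-new-deployment >/dev/null ;;
            standalone)
                echo "stopping standalone task $target; relaunch it on $TARGET_PV"
                aws ecs stop-task --cluster "$cluster" --task "$target" \
                    --reason "CVE-2019-5736 platform version refresh" >/dev/null ;;
        esac
    done
}

# Only touch AWS when a cluster name is given; the functions above are usable on their own.
if [ $# -ge 1 ]; then remediate_cluster "$1"; fi
```

Run it as ./fargate-refresh.sh CLUSTER_NAME. Passing --platform-version 1.3.0 to update-service matters for services pinned to an older version; a service configured with LATEST would resolve to 1.3 on a forced deployment anyway. Stopping a standalone task does not relaunch it, so follow up with run-task on the new platform version.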

AWS IoT Greengrass

Updated versions of AWS IoT Greengrass core will be available on February 11th, 2019. This bulletin will be updated when patched versions become available. The updated versions require features available in Linux kernel version 3.17 or greater (the runc fix re-executes runc from a sealed in-memory copy of its own binary using memfd_create, which was introduced in Linux 3.17). Instructions on how to update your kernel can be found here.

As a general security best practice we recommend that customers running any version of Greengrass core upgrade to version 1.7.1. Instructions for updating over-the-air can be found here.

AWS Batch

An updated Amazon ECS Optimized AMI will be available February 11th, 2019, as the default Compute Environment AMI. This bulletin will be updated when the AMI is available. As a general security best practice we recommend that Batch customers replace their existing Compute Environments with the latest AMI after it is available. If a Batch customer needs to update immediately, they are advised to override the default AMI with the latest ECS Optimized AMI when creating a Compute Environment. Instructions for replacing the Compute Environment are available in the Batch product documentation.

Batch customers who do not use the default AMI should contact their operating system vendor for the updates necessary to address these issues. Instructions for Batch custom AMI are available in the Batch product documentation.

AWS Elastic Beanstalk

Updated AWS Elastic Beanstalk Docker-based platforms will be available February 11th, 2019. This bulletin will be updated when the new platform versions are available. Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no action required. Customers can also update immediately by going to the Managed Updates configuration page and clicking on the "Apply Now" button. Customers who have not enabled Managed Platform Updates can update their environment's platform version by following instructions here.

AWS Cloud9

An updated version of the AWS Cloud9 environment with Amazon Linux is available. By default, customers will have security patches applied on first boot. Customers who have existing EC2-based AWS Cloud9 environments should launch new instances from the latest AWS Cloud9 version. Further information is available in the Amazon Linux Security Center.

AWS Cloud9 customers who use SSH environments that are not built with Amazon Linux should contact their operating system vendor for the updates necessary to address these issues.

Amazon SageMaker

An updated version of Amazon SageMaker is available. Customers are not affected if they use only Amazon SageMaker's default algorithm containers or framework containers for training, tuning, batch transform, or endpoints; if they run only labeling or compilation jobs; or if they do not run Docker containers in Amazon SageMaker notebooks. All Amazon SageMaker notebooks launched on February 11th or later on CPU instances include the latest updates, and all endpoints and labeling, training, tuning, compilation, and batch transform jobs launched on February 11th or later include the latest update; no customer action is required for these.

AWS recommends that customers running training, tuning, and batch transform jobs with custom code created before February 11th stop and restart those jobs to pick up the latest update. This can be done from the Amazon SageMaker console or by following the instructions here.

Amazon SageMaker automatically updates all endpoints that are in-service to the latest software every four weeks. All endpoints created before February 11th are expected to be updated by March 11th. If there are any issues with the automatic updates and customers are required to take action to update their endpoints, Amazon SageMaker will publish a notification in the customers’ Personal Health Dashboard. Customers who wish to update their endpoints sooner can manually update their endpoints from the Amazon SageMaker console or by using the UpdateEndpoint API action at any time. We recommend that customers who have endpoints with autoscaling enabled take the additional precaution of following the instructions here.

AWS recommends that customers running Docker containers in Amazon SageMaker notebooks running with CPU instances stop and start their Amazon SageMaker notebook instances to get the latest available software. This can be done from the Amazon SageMaker console. Alternately, customers can first stop the notebook instance using the StopNotebookInstance API and then start the notebook instance using the StartNotebookInstance API.

An updated version of Amazon SageMaker notebooks with GPU instances will be available shortly after the Nvidia patches are released. This bulletin will be updated when an updated version is available. Customers running Docker containers on notebooks with GPU instances can take preventative action by stopping their notebook instances now, from the console or with the StopNotebookInstance API, and starting them again with StartNotebookInstance once the updated version is available.

AWS RoboMaker

An updated version of AWS RoboMaker development environment will be available shortly after Canonical and Docker release patches. This bulletin will be updated when the update is available. As a general security best practice, AWS recommends that customers using RoboMaker development environments keep their Cloud9 environments updated to the latest version.

An updated version of AWS IoT Greengrass core will be available on February 11th, 2019. This bulletin will be updated when the updated version is available. All customers using RoboMaker Fleet Management should upgrade Greengrass core to the latest version once the updated Greengrass core is available. Customers should follow these instructions to receive the update.

AWS Deep Learning AMI

AWS recommends that customers who have used Docker with their Deep Learning AMI or Deep Learning Base AMI on Amazon Linux launch new instances of the latest AMI version and run the following command to upgrade Docker:

sudo yum upgrade docker

An updated version of the Deep Learning Base AMI and Deep Learning AMI will be available for download after all relevant security patches are released. This bulletin will be updated when the new AMIs are available.

Additional information is available in the Amazon Linux Security Center.

After Docker updates on Ubuntu are released for the issues outlined in CVE-2019-5736, AWS recommends that customers who have used Docker with their Deep Learning AMI or Deep Learning Base AMI on Ubuntu launch new instances of the latest AMI version and follow these instructions to upgrade Docker (ensure that all the installation steps are followed):

https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-using-the-repository
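A post-upgrade check for the Amazon Linux and Ubuntu hosts described above, added here as an example rather than taken from the bulletin. The bulletin does not state the fixed package versions, so the minimum is an input: take it from ALAS-2019-1156 for the Amazon Linux docker package or from Docker's release notes for the Ubuntu docker-ce package. The comparison extracts the numeric components of a package version string (a Debian epoch, the "ce" suffix and distribution tags are ignored), so compare against a minimum written in the same packaging format as the installed package:

```sh
#!/bin/sh
# Added verification example (not from the AWS bulletin). After `sudo yum upgrade docker`
# on Amazon Linux, or the apt-based reinstall on Ubuntu, confirm that the installed
# Docker package is at or above the version your distribution's advisory names as fixed.
# The minimum version is an argument; the bulletin does not state it.
set -eu

# numeric_runs VERSION: drop a leading Debian epoch ("5:") and print every run of
# digits on its own line, e.g. "18.06.1ce-7.25.amzn1" -> 18 06 1 7 25 1.
numeric_runs() {
    printf '%s' "$1" | sed 's/^[0-9]*://' | tr -c '0-9' '\n' | sed '/^$/d'
}

# version_ge A B: succeed when A >= B, comparing numeric runs as integers position
# by position; missing trailing components count as 0. This is an approximation of
# rpm/dpkg version ordering that is adequate for "at least the advisory version".
version_ge() {
    awk -v a="$(numeric_runs "$1" | tr '\n' ' ')" -v b="$(numeric_runs "$2" | tr '\n' ' ')" 'BEGIN {
        na = split(a, x, " "); nb = split(b, y, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# installed_docker_version: print the package version of docker (rpm, Amazon Linux)
# or docker-ce (deb, Ubuntu), whichever is installed.
installed_docker_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q docker >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' docker
    elif command -v dpkg-query >/dev/null 2>&1 && dpkg-query -W docker-ce >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' docker-ce
    else
        echo "no docker package found (rpm 'docker' or deb 'docker-ce')" >&2
        return 1
    fi
}

# check_docker MINIMUM: exit 0 when the installed package is at or above MINIMUM,
# 1 when it is older, 2 when no package could be found.
check_docker() {
    installed=$(installed_docker_version) || return 2
    if version_ge "$installed" "$1"; then
        echo "OK: docker $installed is at or above $1"
    else
        echo "NOT FIXED: docker $installed is older than $1; upgrade, then relaunch from the latest AMI" >&2
        return 1
    fi
}

# Only query the host when a minimum version is given; the helpers are usable on their own.
if [ $# -ge 1 ]; then check_docker "$1"; fi
```

Run it on the host as ./check-docker.sh MINIMUM_VERSION. The exit status is 0 only when the installed package is at or above the minimum. This is a package-version check, so it is only as good as the fixed version you take from the vendor advisory; even when it passes, the bulletin's recommendation to launch new instances from the latest AMI still stands.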

AWS also recommends that customers monitor the Security Bulletin from Nvidia for updates to nvidia-docker2 and related products.