CVE Identifier: CVE-2020-8558
This is an update for this issue.
AWS is aware of a security issue, recently disclosed by the Kubernetes community, affecting Linux container networking (CVE-2020-8558). This issue may allow containers running on the same host, or adjacent hosts (hosts running in the same LAN or layer 2 domain), to reach TCP and UDP services bound to localhost (127.0.0.1).
All AWS security controls to maintain isolation between customers in Amazon ECS and Amazon EKS continue to work correctly. This issue presents no risk of cross-account data access. Processes within a container on one host may be able to gain unintended network access to other containers on that same host or on other hosts within the same VPC and subnet. Customer action is required, and steps for immediate mitigation are available at https://github.com/aws/containers-roadmap/issues/976. All Amazon ECS and Amazon EKS customers should update to the latest AMI.
AWS Fargate
AWS Fargate is not affected. No customer action is required.
Amazon Elastic Container Service (Amazon ECS)
Updated Amazon ECS Optimized AMIs are now available. As a general security best practice, we recommend that ECS customers update their configurations to launch new container instances from the latest AMI version.
Customers can upgrade their AMIs by referring to the ECS documentation.
Amazon Elastic Kubernetes Service (Amazon EKS)
Updated Amazon EKS-Optimized AMIs are now available. As a general security best practice, we recommend that EKS customers update their configurations to launch new worker nodes from the latest AMI version.
Customers using Managed node groups can upgrade their node groups by referring to the EKS documentation. Customers self managing worker nodes should replace existing instances with the new AMI version by referring to the EKS documentation.
CVE Identifier: CVE-2020-8558
You are viewing a previous version of this security bulletin.
AWS is aware of a security issue, recently disclosed by the Kubernetes community, affecting Linux container networking (CVE-2020-8558). This issue may allow containers running on the same, or adjacent hosts (hosts running in the same LAN or layer 2 domain), to reach TCP and UDP services bound to localhost (127.0.0.1).
AWS Fargate is not affected. No customer action is required.
All AWS security controls to maintain isolation between customers in Amazon ECS and Amazon EKS continue to work correctly. This issue presents no risk of cross-account data access. Processes within a container on one host may be able to gain unintended network access to other containers on that same host or on other hosts within the same VPC and subnet. Customer action is required, and steps for immediate mitigation are available at: https://github.com/aws/containers-roadmap/issues/976
We will be releasing updated Amazon Machine Images for both Amazon ECS and Amazon EKS, and customers should update to these AMIs as soon as they are available.
AWS Fargate
AWS Fargate is not affected. No customer action is required.
Amazon Elastic Container Service (Amazon ECS)
Amazon ECS will be releasing updated ECS Optimized AMIs including the Amazon Linux AMI, Amazon Linux 2 AMI, GPU-Optimized AMI, ARM-Optimized AMI, and Inferentia-Optimized AMI on July 9, 2020. Updating to use one of these AMIs will mitigate the issue. We will update this bulletin when updated AMIs are available.
Amazon Elastic Kubernetes Service (Amazon EKS)
Amazon EKS will be releasing updated EKS Optimized AMIs including the Amazon Linux 2 EKS-Optimized AMI and EKS-Optimized accelerated AMI for Kubernetes 1.14, 1.15, and 1.16 on July 9, 2020. Updating to use one of these AMIs will mitigate the issue. We will update this bulletin when updated AMIs are available.