This is an update for this issue.
Binaries of AWS IoT Greengrass Core V1 (1.10.4 and 1.11.3) with patched runC are now available for download (https://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html). An updated Greengrass V2 Lambda Launcher v2.0.6 (https://docs.aws.amazon.com/greengrass/v2/developerguide/lambda-launcher-component.html) is also available in the AWS IoT console. We recommend Greengrass customers upgrade to the latest binaries and Lambda Launcher to incorporate the latest runC patch.
You are viewing a previous version of this security bulletin.
AWS is aware of the recently disclosed security issue in runC which is a component of many container management systems (CVE-2021-30465). With the exception of the AWS services listed below, no customer action is required to address this issue.
Amazon Elastic Container Service (Amazon ECS)
Amazon ECS has released updated ECS-optimized Amazon Machine Images (AMIs) with the patched container runtime on May 21, 2021. More information about the ECS-optimized AMI is available at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html.
To resolve this issue in the meantime, we recommend that ECS customers perform a yum update --security to obtain this patch. More information is available at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-updates.html.
Amazon Elastic Kubernetes Service (Amazon EKS)
Amazon EKS has released updated EKS-optimized Amazon Machine Images (AMIs) with the patched container runtime. More information about the EKS-optimized AMI is available at https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
We recommend that EKS customers replace all worker nodes to use the latest EKS-optimized AMI version. Instructions on updating worker nodes are available at https://docs.aws.amazon.com/eks/latest/userguide/update-workers.html.
Amazon has released Bottlerocket AMIs and in-place updates. Updating to the latest in-place update or replacing instances with the latest AMIs will resolve this issue.
If you are using the Bottlerocket Update Operator for Kubernetes, you should expect nodes to begin updating within one day and all nodes within one week. Customers can upgrade faster manually via two API calls: apiclient set updates.ignore-waves=true and apiclient update apply --check --reboot. Once updates are completed, revert to the default setting with apiclient set updates.ignore-waves=false.
Amazon Linux and Amazon Linux 2
An updated version of runc is available for Amazon Linux 2 extras repositories (*runc-1.0.0-0.2.20210225.git12644e6.amzn2*) and Amazon Linux AMI 2018.03 repositories (*runc-1.0.0-0.2.20210225.git12644e6.3.amzn1*). AWS recommends that customers using containers in Amazon Linux update to the latest version of runc and restart any running containers.
An updated version of the AWS Cloud9 environment with Amazon Linux is available. By default, customers will have security patches applied on first boot. Customers who have existing EC2-based AWS Cloud9 environments should launch new instances from the latest AWS Cloud9 version. Further information is available in the Amazon Linux Security Center (https://alas.aws.amazon.com/).
AWS Cloud9 customers who use SSH environments that are not built with Amazon Linux should contact their operating system vendor for the updates necessary to address these issues.
AWS IoT Greengrass
Updated AWS IoT Greengrass Core V1 binaries and Greengrass V2 Lambda Launcher will be available by June 15th as the latest versions of Greengrass. This bulletin will be updated once the patches are available.
Greengrass uses the runC library to execute Lambda functions inside an OCI compliant container on Greengrass Core devices. The Lambda functions deployed to Greengrass Cores are provided to Greengrass via authenticated authorized cloud APIs, authenticated authorized local CLI (if enabled), or through local root access. This means that Greengrass will only deploy and execute Lambda functions that were intended, and no action is necessary as long as Lambda functions are deployed from trusted sources. As a best practice, customers should only deploy Lambdas from trusted sources.
AWS Deep Learning AMI
Updated versions of the Deep Learning Base AMI and Deep Learning AMI for Amazon Linux and Amazon Linux2 are available in the AWS EC2 console and AWS Marketplace. AWS recommends that customers who have used Docker with their Deep Learning Base AMI or Deep Learning AMI launch new instances of the latest AMI version (v35.0 or later for Deep Learning Base AMI on Amazon Linux, v38.0 or later for Deep Learning Base AMI on Amazon Linux2, v45.0 or later for Deep Learning Base AMI on Amazon Linux and Amazon Linux2). Additional information is available in the Amazon Linux Security Center.
After AMI Update:
An updated Amazon ECS Optimized AMI is available as the default Compute Environment AMI. We recommend that Batch customers replace their existing Compute Environments with the latest available AMI. Instructions for replacing the Compute Environment are available in the Batch product documentation
Batch customers who do not use the default AMI should contact their operating system vendor for the updates necessary to address these issues. Instructions for Batch custom AMI are available in the Batch product documentation (https://docs.aws.amazon.com/batch/latest/userguide/create-batch-ami.html).
AWS Elastic Beanstalk
Updated AWS Elastic Beanstalk Docker-based platform versions are available. We recommend customers update immediately by going to the Managed Updates configuration page and clicking on the "Apply Now" button. Customers who have not enabled Managed Platform Updates can update their environment's platform version by following instructions here. Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no action required. Release notes are also available.