September 29, 2009
A vulnerability in certain versions of the Linux kernel allows local users to gain privilege. In response, EC2 has released patched 2.6.18 and 2.6.21 kernels (AKI) and ramdisks (ARI). We suggest that EC2 users update their AMIs and relaunch their affected instances to take advantage of the patched kernels.
Detailed information about the vulnerability and patch are available at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692 Note that this vulnerability affects all Linux kernels 2.6.0 through 18.104.22.168 unless patched.
To take advantage of these new kernels and ramdisks, users will need to rebuild existing AMI and update the references to both the AKI and ARI. This process is outlined in an AWS Developer-Resources tutorial: http://developer.amazonwebservices.com/connect/entry.jspa?externalID=2865
2.6.21 kernels are available as:
The appropriate modules are in ec2-downloads and the full source is here: http://ec2-downloads.s3.amazonaws.com/linux-22.214.171.124-2.fc8xen-ec2-v1.0-src.tgz
2.6.18 kernels are available as:
The appropriate modules are in ec2-downloads and the full source is here: http://ec2-downloads.s3.amazonaws.com/xen-3.1.0-src-ec2-v1.2.tgz