Third Update: 2016/04/21 - 10:00 AM PDT
Second Update: 2016/04/18 - 10:00 AM PDT
First Update: 2016/04/14 - 6:30 AM PDT
Original Bulletin: 2016/04/12 - 10:30 AM PDT

 

We have reviewed all AWS services for impact by CVE-2016-2118 (Samba) and CVE-2016-0128 (Microsoft), also known as "Badlock." With the exception of the services listed below, we have been able to verify that AWS services are unaffected.

 

Directory Service

Simple AD and Microsoft AD directories have been patched. We have determined that AD Connector directories are unaffected. No customer action is required.

EC2 Windows

We have updated the default Windows Server AMI — customers who launch new EC2 instances using the default Windows Server AMI on or after 2016/04/20 will already have the necessary update installed.

AWS customers running Windows instances on EC2 who have enabled the "Automatic Updates" feature within Windows are not required to take immediate action. Windows Automatic Updates should download and install the necessary update, which will subsequently address this concern for Windows.

AWS customers running Windows instances on EC2 who have not enabled the "Automatic Updates" feature should manually install the necessary update by following the instructions here:

http://windows.microsoft.com/en-us/windows7/install-windows-updates

WorkSpaces

We are actively patching the default WorkSpaces image that is used on initial launch. We will update this security bulletin when the default image has been patched.

WorkSpaces enables Windows Automatic Updates by default, so customers who have not changed the Automatic Update settings will not need to take any immediate action. Customers who have changed the default update settings in their WorkSpace should manually install the necessary update by following the instructions here:

http://windows.microsoft.com/en-us/windows7/install-windows-updates

Amazon Linux AMI (Samba package)

An updated Samba package is available within the Amazon Linux repositories. Instances launched with the default Amazon Linux configuration on or after 2016/04/13 will automatically include the updated package. Customers with existing Amazon Linux AMI instances should run the following command to ensure they receive the updated package:

   yum update samba

More information on the updated Amazon Linux package is available at the Amazon Linux AMI Security Center.