June 5, 2014
Update:
2014/06/10 9:00 AM PDT
All AWS services that were impacted by CVE-2014-0224 have been updated.
The following services that have been updated for CVE-2014-0224 will require steps from our customers to complete the update processes.
Amazon Linux AMI – An updated version of OpenSSL has been made available in our package repository. The updated package is openssl-1.0.1g-1.70.amzn1. Package openssl-1.0.1h-1.72.amzn1 has also been updated. Run “sudo yum update openssl” to update your Amazon Linux AMI Instance. Once the new package is installed, it is required that you either manually restart all services that are using openssl, or that you reboot your instance.
AWS Elastic Beanstalk – Updates completed. Please see the Elastic Beanstalk forum announcement (https://forums.aws.amazon.com/ann.jspa?annID=2509) for specific steps to finalize the update process.
Amazon Elastic MapReduce (EMR) – Updates completed. Customers using AMI 3.0 or later who wish to install the patch should run “sudo yum update openssl” on their cluster and restart any dependent services. Clusters launched after 06/05/2014 6:00 PDT will get the update automatically.
Amazon Relational Database Service (RDS) PostgreSQL Database Instances – We have completed the update to Amazon RDS for PostgreSQL database instances. The update will take effect after a reboot, which is scheduled to occur during customers’ next database instance maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the database instance will be unavailable during that time.
To have the update take effect immediately, please execute the reboot operation for your PostgreSQL database instances from the AWS Management Console. https://console.aws.amazon.com/rds
All new Amazon RDS for PostgreSQL databases deployed after 9:45 pm PDT on June 5, 2014 already have the update applied. Amazon RDS for MySQL, Oracle, and SQL Server instances have not been affected by this issue.
Amazon Redshift – We have completed the update to Amazon Redshift data warehouse clusters. The update will take effect after a reboot, which is scheduled to occur during customers’ next cluster maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the cluster will be unavailable during that time.
To have the update take effect immediately, customers can adjust their maintenance window settings from the AWS Management Console. https://console.aws.amazon.com/redshift
All new Amazon Redshift clusters deployed after 4:23 pm PDT on June 5, 2014 already have the update applied.
Amazon CloudFront – Updates completed, no customer actions required.
AWS CloudHSM – Updates completed, no customer actions required.
Amazon Elastic Load Balancing (ELB) – Updates completed, no customer actions required.
Amazon Simple Storage Service (S3) – Updates completed, no customer actions required.
Amazon Simple Notification Service (SNS) – Updates completed, no customer actions required.
Amazon Simple Queue Service (SQS) – Updates completed, no customer actions required.
All other services are not impacted.
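The Amazon Linux AMI and EMR items above require restarting every service that uses OpenSSL once “sudo yum update openssl” has run. The following added example (not part of the AWS bulletin) is one way to find processes that still map the replaced library files; it assumes a Linux /proc layout, and the function names and the sample process tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: find processes still running a pre-update OpenSSL library.
# After a package update the old libssl/libcrypto files are unlinked, so a
# process that has not been restarted shows them as "(deleted)" in its maps.

# Reads /proc/<pid>/maps-format text on stdin; succeeds if any mapping is a
# libssl or libcrypto shared object whose on-disk file has been replaced.
maps_has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)[^/ ]*\.so[^/ ]* \(deleted\)$'
}

# Walks a proc-style directory (default /proc) and prints "pid name" for
# every process whose maps still reference a deleted OpenSSL library.
stale_openssl_pids() (
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        if maps_has_stale_openssl < "$dir/maps"; then
            name="$(cat "$dir/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "${dir##*/}" "$name"
        fi
    done
)

# Constructed sample (not real data): a fake proc tree in which pid 101 was
# started before the update and pid 202 was restarted after it.
make_sample_proc() (
    root="$(mktemp -d)"
    mkdir -p "$root/101" "$root/202"
    echo nginx > "$root/101/comm"
    echo sshd > "$root/202/comm"
    echo '7f1c2a000000-7f1c2a060000 r-xp 00000000 ca:01 264312 /usr/lib64/libssl.so.1.0.1e (deleted)' \
        > "$root/101/maps"
    echo '7f9b10000000-7f9b10062000 r-xp 00000000 ca:01 271001 /usr/lib64/libssl.so.1.0.1g' \
        > "$root/202/maps"
    echo "$root"
)

sample="$(make_sample_proc)"
stale_openssl_pids "$sample"    # prints: 101 nginx
rm -rf "$sample"
```

On a live instance, run stale_openssl_pids as root with no argument to scan /proc and restart whatever it lists. The check is a heuristic: it does not detect binaries that link OpenSSL statically.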
Update:
2014/06/07 1:00 PM PDT
Here’s a status update for our services:
Amazon CloudFront – Updates completed, no customer actions required.
AWS CloudHSM – Updates completed, no customer actions required.
Amazon Elastic Load Balancing (ELB) – Updates completed, no customer actions required.
Amazon Simple Storage Service (S3) – Updates completed, no customer actions required.
Amazon Simple Notification Service (SNS) – Continuing to deploy updates.
Amazon Simple Queue Service (SQS) – Continuing to deploy updates.
The following services have been fully updated for CVE-2014-0224 and will require steps from our customers to complete the update processes.
Amazon Linux AMI – An updated version of OpenSSL has been made available in our package repository. The updated package is openssl-1.0.1g-1.70.amzn1. Run “sudo yum update openssl” to update your Amazon Linux AMI Instance. Once the new package is installed, it is required that you either manually restart all services that are using openssl, or that you reboot your instance.
AWS Elastic Beanstalk – Updates completed. Please see the Elastic Beanstalk forum announcement (https://forums.aws.amazon.com/ann.jspa?annID=2509) for specific steps to finalize the update process.
Amazon Elastic MapReduce (EMR) – Updates completed. Customers using AMI 3.0 or later who wish to install the patch should run “sudo yum update openssl” on their cluster and restart any dependent services. Clusters launched after 06/05/2014 6:00 PDT will get the update automatically.
Amazon Relational Database Service (RDS) PostgreSQL Database Instances – We have completed the update to Amazon RDS for PostgreSQL database instances. The update will take effect after a reboot, which is scheduled to occur during customers’ next database instance maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the database instance will be unavailable during that time.
To have the update take effect immediately, please execute the reboot operation for your PostgreSQL database instances from the AWS Management Console. https://console.aws.amazon.com/rds
All new Amazon RDS for PostgreSQL databases deployed after 9:45 pm PDT on June 5, 2014 already have the update applied. Amazon RDS for MySQL, Oracle, and SQL Server instances have not been affected by this issue.
Amazon Redshift – We have completed the update to Amazon Redshift data warehouse clusters. The update will take effect after a reboot, which is scheduled to occur during customers’ next cluster maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the cluster will be unavailable during that time.
To have the update take effect immediately, customers can adjust their maintenance window settings from the AWS Management Console. https://console.aws.amazon.com/redshift
All new Amazon Redshift clusters deployed after 4:23 pm PDT on June 5, 2014 already have the update applied.
All other services are not impacted.
Update:
2014/06/06 9:30 AM PDT
Here’s a status update for our services:
Amazon CloudFront – Continuing to deploy updates.
AWS CloudHSM – Continuing to deploy updates.
Amazon Elastic Load Balancing (ELB) – Continuing to deploy updates. Updates to load balancers that terminate HTTPS/SSL have been completed.
Amazon Relational Database Service (RDS) PostgreSQL Database Instances – We have completed the update to Amazon RDS for PostgreSQL database instances. The update will take effect after a reboot, which is scheduled to occur during customers’ next database instance maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the database instance will be unavailable during that time.
To have the update take effect immediately, please execute the reboot operation for your PostgreSQL database instances from the AWS Management Console. https://console.aws.amazon.com/rds
All new Amazon RDS for PostgreSQL databases deployed after 9:45 pm PDT on June 5, 2014 already have the update applied. Amazon RDS for MySQL, Oracle, and SQL Server instances have not been affected by this issue.
Amazon Simple Storage Service (S3) – Continuing to deploy updates.
Amazon Simple Notification Service (SNS) – Continuing to deploy updates.
Amazon Simple Queue Service (SQS) – Continuing to deploy updates.
The following services have been fully updated for CVE-2014-0224 and will require steps from our customers to complete the update processes.
Amazon Linux AMI – An updated version of OpenSSL has been made available in our package repository. The updated package is openssl-1.0.1g-1.70.amzn1. Run “sudo yum update openssl” to update your Amazon Linux AMI Instance. Once the new package is installed, it is required that you either manually restart all services that are using openssl, or that you reboot your instance.
AWS Elastic Beanstalk – Updates completed. Please see the Elastic Beanstalk forum announcement (https://forums.aws.amazon.com/ann.jspa?annID=2509) for specific steps to finalize the update process.
Amazon Elastic MapReduce (EMR) – Updates completed. Customers using AMI 3.0 or later who wish to install the patch should run “sudo yum update openssl” on their cluster and restart any dependent services. Clusters launched after 06/05/2014 6:00 PDT will get the update automatically.
Amazon Redshift – We have completed the update to Amazon Redshift data warehouse clusters. The update will take effect after a reboot, which is scheduled to occur during customers’ next cluster maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the cluster will be unavailable during that time.
To have the update take effect immediately, customers can adjust their maintenance window settings from the AWS Management Console. https://console.aws.amazon.com/redshift
All new Amazon Redshift clusters deployed after 4:23 pm PDT on June 5, 2014 already have the update applied.
All other services are not impacted.
Update:
2014/06/05 8:00 PM PDT
We can now provide the following updates on our services:
AWS Elastic Beanstalk – Updates completed. Please see the Elastic Beanstalk forum announcement (https://forums.aws.amazon.com/ann.jspa?annID=2509) for specific steps to finalize the update process.
Amazon Elastic MapReduce (EMR) – Updates completed. Customers using AMI 3.0 or later who wish to install the patch should run “sudo yum update openssl” on their cluster and restart any dependent services. Clusters launched after 06/05/2014 6:00 PDT will get the update automatically.
Amazon Redshift – We have completed the update to Amazon Redshift data warehouse clusters. The update will take effect after a reboot, which is scheduled to occur during customers’ next cluster maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the cluster will be unavailable during that time.
To have the update take effect immediately, customers can adjust their maintenance window settings from the AWS Management Console. https://console.aws.amazon.com/redshift
All new Amazon Redshift clusters deployed after 4:23 pm PDT on June 5, 2014 already have the update applied.
Amazon Simple Notification Service (SNS) – Currently deployed in SA-East-1. Continuing to deploy updates.
Amazon CloudFront, AWS CloudHSM, Amazon Elastic Load Balancing (ELB), Amazon Relational Database Service (RDS) PostgreSQL Database Instances, Amazon Simple Storage Service (S3), and Amazon Simple Notification Service (SNS) are continuing to deploy updates. We will provide updates within this bulletin as they are available.
All other services are not impacted.
Update:
2014/06/05 1:00 PM PDT
Upon further analysis of the OpenSSL advisory, only CVE-2014-0224 could impact AWS services. The nature of this CVE requires several unusual preconditions to be met and therefore the relative impact of this particular OpenSSL issue is low. We can confirm that patching is either completed or currently underway for the following services:
Amazon Linux AMI – An updated version of OpenSSL has been made available in our package repository. The updated package is openssl-1.0.1g-1.70.amzn1. Run “sudo yum update openssl” to update your Amazon Linux AMI Instance. Once the new package is installed, it is required that you either manually restart all services that are using openssl, or that you reboot your instance.
AWS Elastic Beanstalk – Updates completed. The next update will include specific steps customers should take to finalize the update process.
Amazon CloudFront – Continuing to deploy updates.
AWS CloudHSM – Continuing to deploy updates.
Amazon Elastic Load Balancing (ELB) – We are continuing to deploy updates to Elastic Load Balancing. We are prioritizing load balancers that terminate HTTPS/SSL connections. We anticipate completing these updates in the next several hours.
Amazon Elastic MapReduce (EMR) – Updates completed. The next update will include specific steps customers should take to finalize the update process.
Amazon Redshift – We are applying an update for customers’ Amazon Redshift clusters. The update will take effect during customers’ next maintenance window and will require a database restart during which customers will experience a few minutes of downtime. After the fix has taken effect, the cluster version will be 1.0.793.
After the update has been provided, to have the update take effect immediately, customers can adjust their maintenance window settings from the AWS Management Console. https://console.aws.amazon.com/redshift
All new clusters deployed after the update is provided will already have the update applied.
Amazon Relational Database Service (RDS) PostgreSQL Database Instances – We are applying an update to RDS for PostgreSQL instances to address this advisory. Amazon RDS for MySQL, Oracle, and SQL Server instances have not been affected by this issue.
Amazon Simple Storage Service (S3) – Continuing to deploy updates.
Amazon Simple Email Service (SES) – Not impacted.
Amazon Simple Notification Service (SNS) – Continuing to deploy updates.
Amazon WorkSpaces – Not impacted.
We will continue to provide updates on our services as they are patched in updates to this security bulletin.
2014/06/05 5:17 AM PDT
We are aware of the OpenSSL advisory posted at https://www.openssl.org/news/secadv_20140605.txt. Many of the items listed within the advisory are for OpenSSL features that we do not utilize, and therefore we anticipate minimal to no impact for our customers. We will update this bulletin with more details when we receive them.