CVE-2025-8904 - Issue with Amazon EMR Secret Agent component

Posted on: Aug 13, 2025

Bulletin ID: AWS-2025-017
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/08/13 10:00 AM PDT

Description:

Amazon EMR is a managed cluster platform that simplifies running big data frameworks on AWS to process and analyze vast amounts of data.

We identified CVE-2025-8904, an issue in the Amazon EMR Secret Agent component. The Secret Agent component securely stores secrets and distributes them to other Amazon EMR components and applications. When an Amazon EMR cluster uses one or more of the Lake Formation, Apache Ranger, runtime role, or Identity Center features that rely on this component, Secret Agent creates a keytab file containing Kerberos credentials and stores it in the /tmp/ directory. A user with access to this directory and to another account can potentially decrypt the keys and escalate to higher privileges.

We implemented a fix that removes /tmp/ as a staging directory for Kerberos credentials, eliminating the possibility of users accessing the keytab file. The fix is available in Amazon EMR release 7.5 and higher.
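A defender on an affected release may want to confirm whether any keytab material is currently sitting in /tmp/ with permissions that let other local accounts read it, and to re-run the same check after upgrading or applying the bootstrap fix. The script below is an added example and is not AWS's own tooling or the fix itself. It assumes a Linux node with GNU coreutils (`head -c`, `od`, `ls`); a file is treated as keytab-like if its name ends in `.keytab` (an assumed naming convention) or its first two bytes are the MIT keytab header 0x05 followed by format version 0x01 or 0x02. The sample directory it builds for a self-test is constructed data, not real EMR output.

```shell
#!/bin/sh
# Audit a directory (default /tmp) for Kerberos keytab files that are readable
# by group or others. Added example for CVE-2025-8904 triage, not AWS code.

# Print one "mode path" line per keytab-like file under $1 whose permission
# bits grant read access to group or others.
list_exposed_keytabs() {
    dir="${1:-/tmp}"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        is_keytab=0
        # Assumed naming convention: files ending in .keytab
        case "$f" in *.keytab) is_keytab=1 ;; esac
        if [ "$is_keytab" -eq 0 ]; then
            # MIT keytab header: byte 0x05, then format version 0x01 or 0x02
            hdr=$(head -c 2 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
            case "$hdr" in 0501|0502) is_keytab=1 ;; esac
        fi
        [ "$is_keytab" -eq 1 ] || continue
        # Permission string such as -rw-r--r--; char 5 = group read, char 8 = other read
        perms=$(ls -ld "$f" | cut -c1-10)
        case "$perms" in
            ????r*|???????r*) printf '%s %s\n' "$perms" "$f" ;;
        esac
    done
}

# Number of exposed keytab-like files under $1; "0" means nothing was found.
count_exposed_keytabs() {
    list_exposed_keytabs "$1" | wc -l | tr -d ' '
}

# Build a constructed sample directory for a self-test (not real EMR data):
# a mode-644 file carrying a keytab header, a mode-600 *.keytab, and an
# unrelated mode-644 text file. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf '\005\002constructed' > "$d/krb5_staging"
    chmod 644 "$d/krb5_staging"
    printf '\005\002constructed' > "$d/service.keytab"
    chmod 600 "$d/service.keytab"
    printf 'not a keytab\n' > "$d/notes.txt"
    chmod 644 "$d/notes.txt"
    printf '%s\n' "$d"
}

# Usage: sh audit_keytabs.sh --self-test   (runs against the constructed sample)
#        sh audit_keytabs.sh /tmp          (audits a real directory)
if [ "${1:-}" = "--self-test" ]; then
    sample=$(make_sample_dir)
    list_exposed_keytabs "$sample"
    rm -rf "$sample"
elif [ -n "${1:-}" ]; then
    list_exposed_keytabs "$1"
fi
```

On the constructed sample only `krb5_staging` is reported: `service.keytab` is keytab-like but mode 600, and `notes.txt` is world-readable but not a keytab. An empty result on a node running an affected release does not prove the staging behaviour is absent, since the file may exist only transiently; run the check while the Lake Formation, Ranger, runtime role or Identity Center features are in use.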

Affected versions:

Amazon EMR version 6.10 through 7.4

Resolution:

This issue has been addressed in Amazon EMR version 7.5 and higher. We recommend upgrading to the latest version to incorporate the new fixes.

For customers on Amazon EMR releases version 6.10 through 7.4, we strongly recommend running the bootstrap script and RPM files with the fix provided in the location.

References:

Please email aws-security@amazon.com with any security questions or concerns.