Read our latest security bulletins here.
  1. Reported Apache Log4j Hotpatch Issues

    Initial Publication Date: 2022/04/19 14:30 PST
    CVE IDs: CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071

On December 12, 2021, Amazon publicly released a hotpatch for running Java VMs which disables the loading of the Java Naming and Directory Interface (JNDI) class. This hotpatch provides an immediate mitigation for critical issues within the open-source Apache “Log4j2” utility (CVE-2021-44228 and CVE-2021-45046) while allowing system administrators sufficient time to fully patch impacted environments. Security researchers recently reported issues within this hotpatch and within the associated OCI hooks for Bottlerocket (“Hotdog”). We have addressed these issues in a new version of the hotpatch and a new version of Hotdog. We recommend that customers who run Java applications in containers, and use either the hotpatch or Hotdog, update to the latest versions of the software immediately. The latest package names and versions of the hotpatch for Amazon Linux and Amazon Linux 2 are as follows:

    • Amazon Linux: log4j-cve-2021-44228-hotpatch-1.1-16.amzn1
    • Amazon Linux 2: log4j-cve-2021-44228-hotpatch-1.1-16.amzn2

    Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the latest hotpatch version by running the following command: sudo yum update. The hotpatch expects an environment containing the latest Linux kernel updates, and customers should not skip any available kernel updates when updating the version of the hotpatch in use. More information is available within the Amazon Linux Security Center: https://alas.aws.amazon.com
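As an added example (not part of the bulletin or of Amazon's hotpatch tooling), the following Python script parses the installed hotpatch package name as reported by rpm and checks it against the fixed versions listed above. It assumes the package names in the bulletin, the standard RPM name-version-release.dist layout, and the `rpm -q` query form; the sample older package string used in the comments is constructed for illustration.

```python
import re
import subprocess
import sys

# Minimum fixed hotpatch packages named in the bulletin, keyed by the RPM dist tag.
FIXED_HOTPATCH = {
    "amzn1": "log4j-cve-2021-44228-hotpatch-1.1-16.amzn1",
    "amzn2": "log4j-cve-2021-44228-hotpatch-1.1-16.amzn2",
}

# rpm -q prints NAME-VERSION-RELEASE.ARCH; the arch suffix is optional here.
_ARCH_SUFFIXES = (".noarch", ".x86_64", ".aarch64")
_NVR_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")


def parse_nvr(nvr):
    """Split an RPM name-version-release string into (name, version, release_number, dist).

    Example: 'log4j-cve-2021-44228-hotpatch-1.1-16.amzn2' -> ('log4j-cve-2021-44228-hotpatch', '1.1', 16, 'amzn2')
    """
    for arch in _ARCH_SUFFIXES:
        if nvr.endswith(arch):
            nvr = nvr[: -len(arch)]
            break
    m = _NVR_RE.match(nvr)
    if not m:
        raise ValueError(f"not an RPM NVR string: {nvr!r}")
    release_num, _, dist = m.group("release").partition(".")
    return m.group("name"), m.group("version"), int(release_num), dist


def _version_key(version):
    """Compare dotted version strings numerically, so 1.10 > 1.9."""
    return tuple(int(part) for part in version.split("."))


def hotpatch_is_current(installed_nvr):
    """True if the installed hotpatch meets or exceeds the bulletin's fixed version for its dist."""
    name, version, release, dist = parse_nvr(installed_nvr)
    if dist not in FIXED_HOTPATCH:
        raise ValueError(f"no fixed version known for dist tag {dist!r}")
    fixed_name, fixed_version, fixed_release, _ = parse_nvr(FIXED_HOTPATCH[dist])
    if name != fixed_name:
        raise ValueError(f"unexpected package name {name!r}")
    # Version is compared first, release number second (RPM ordering without epochs).
    return (_version_key(version), release) >= (_version_key(fixed_version), fixed_release)


if __name__ == "__main__":
    # Query the live system; a constructed older string such as
    # 'log4j-cve-2021-44228-hotpatch-1.1-13.amzn2.noarch' would report "needs update".
    result = subprocess.run(
        ["rpm", "-q", "log4j-cve-2021-44228-hotpatch"],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:
        print("hotpatch package is not installed")
        sys.exit(0)
    installed = result.stdout.strip()
    status = "current" if hotpatch_is_current(installed) else "needs update (run: sudo yum update)"
    print(f"{installed}: {status}")
```

The check deliberately compares the release field as an integer rather than as text, since a string comparison would rank release 9 above release 16.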

    Customers using Bottlerocket with the hotpatch for Apache Log4j feature enabled should update to the latest release of Bottlerocket, which includes the most recent version of Hotdog.

    We would like to thank Palo Alto Networks for reporting these issues.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  2. Reported AWS Desktop VPN Client for Windows Issue

    Initial Publication Date: 2022/04/12 15:30 PST

    AWS is aware of the issues described in CVE-2022-25165 and CVE-2022-25166 relating to the AWS-provided Desktop VPN Client for Windows. These issues affect only client versions 2.0.0 and below; they have been addressed in version 3.0.0 and above. Note that these issues require existing code execution privileges and file access on the system running Desktop VPN Client for Windows. We recommend that customers upgrade to the latest version immediately to help ensure defense in depth.

    The latest version of the AWS Client VPN software is available for download at https://aws.amazon.com/vpn/client-vpn-download.

    We would like to thank Rhino Security Labs for reporting these issues.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  3. Reported Amazon RDS PostgreSQL issue

    Initial Publication Date: 2022/04/11 16:45 PST
    Last Updated Date: 2022/04/12 13:00 PST

    A security researcher recently reported an issue with Aurora PostgreSQL. Using this issue, they were able to gain access to internal credentials that were specific to their Aurora cluster. No cross-customer or cross-cluster access was possible; however, highly privileged local database users who could exercise this issue could potentially have gained additional access to data hosted in their cluster or read files within the operating system of the underlying host running their database.

    This issue was associated with a third-party open-source PostgreSQL extension, “log_fdw”, which is pre-installed in both Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL. The issue permitted the researcher to examine the contents of local system files of the database instance within their account, including a file which contained credentials specific to Aurora. Privileged, authenticated database users with sufficient permissions to trigger this issue could use these credentials to gain elevated access to their own database resources from which the credentials were retrieved. They would not be able to use the credentials to access internal RDS services or move between databases or AWS accounts. The credentials could only be used to access resources associated with the Aurora database cluster from which the credentials were retrieved.

    AWS moved immediately to address this issue when it was reported. As part of our mitigation, we have updated Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL to prevent this issue. We have also deprecated the Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL minor versions listed below. As such, customers can no longer create new instances with these versions.

    The following Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL minor versions have been deprecated:

    Amazon Aurora PostgreSQL-compatible edition versions:

    • 10.11, 10.12, 10.13
    • 11.6, 11.7, 11.8

    Amazon RDS for PostgreSQL versions:

    • 13.2, 13.1
    • 12.6, 12.5, 12.4, 12.3, 12.2
    • 11.11, 11.10, 11.9, 11.8, 11.7, 11.6, 11.5, 11.4, 11.3, 11.2, 11.1
    • 10.16, 10.15, 10.14, 10.13, 10.12, 10.11, 10.10, 10.9, 10.7, 10.6, 10.5, 10.4, 10.3, 10.1
    • 9.6.21, 9.6.20, 9.6.19, 9.6.18, 9.6.17, 9.6.16, 9.6.15, 9.6.14, 9.6.12, 9.6.11, 9.6.10, 9.6.9, 9.6.8, 9.6.6, 9.6.5, 9.6.3, 9.6.2, 9.6.1
    • 9.5, 9.4 and 9.3

    For detailed release notes about minor versions, including existing supported versions, visit:

    • Aurora PostgreSQL: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Updates.20180305.html
    • RDS PostgreSQL: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html

    We would like to thank Lightspin for reporting this issue.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  4. CVE-2022-0778 awareness

    Initial Publication Date: 2022/03/17 20:42 PST

    AWS is aware of an issue present in OpenSSL versions 1.0.2, 1.1.1, and 3.0 in which a certificate containing invalid explicit curve parameters can cause a denial of service (DoS) by triggering an infinite loop. This issue was fixed in the OpenSSL 1.0.2zd, 1.1.1n, and 3.0.2 releases. AWS is actively investigating the impact of this issue on AWS services.
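As an added example (not part of the bulletin or of the OpenSSL project), the following Python checks the output of `openssl version` against the three fixed releases named above. The point it demonstrates is the ordering of OpenSSL 1.x letter patches, which run a through z and then continue as za, zb, zc, zd, so a plain string comparison would wrongly rank 1.0.2u above 1.0.2zd. The version strings in the test are constructed samples in the format `openssl version` prints.

```python
import re
import subprocess

# Releases in which CVE-2022-0778 was fixed, per the bulletin.
FIXED_1_0_2 = "zd"   # 1.0.2zd
FIXED_1_1_1 = "n"    # 1.1.1n
FIXED_3_0_PATCH = 2  # 3.0.2

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Extract (major, minor, patch, letters) from an `openssl version` line.

    'OpenSSL 1.0.2zd  15 Mar 2022' -> (1, 0, 2, 'zd'); 'OpenSSL 3.0.2 ...' -> (3, 0, 2, '').
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def _letter_key(letters):
    """Sort key for 1.x letter patches: '' < 'a' < ... < 'z' < 'za' < 'zb' < ...

    Ordering by length first makes every two-letter suffix rank above every single letter.
    """
    return (len(letters), letters)


def cve_2022_0778_fixed(version_text):
    """True if the version is at or above the fixed release for its branch,
    False if it is on an affected branch but below the fix,
    None if the branch is not one the bulletin covers (e.g. 1.1.0)."""
    major, minor, patch, letters = parse_version(version_text)
    if (major, minor, patch) == (1, 0, 2):
        return _letter_key(letters) >= _letter_key(FIXED_1_0_2)
    if (major, minor, patch) == (1, 1, 1):
        return _letter_key(letters) >= _letter_key(FIXED_1_1_1)
    if (major, minor) == (3, 0):
        return patch >= FIXED_3_0_PATCH
    return None


if __name__ == "__main__":
    # Query the system library; many binaries link OpenSSL statically, so check those separately.
    output = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    verdict = {True: "fixed", False: "AFFECTED - update OpenSSL", None: "branch not covered by this bulletin"}
    print(f"{output.strip()}: {verdict[cve_2022_0778_fixed(output)]}")
```

A result of None is worth surfacing rather than treating as safe: a branch the bulletin does not name (such as the end-of-life 1.1.0 series) received no fix release and needs its own assessment.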

  5. Reported AWS CloudFormation Issue

    Initial Publication Date: 2022/01/13 13:00 PST

    Security researchers recently identified and reported an issue in AWS CloudFormation. Specifically, the reported issue was in the AWS CloudFormation service itself, and it allowed viewing of some local configuration files on an AWS-internal host or issuing unauthenticated HTTP GET requests from that same host. The researchers used the HTTP GET capability to obtain a set of locally accessible credentials specific to the host. Neither the local configuration file access nor the host-specific credentials permitted access to any customer data or resources.

    AWS took immediate action to correct this issue when it was reported and verified that the technique described by the researchers could not be used to access customer data or resources. Extensive log analysis has verified that the researchers' activity was limited to the specific AWS CloudFormation host. AWS customers were not impacted by this reported concern, and no customer action is required.

    We would like to thank Orca Security for reporting this issue.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.