ALAS-2016-763


Amazon Linux AMI Security Advisory: ALAS-2016-763
Advisory Release Date: 2016-11-10 18:00 Pacific
Severity: Important
References:

Issue Overview:

It was discovered that cloud-init in the Amazon Linux AMI wrote IAM role credentials from the instance metadata service to files readable by the root user in /var/lib/cloud. An application with root privileges, a container with access to the relevant files, or a root user of an AMI derived from a previously launched AMI could read and use the credentials. (IAM role credentials expire after 6 hours.)


Affected Packages:

cloud-init


Issue Correction:
Run yum update cloud-init to update your system. To delete the files which contain credentials, run rm /var/lib/cloud/instance/obj.pkl /var/lib/cloud/instances/*/obj.pkl.

New Packages:
noarch:
    cloud-init-0.7.6-2.13.amzn1.noarch

src:
    cloud-init-0.7.6-2.13.amzn1.src