Amazon Linux 1 Security Advisory: ALAS-2016-763
Advisory Release Date: 2016-11-10 18:00 Pacific
Advisory Updated Date: 2016-11-10 18:00 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
It was discovered that cloud-init in the Amazon Linux AMI wrote IAM role credentials from the instance metadata service to files readable by the root user in /var/lib/cloud. An application with root privileges, a container with access to the relevant files, or a root user of an AMI derived from a previously launched AMI could read and use the credentials. (IAM role credentials expire after 6 hours.)
Affected Packages:
cloud-init
Issue Correction:
Run yum update cloud-init to update your system. To delete the files which contain credentials, run rm /var/lib/cloud/instance/obj.pkl /var/lib/cloud/instances/*/obj.pkl.
noarch:
cloud-init-0.7.6-2.13.amzn1.noarch
src:
cloud-init-0.7.6-2.13.amzn1.src