ALAS-2017-866


Amazon Linux AMI Security Advisory: ALAS-2017-866
Advisory Release Date: 2017-08-04 03:30 Pacific
Severity: Important
References: CVE-Pending 

Issue Overview:

A vulnerability was reported in the CloudFormation bootstrap tools, distinct from the one tracked as CVE-2017-9450, in which the default behavior when handling cfn-init metadata can grant escalated privileges to an attacker with local access to the system.


Affected Packages:

aws-cfn-bootstrap


Issue Correction:
  1. Run yum update aws-cfn-bootstrap to update your system.
  2. Update the AWS::CloudFormation::Init metadata section of your template, specifically the entries listed under the files key, to explicitly specify the mode field as documented at http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-init.html. We recommend setting the mode so that it explicitly removes permissions for non-owners. Alternatively, you can change the mode of the files listed in your template directly by logging on to the instance.
  3. Restart the cfn-hup process: service cfn-hup restart
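The following audit helper is an added example for step 2 and is not part of the advisory or the aws-cfn-bootstrap package. It assumes a JSON-format template supplied as text and a constructed sample, and reports every entry under the files key of AWS::CloudFormation::Init that either omits mode or, per the six-digit octal mode format in the CloudFormation docs, grants any permission bits to group or others.

```python
import json

# Constructed sample template (not from the advisory): one file entry omits
# "mode", one grants read access to group/others, one is owner-only.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "WebServer": {
            "Type": "AWS::EC2::Instance",
            "Metadata": {
                "AWS::CloudFormation::Init": {
                    "config": {
                        "files": {
                            "/etc/app/secret.conf": {"content": "token=x"},
                            "/etc/app/public.conf": {"content": "x", "mode": "000644"},
                            "/etc/app/private.conf": {"content": "x", "mode": "000600"},
                        }
                    }
                }
            }
        }
    }
})


def audit_cfn_init_files(template_text):
    """Return (resource, path, finding) tuples for files entries that
    omit mode or grant permission bits to group/others."""
    template = json.loads(template_text)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        init = resource.get("Metadata", {}).get("AWS::CloudFormation::Init", {})
        # Every key except "configSets" is a config block that may carry files.
        for cfg_name, cfg in init.items():
            if cfg_name == "configSets" or not isinstance(cfg, dict):
                continue
            for path, spec in cfg.get("files", {}).items():
                mode = spec.get("mode")
                if mode is None:
                    findings.append((name, path, "mode not set; specify it explicitly"))
                    continue
                # mode is a six-digit octal string (e.g. "000644"); the low
                # nine bits are rwx for owner, group and others.
                bits = int(str(mode), 8)
                if bits & 0o077:
                    findings.append((name, path, f"mode {mode} grants access to group/others"))
    return findings


if __name__ == "__main__":
    for finding in audit_cfn_init_files(SAMPLE_TEMPLATE):
        print(*finding)
```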

New Packages:
noarch:
    aws-cfn-bootstrap-1.4-20.12.amzn1.noarch

src:
    aws-cfn-bootstrap-1.4-20.12.amzn1.src