Here’s something to make you sit up and take notice: Amazon Web Services has notified customers that an “urgent patch” to many EC2 hosts will start September 26 and continue through September 30.
This is according to a blog post by RightScale CTO Thorsten Von Eicken and there’s more here on Hacker News and the AWS forum. RightScale helps customers monitor and manage their workloads in AWS and other clouds so it has a pretty good view into customer interactions with AWS, and vice versa.
Von Eicken wrote that Amazon cloud users should know that if an instance is relaunched between now and the upgrade, they will not necessarily be connected to a patched host.
As he points out, Amazon is not very transparent about what the underlying issues are, although he — and others — speculate that a security issue is the cause. It appears that T1, T2, M2, R3 and HS1 instance types are not impacted. But other instance types across all regions and availability zones are.
Per Von Eicken:
Normally, whenever our Ops team receives a maintenance notice regarding a specific set of instances, we relaunch them as soon as possible at our convenience so that by the time the maintenance window arrives, our instances are already on hosts that have had the maintenance done. This time, due to the scale of the patching, there is not enough patched capacity available to guarantee this.
Sebastian Stadil, CEO of Scalr, a cloud management provider, confirmed that the alerts had gone out. “The urgency does indicate a security issue, and the fact that only select older instance types are affected indicates that the issue is in the hypervisor,” Stadil said via email.
“The security best practice in this case is to not disclose the vulnerability until a patch has been made (and arguably applied for large customers), so I expect AWS to disclose this later,” he added.
Stadil and others surmise that a known vulnerability in the Xen hypervisor could be at the heart of the issue. Others speculated that AWS was doing this to address Bashbug, a flaw in the Unix bash shell, but a response on the AWS support forum said the notifications were not related to that vulnerability.
He noted that it will be important to determine whether Amazon Virtual Private Clouds (VPCs) without public internet access are also vulnerable.
Check out the RightScale blog, your Amazon consoles and this story for updates.
Note: This story was updated with links to the AWS forum and additional context from Scalr.