Amazon said the Amazon Web Services reboots that customers were notified about on Wednesday will affect about 10 percent of total EC2 instances.
As had been speculated, the cause is a Xen hypervisor issue that must be addressed soon, according to an AWS blog post. The updates have nothing to do with the “Bash Bug” or “shell shock” flaw that is handled in a separate security bulletin on the AWS security center.
Per AWS evangelist Jeff Barr:
These updates must be completed by Oct. 1, before the industry notice comes out on Xen update XSA-108. The issue in that notice affects many Xen environments, and is not an AWS-specific issue. Following security best practices, the details of this update are embargoed until then.
As cloud experts point out, when it comes to security fixes, best practice calls for the vendor not to disclose the issue until the patch has been applied.
And it’s true that [company]Amazon[/company] is not the only cloud provider that uses Xen. [company]Rackspace[/company] also uses that hypervisor in its public cloud, but has not issued a statement on it. I have asked Rackspace for comment and will update when that becomes available.
A Rackspace spokesperson said the company will update customers on “third party issues” via its community site. Thus far there appear to be no relevant posts.
Note: This post was updated at 3:29 p.m. PST with Rackspace comment.