Hacker News new | past | comments | ask | show | jobs | submit login
[dupe] AWS accelerates instance reboots in anticipation of research findings
32 points by tomchuk on Jan 3, 2018 | hide | past | web | favorite | 14 comments
I had some instances that I hadn't manually restarted, scheduled for reboot on Friday and Saturday. Just received this email:

We previously advised you of important security and operational updates which will require a reboot of one or more of your Amazon EC2 instances in the US-EAST-1 region. Unfortunately, we must accelerate the planned reboot times for these instances given anticipated publication of new research findings.

The new maintenance window has been scheduled between January 4, 2018 at 8:00 AM UTC (12:00AM PST) and January 4, 2018 at 2:00 PM UTC (6:00AM PST) during which the EC2 service will automatically perform the required reboot. During the maintenance window, the affected instance will be unavailable for a short period of time as it reboots. We will be performing this maintenance in a single Availability Zone of each Region at a time. For more information on EC2 maintenance, please see our documentation here: https://aws.amazon.com/maintenance-help/ .

To avoid your scheduled reboot, you are able to reboot this instance any time prior to the maintenance window. More details on rebooting your instances yourself can be found here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-reboot.html

To see which of your instances are impacted, please visit the 'Events' page on the EC2 console to view your instances that are scheduled for maintenance:

https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#Events

Sincerely, Amazon Web Services





Can't this be disabled somehow for internal servers only ? Say disabling it on db servers but keep it on api/web servers.


They're doing this so you (or other shared tenants) can't read your VMs or the host's memory (and vice versa).


What about on dedicated servers ? Is there a config that can be done ?


No, and that's not the way the bug works.


They're rebooting to patch the host, not your VM.


This is necessary because AWS does not support hot-migration of clients. To reboot the host, instead of pushing clients off to other hosts, they have to reboot all clients with the host.


I don't think this is a dupe. This notice of reboots is not publicized at all in the other post.


any ideas what those findings are?


https://googleprojectzero.blogspot.com/2018/01/reading-privi...

We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.

Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 [1].

So far, there are three known variants of the issue:

    Variant 1: bounds check bypass (CVE-2017-5753)
    Variant 2: branch target injection (CVE-2017-5715)
    Variant 3: rogue data cache load (CVE-2017-5754)


aka "LOL zero day exploit needs to be patched ASAP thx"


It's not a zero-day exploit.


There's no way of knowing if this was exploited in the wild before it was discovered and mitigated. If it was, then it was a zero-day exploit.


By this logic, all exploits for publicly released software, patched or unpatched, could be zero-day exploits. That would make the term rather meaningless, IMHO.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: