Amazon Web Services Initiates Massive Reboot Of EC2 Instances To Deploy Security Fix

Amazon Web Services has initiated a massive reboot of EC2 instances in response to a security flaw that the company has yet to identify. AWS has notified customers to expect reboots to instances spanning multiple availability zones and regions. Many sources speculate that the reboot involves a security vulnerability in the open source Xen-108 hypervisor, the security patch for which is currently available via pre-release, embargoed code. Depending on the time zone of the targeted instance, the reboot starts on September 25 or 26 and ends on September 30. Amazon has confirmed that details of a security flaw specific to the Xen hypervisor will be officially released on October 1, but that “following security best practices, the details of this update are embargoed until then.” According to a RightScale blog post, T1, T2, M2, R3, and HS1 instances will not be affected and less than 10% of all EC2 instances will be impacted by the reboot and concomitant security patch. Notably, customers that independently reboot their EC2 instance will not necessarily experience the installation of the requisite security patch on their host machine. The reboot represents one of Amazon’s largest reboots in recent years and has the potential to affect application uptime, although the reboots will be staggered across different availability zones to minimize service disruptions.