AWS is warning customers over a “recent CVE” affecting the “Fargate platform software” (a serverless compute engine for containers).
Unnerving some, AWS did not disclose what the CVE was, nor share an associated security bulletin in its emailed warning, despite saying it will automatically terminate customers’ affected tasks by January 19.
"After Fri, 18 Jan 2024 01:08:21 GMT the affected tasks will be automatically terminated to mitigate the impact of the CVE... when the task is terminated, current IP addresses in use by the task are released.
"All the data stored locally by the task is lost and cannot be recovered" AWS warned in its customer email, noting that customers could consider running tasks as part of an ECS services in which "retired tasks are replaced by newly spawned tasks, without further action on your part."
The security note (it’s arguably not hugely critical – more on that and the CVEs themselves below) was the latest reminder however that cloud and container security remain a work-in-progress on the transparency front.