[SRU] Backport AWS agent with IMDSv2 support

Bug #1915203 reported by Lucas Kanashiro
Affects | Status | Importance | Assigned to | Milestone
resource-agents (Ubuntu) | Fix Released | Undecided | Lucas Kanashiro |
Bionic | In Progress | Undecided | Lucas Kanashiro |
Focal | In Progress | Undecided | Lucas Kanashiro |
Groovy | Won't Fix | Undecided | Lucas Kanashiro |

Bug Description

[Impact]

This update is considered a hardware enablement feature which will allow AWS users to make use of the IMDSv2 support recently added to resource-agents. This is an important security-related feature recently introduced by AWS.

[Test Case]

TBD

[Where problems could occur]

All the patches needed change only the AWS agents, so if a problem could occur it would affect only them.

[Original Description]

Last year, AWS released "IMDSv2" in an effort to protect customers against some potentially severe information leaks related to accidentally proxying this local data to the network. Details at https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

IMDSv2 makes use of a session-based protocol, requiring clients to first retrieve a time-limited session token, and then to include that token with subsequent requests.

Because the intended purpose of IMDSv2 is to provide an additional layer of defense against network abuses, customers utilizing it may choose to disable IMDSv1. Disabling IMDSv2 today causes fence_aws to fail.
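
The two-step exchange described in the report, as an added example that is not part of the original bug report or of the resource-agents code. A constructed local mock stands in for a metadata endpoint with IMDSv1 disabled; the token value, instance id and the names `MockIMDS`, `imds_get` and `demo` are assumptions, while the header names and paths are the ones AWS documents for IMDSv2.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-session-token"  # constructed sample, not a real token
INSTANCE_ID = "i-0123456789abcdef0"  # constructed sample metadata value
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HDR = "X-aws-ec2-metadata-token"
# Ignore proxy environment variables: metadata requests must stay local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class MockIMDS(BaseHTTPRequestHandler):
    """Local stand-in for a metadata endpoint with IMDSv1 disabled."""
    def _reply(self, code, body=""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())
    def do_PUT(self):  # step 1: hand out a time-limited session token
        ok = self.path == "/latest/api/token" and self.headers.get(TTL_HDR)
        self._reply(200 if ok else 400, TOKEN if ok else "")
    def do_GET(self):  # step 2: serve metadata only to token holders
        ok = self.headers.get(TOKEN_HDR) == TOKEN
        self._reply(200 if ok else 401, INSTANCE_ID if ok else "")
    def log_message(self, *args):  # keep the demo quiet
        pass

def imds_get(base, path, use_v2=True, ttl=60):
    """Fetch one metadata path; returns the body or the HTTP error code."""
    headers = {}
    try:
        if use_v2:  # IMDSv2: obtain the session token first
            put = urllib.request.Request(base + "/latest/api/token",
                                         method="PUT", headers={TTL_HDR: str(ttl)})
            with OPENER.open(put, timeout=2) as resp:
                headers[TOKEN_HDR] = resp.read().decode()
        get = urllib.request.Request(base + path, headers=headers)
        with OPENER.open(get, timeout=2) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code

def demo(path="/latest/meta-data/instance-id"):
    with HTTPServer(("127.0.0.1", 0), MockIMDS) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % server.server_port
        try:  # (tokenless IMDSv1-style result, IMDSv2 result)
            return imds_get(base, path, use_v2=False), imds_get(base, path)
        finally:
            server.shutdown()
```

A client that sends only the tokenless GET receives 401 from such an endpoint, while the token-first client receives the metadata value.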


Changed in resource-agents (Ubuntu):
status: New → Fix Released
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in resource-agents (Ubuntu Bionic):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in resource-agents (Ubuntu Focal):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in resource-agents (Ubuntu Groovy):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in resource-agents (Ubuntu Bionic):
status: New → In Progress
Changed in resource-agents (Ubuntu Focal):
status: New → In Progress
Changed in resource-agents (Ubuntu Groovy):
status: New → In Progress
Lucas Kanashiro (lucaskanashiro) wrote :
description: updated
summary: - Backport AWS agent with IMDSv2 support
+ [SRU] Backport AWS agent with IMDSv2 support
Brian Murray (brian-murray) wrote :

The Groovy Gorilla has reached end of life, so this bug will not be fixed for that release.

Changed in resource-agents (Ubuntu Groovy):
status: In Progress → Won't Fix