Rapid7 Vulnerability & Exploit Database

Amazon Linux AMI: Security patch for openssh (ALAS-2014-319)

Back to Search

Amazon Linux AMI: Security patch for openssh (ALAS-2014-319)



Due to a problem with the configuration of kernels 3.10.34-37 and 3.10.34-38 and their interaction with the authentication modules stack, the sshd daemon which is part of the openssh package will no longer allow remote logins following a restart of the sshd service.

There are two permanant fixes for this issue, and we urge you to apply both.

(1) Update to openssh-server-6.2p2-7.40.(2) Update to kernel-3.10.34-39 and reboot your instance.

To apply these fixes, run yum update openssh kernel and reboot your instance.

The new openssh package includes workarounds for the misconfigured kernels and the new kernel package addresses the miscofiguration issue from earlier builds.

If you are unable to log in to your instance due to this issue, you can recover your instances via the RebootInstances API call (ec2-reboot-instances i-XXXXXXXX or aws ec2 reboot-instances --instance-ids i-XXXXXXXX) but the permanent fix will still be needed.

Any Amazon Linux AMI on which the running kernel is either 3.10.34-37 or 3.10.34-38 is impacted by this issue.


  • amazon-linux-upgrade-openssh
  • amazon-linux-upgrade-openssh-clients
  • amazon-linux-upgrade-openssh-debuginfo
  • amazon-linux-upgrade-openssh-keycat
  • amazon-linux-upgrade-openssh-ldap
  • amazon-linux-upgrade-openssh-server
  • amazon-linux-upgrade-pam_ssh_agent_auth

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center