この日はAWSセキュリティ速報が2件公開されました。1件目はAmazon WorkSpaces Linux版クライアント(2023.0〜2024.8)における認証トークンの不適切な取り扱い(CVE-2025-12779)で、同一クライアント上の他ローカルユーザーがDCVベースのWorkSpaces向けトークンを取得し、別ユーザーのWorkSpaceにアクセスできる可能性が指摘されました。2件目はオープンソースのコンテナ管理基盤runcに影響する3件の脆弱性(CVE-2025-31133、CVE-2025-52565、CVE-2025-52881)への注意喚起で、AWSはコンテナをセキュリティ境界とみなしておらず顧客間のリスクはないとしつつ、Amazon LinuxやECS、EKS、Bottlerocketなど一部サービスが影響対象として挙げられています。いずれも重要度「Important」の扱いです。
Amazon WorkSpaces Linuxクライアントの認証トークン露出 (CVE-2025-12779)
runcコンテナランタイムの脆弱性3件 (CVE-2025-31133/52565/52881) とAWSサービスへの影響
Bulletin ID: AWS-2025-025
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/11/5 13:20 PM PDT
Description:
We identified CVE-2025-12779, which describes an issue in the Amazon WorkSpaces client for Linux . Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, an unintended user may be able to extract a valid authentication token from the client machine and access another user’s WorkSpace. We have proactively communicated with customers regarding the end of support for the impacted client versions.
Impacted versions: Amazon WorkSpaces client for Linux versions 2023.0 through 2024.8
Bulletin ID: AWS-2025-024
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/11/5 8:45 PM PDT
CVE Identifiers: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881
AWS is aware of recently disclosed security issues affecting the runc component of several open source container management systems (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) when launching new containers. AWS does not consider containers a security boundary, and does not utilize containers to isolate customers from each other. There is no cross-customer risk from these issues. AWS customers that utilize containers to isolate workloads within their own self-managed environments are strongly encouraged to contact their operating system vendor for any updates or instructions necessary to mitigate any potential concerns arising from these issues.
With the exception of the AWS services listed below, no customer action is required to address this issue. As a best practice, AWS always recommends that you apply all security patches and software version updates.
Affected services:
Amazon Linux
Bottlerocket
Amazon Elastic Container Service (ECS)
Amazon Elastic Kubernetes Service (EKS)
AWS Elastic Beanstalk
Finch
AWS Deep Learning AMI
AWS Batch
Amazon SageMaker