AWS linux documentation change
Summary
Clarified that kernel live patches for security updates are provided on a best-effort basis and not all important/critical CVEs may be available, and updated recommendation text.
Security assessment
The change updates documentation to set expectations about live patch coverage for security vulnerabilities, which is important for security posture management. It removes specific CVSS score mapping and emphasizes checking security advisories. This does not fix a security issue but clarifies security update limitations.
Diff
diff --git a/linux/al2023/ug/live-patching.md b/linux/al2023/ug/live-patching.md index 2981d7ed2..2f329d846 100644 --- a//linux/al2023/ug/live-patching.md +++ b//linux/al2023/ug/live-patching.md @@ -15 +15 @@ AWS releases two types of kernel live patches for AL2023: - * **Security updates** – Include updates for Linux common vulnerabilities and exposures (CVE). These updates are typically rated as _important_ or _critical_ using the Amazon Linux Security Advisory ratings. They generally map to a Common Vulnerability Scoring System (CVSS) score of 7 and higher. In some cases, AWS might provide updates before a CVE is assigned. In these cases, the patches might appear as bug fixes. + * **Security updates** – Include updates for Linux common vulnerabilities and exposures (CVE). These updates are typically rated as _important_ or _critical_ using the Amazon Linux Security Advisory ratings. In some cases, AWS might provide updates before a CVE is assigned. In these cases, the patches might appear as bug fixes. Kernel live patches for security updates are provided on a _best-effort basis_ \-- not all important or critical CVEs may be available as live patches for a given kernel version. To determine whether a specific CVE has been addressed by a live patch, check [ Amazon Linux Security Advisories ](https://alas.aws.amazon.com/alas2023.html). @@ -166 +166 @@ You apply kernel live patches using the **DNF** package manager in the same way -We recommend that you update your kernel regularly using Kernel Live Patching to ensure that it receives specific important and critical security fixes until the system can be rebooted. Please also check if additional fixes have been made available to the native kernel package that cannot be deployed as live patches and [update and reboot](https://docs.aws.amazon.com/linux/al2023/ug/updating.html) into the kernel update for those cases. +We recommend that you update your kernel regularly using Kernel Live Patching to ensure that it receives specific security fixes until the system can be rebooted. Please also check if additional fixes have been made available to the native kernel package that cannot be deployed as live patches and [update and reboot](https://docs.aws.amazon.com/linux/al2023/ug/updating.html) into the kernel update for those cases.