Hi Lee,
You should have received an email from AWS. Yes you definitely need to take action. Here it is in case you missed it:
Dear Amazon EC2 Customer,
The OpenSSL project has recently announced a security vulnerability in OpenSSL affecting versions 1.0.1 and 1.0.2 (CVE-2014-0160). Customers that are running Linux and are using SSL could be affected by this issue and should upgrade to a fixed version as soon as possible.
If you’re using the Amazon Linux AMI, you can simply run “sudo yum update openssl”, and then restart any services using OpenSSL to protect any at-risk instances.
Find more details and update instructions from the websites of your Linux vendor of choice:
* Amazon Linux AMI: https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/
* Red Hat: https://rhn.redhat.com/errata/RHSA-2014-0376.html
* Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Please note that several of the prominent Linux operating systems have released fixed packages that still bear the OpenSSL 1.0.1e name. Even though the OpenSSL project released 1.0.1g as their newest software, downstream Linux providers have in some cases elected to include just the fix for CVE-2014-0160 in their packages in order to provide a small update quickly. Updates to 1.0.1g are likely to come later.
For more information about this vulnerability, please visit
* AWS Security Bulletin page: https://aws.amazon.com/security/security-bulletins/
* OpenSSL’s official advisory: https://www.openssl.org/news/secadv_20140407.txt
* The Heartbleed Bug: http://heartbleed.com/
Thank you,
AWS SecurityAmazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210
Regards,
Jason