Tech Echo (科技回声)
A tech news platform built on Next.js, providing global technology news and discussion.
© 2025 Tech Echo. All rights reserved.

AWS injected bad code into customer-run Java apps

16 points, submitted by prashantrajan over 3 years ago

2 comments

prashantrajan, over 3 years ago
AWS decided it was a good idea to push out a "security" patch late on a Friday (Dec 17), without advance warning, that monkey-patched running, customer-owned Java code.

The patch is auto-applied on Amazon Linux AMIs at boot time, since it's marked as a critical update, causing Java web apps to fail. This caused all our auto-scaling processes to fail. Note that the code is injected even in customer re-bundled AMIs of Amazon Linux, because it attaches itself as a hard dependency of the JDK and gets applied as a JDK upgrade if you opted into "critical" OS security updates.

In their recklessness to rush out this change, thinking they know all the ways Java apps have been built over the last 30 years, they've likely caused users to now opt out of their automatic security updates (https://aws.amazon.com/amazon-linux-ami/faqs/#:~:text=Q%3A%20How%20do%20I%20disable%20the%20automatic%20installation%20of%20critical%20and%20important%20security%20updates%20on%20initial%20launch%3F).

Their first and only announcement of this kind was done via https://alas.aws.amazon.com/announcements/2021-001.html (no email or anything) and fails to mention the critical fact that it gets applied to previously baked AMIs.

AWS has long left the customer to manage their own environment within AWS, and this approach to security patching in a non-standard way (monkey-patching user-written code) is a betrayal of that trust and policy.
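The mechanism behind the FAQ entry the comment links to is cloud-init's `repo_upgrade` setting, which Amazon Linux ships as `security` so that security updates are installed on first launch; setting it to `none` in user data or in `/etc/cloud/cloud.cfg` is the documented opt-out. The script below is an added example, not the commenter's code or anything published by AWS: it reports the effective `repo_upgrade` policy, prints the opt-out user-data, and lists RPMs whose install time is at or after boot, which is the quickest way to see what a boot-time update run pulled in on top of a baked AMI. The config-merge logic is a simplification of cloud-init's real merging, and the package names in the sample listing are constructed for the test, not real packages.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes an Amazon Linux host where
# cloud-init's repo_upgrade key drives the first-boot security update run; the
# Amazon Linux default of "security" and the "none" opt-out come from the AWS FAQ
# linked in the comment above.

# 1. Effective repo_upgrade policy. cloud-init reads /etc/cloud/cloud.cfg and then
#    cloud.cfg.d/*.cfg; taking the last occurrence in that order is a simplification
#    of its real merge rules (assumption). A missing key means the Amazon Linux default.
repo_upgrade_policy() {
    dir="${1:-/etc/cloud}"
    val=$(cat "$dir/cloud.cfg" "$dir"/cloud.cfg.d/*.cfg 2>/dev/null |
          sed -n 's/^[[:space:]]*repo_upgrade:[[:space:]]*\([A-Za-z]*\).*/\1/p' |
          tail -n 1)
    printf '%s\n' "${val:-security}"
}

# 2. User data that disables the first-launch update run for a new instance.
opt_out_user_data() {
    printf '#cloud-config\nrepo_upgrade: none\n'
}

# 3. Packages installed at or after boot. Reads, on stdin, the output of
#      rpm -qa --qf '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
#    and takes the boot time as a Unix epoch in $1. Anything listed here was not
#    part of the AMI you baked; it arrived from the boot-time run or a later yum.
installed_since_boot() {
    boot="$1"
    awk -v boot="$boot" '$1 + 0 >= boot + 0 { print $2 }' | sort
}

# Boot time = now - uptime (Linux /proc/uptime).
boot_epoch() {
    up=$(cut -d. -f1 /proc/uptime)
    echo $(( $(date +%s) - up ))
}

# Constructed sample in the rpm query format above (not real data): boot at epoch
# 1639781000; the last two entries were installed after boot. The hotpatch package
# name is a placeholder, not the name of any real package.
SAMPLE_RPMS='1639700000 bash-4.2.46-34.amzn2.x86_64
1639700000 java-1.8.0-openjdk-headless-1.8.0.302.b08-0.amzn2.x86_64
1639781100 example-hotpatch-1.0-1.noarch
1639781105 java-1.8.0-openjdk-headless-1.8.0.312.b07-1.amzn2.x86_64'

# Run with --live on an instance to check the real host; without it, only the
# functions are defined (so the file can be sourced or tested offline).
case "${1:-}" in
--live)
    echo "repo_upgrade policy: $(repo_upgrade_policy)"
    echo "packages installed since boot:"
    rpm -qa --qf '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' |
        installed_since_boot "$(boot_epoch)"
    ;;
esac
```

On a host that was hit, `installed_since_boot` is the list to compare against your AMI manifest; if the JDK shows up there with a newer release than you baked, the boot-time run replaced it. Setting `repo_upgrade: none` only stops the first-launch run; it does not remove anything already installed, so roll the AMI rather than relying on the opt-out alone.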
prashantrajan, over 3 years ago
It's infuriating that they pushed out this breaking change late on a Friday, screwing over their customers, and all our enterprise account managers are now conveniently out on their holiday break.

5 days later and they are still "investigating" instead of rolling back the change.

Lesson: Don't use Amazon Linux. Pick an OS with mature stewardship like Ubuntu/Debian/RedHat.