
AWS Marketplace: False Positive Security Warning

It was recently brought to our attention that AWS Marketplace sent a security warning directly to many of our AWS users. This happened without any prior consultation with us, and without any verification that there was actually an issue to warn about.

Let us make this perfectly clear: This is a FALSE POSITIVE. NO ACTION IS REQUIRED. You do not need to reset the debian-sys-maint password. All secrets are randomly generated on first boot, including the debian-sys-maint password.

Whilst it was completely out of our control, we deeply apologize for the confusion and panic this has caused.

We take security extremely seriously, and we appreciate that AWS does too. In this case, given the sheer volume of images in the marketplace, they decided to err on the side of caution and notify all "affected" image subscribers, not just TurnKey users, which we appreciate. That said, we would have appreciated it a lot more if they had verified the issue and/or reached out to us first, but that is a discussion for another day...

To accommodate the updated AWS security scanner, we have removed the configuration file in question (/etc/mysql/debian.cnf) from the image; it is now recreated entirely on first boot, together with the randomly generated debian-sys-maint password it contains. This has the unfortunate side effect of slowing down first-boot initialization slightly.
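To make the first-boot regeneration concrete, here is an added example in POSIX shell. It is not TurnKey's own firstboot code; it only sketches the shape of the job: generate a random secret, write a fresh debian.cnf with root-only permissions, and reset the MySQL account to match. The target path, the account name, the 32-character password length and the `mysql` root invocation are all assumptions, and the check at the end (file present, mode 0600, non-empty password) is the kind of verification you can run on a running instance without resetting anything.

```shell
#!/bin/sh
# Added example, not TurnKey's firstboot code. Assumptions: GNU coreutils
# (stat -c), a MariaDB/MySQL server whose root account is reachable via
# "mysql" when run as root, and the default Debian path for debian.cnf.
set -eu

DEBIAN_CNF="${DEBIAN_CNF:-/etc/mysql/debian.cnf}"   # assumed default path
MAINT_USER="debian-sys-maint"

# 32 alphanumeric characters from the kernel CSPRNG. Alphanumeric only, so
# the value needs no quoting when it is later put into an SQL statement.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Render a debian.cnf for $user/$pass at $path. The temp file is created
# 0600 by mktemp and moved into place atomically; nobody but root can read
# the password at any point.
write_debian_cnf() {
    path="$1"; user="$2"; pass="$3"
    tmp="$(mktemp "${path}.XXXXXX")"
    cat >"$tmp" <<EOF
[client]
host     = localhost
user     = $user
password = $pass
socket   = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = $user
password = $pass
socket   = /var/run/mysqld/mysqld.sock
EOF
    chmod 0600 "$tmp"
    mv "$tmp" "$path"
}

# Extract the password from the first "password = ..." line of a debian.cnf.
cnf_password() {
    sed -n 's/^password[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Sanity check for an existing file: present, mode 0600, non-empty password.
cnf_ok() {
    path="$1"
    [ -f "$path" ] || return 1
    [ "$(stat -c '%a' "$path")" = "600" ] || return 1
    [ -n "$(cnf_password "$path")" ]
}

# Make the server-side account match the file. Only attempted when a mysql
# client is installed; on a machine without one this is a no-op.
reset_mysql_password() {
    user="$1"; pass="$2"
    if ! command -v mysql >/dev/null 2>&1; then
        echo "mysql client not found; skipping account reset" >&2
        return 0
    fi
    mysql -e "ALTER USER '$user'@'localhost' IDENTIFIED BY '$pass'; FLUSH PRIVILEGES;"
}

# First-boot logic: the image ships without the file, so its absence is the
# "first boot" marker. Subsequent boots leave an existing file alone.
# Pass "apply" as the second argument to also reset the MySQL account.
firstboot_regenerate() {
    path="$1"; apply="${2:-}"
    [ -e "$path" ] && return 0
    pass="$(gen_password)"
    write_debian_cnf "$path" "$MAINT_USER" "$pass"
    [ "$apply" = "apply" ] && reset_mysql_password "$MAINT_USER" "$pass"
    return 0
}

# Stand-alone demo in a scratch directory (never touches /etc/mysql):
demo_dir="$(mktemp -d)"
firstboot_regenerate "$demo_dir/debian.cnf"
if cnf_ok "$demo_dir/debian.cnf"; then
    echo "wrote $demo_dir/debian.cnf with a fresh $MAINT_USER password"
fi
```

On a real instance you would call `firstboot_regenerate "$DEBIAN_CNF" apply` as root from whatever runs your first-boot hooks; `cnf_ok /etc/mysql/debian.cnf` is the cheap check to run if you want to confirm the file exists and is not world-readable, and comparing its password against a fresh boot of the same image confirms it is per-instance rather than baked in.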

If you have any questions or concerns, please feel free to post a comment below, open a new thread on the forums, or contact us via the support email.

For full context, here is the AWS email in full:

> Dear AWS Marketplace Subscriber,
> We are writing to notify you that a scan of our catalog identified the presence of a
> default password in the following product you have subscribed to:
> LAMP Stack - Web Stack (MySQL) powered by TurnKey GNU/Linux
> The default password for the MySQL user "debian-sys-maint" can be found in the
> following location:
> /etc/mysql/debian.cnf
> If you are still running this software, we highly recommend you reset this password.
> If you have additional questions about your software please contact TurnKey
> GNU/Linux directly at:
> Thank you,
> --The AWS Marketplace Team