CVE-2025-8904 - Issue with Amazon EMR Secret Agent component

2025 017 ยท 2026-06-05

Actions

Rate this issue

Technical Details

Affected Versions 6.10, 6.11, 6.12, 6.13, 6.14, 6.15, 7.0, 7.1, 7.2, 7.3, 7.4
Regions all
CVE IDs CVE-2025-8904
Migration Required Yes
Cost Impact Neutral
IaC Impact High

What This Means

For DevOps Teams

Update Amazon EMR clusters to version 7.5 or higher to apply the security patch for CVE-2025-8904, which removes the vulnerable /tmp/ directory for storing Kerberos credentials, reducing the risk of privilege escalation.

For Platform Teams

Deploy the updated Amazon EMR version 7.5 to incorporate the security fix for the Secret Agent component, enhancing the platform's security posture and protecting sensitive data from potential breaches.

For Executives

Implement the latest Amazon EMR version 7.5 to mitigate the security risk posed by CVE-2025-8904 and protect sensitive credentials from unauthorized access, ensuring compliance and data integrity.

Source

View original AWS announcement โ†’

Weekly AWS Digest in Your Inbox

No spam, no headlines. Just a weekly summary of the 3โ€“7 AWS changes that matter for DevOps and Platform teams.

๐Ÿ“ง Exactly 1 email per week โ€ข Every Tuesday โ€ข Unsubscribe anytime

Today: AWS only. Coming next: Azure and other major clouds.