Explain CloudWatch Agent RPM bXXXX release suffix vs -1.amzn20xx (AL2/AL2023) - CVE-2025-61731 / CVE-2025-68119

[rgoltz]

Summary

We install amazon-cloudwatch-agent from the official Amazon Linux repos (AL2 and AL2023). As a result, on AL2023 we have amazon-cloudwatch-agent-1.300064.1b1344-1.x86_64 installed.

For CVE-2025-61731 and CVE-2025-68119, we found guidance that mentions a fixed version like 1.300064.1-1.amzn2023. Because our installed RPM uses a different release string (b1344-1), we cannot tell if we are patched.

Questions

1. Does amazon-cloudwatch-agent-1.300064.1b1344-1.x86_64 include fixes for CVE-2025-61731 and CVE-2025-68119?
2. What does the bXXXX suffix mean in Amazon Linux RPM versions (example: 1.300064.1b1344-1)?
3. How should we map/compare 1.300064.1b1344-1 to 1.300064.1-1.amzn2023 for patch/compliance checks? Any official reference is appreciated.

Environment

• Amazon Linux 2023.10.20260302 (also seen on AL2)
• Installed via dnf from official repos

Evidence (AL2023)

$ rpm -q amazon-cloudwatch-agent
amazon-cloudwatch-agent-1.300064.1b1344-1.x86_64

$ dnf list --showduplicates amazon-cloudwatch-agent
Installed Packages
amazon-cloudwatch-agent.x86_64  1.300064.1b1344-1  @System

Available Packages
amazon-cloudwatch-agent.x86_64  1.300064.1-1.amzn2023  amazonlinux

Notes

AWS-Case: 177323389600039

[rgoltz]

Regarding the CVEs, we reference to the Amazon Linux Security Advisories:

• ALAS2023-2026-1442
• ALAS2-2026-3174

[jefchien]

Hi @rgoltz,

Per our security disclosure guidelines (https://github.com/aws/amazon-cloudwatch-agent?tab=readme-ov-file#security-disclosures)

If you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the instructions here or email AWS security directly.

---

The bXXXX suffix is a build number that is included in the S3, SSM, ECR, and DockerHub releases (see https://hub.docker.com/r/amazon/cloudwatch-agent/tags for examples). It is not present in the Amazon Linux RPM distribution versioning and does not indicate a difference in the source code for the build.

> dnf provides amazon-cloudwatch-agent

...

amazon-cloudwatch-agent-1.300062.1-1.amzn2023.x86_64 : Amazon CloudWatch Agent
Repo        : amazonlinux
Matched from:
Provide    : amazon-cloudwatch-agent = 1.300062.1-1.amzn2023

amazon-cloudwatch-agent-1.300064.1-1.amzn2023.x86_64 : Amazon CloudWatch Agent
Repo        : amazonlinux
Matched from:
Provide    : amazon-cloudwatch-agent = 1.300064.1-1.amzn2023

The important part is 1.x.x.

[rgoltz]

Thanks for the clarification @jefchien - This is very helpful and matches our expectations.

Fully understood regarding the security disclosure guidelines - no concerns there. The reason we included the CVE references and Amazon Linux Security Advisories in the issue title was purely for discoverability: many others running security scanners against AL2/AL2023 will likely encounter the same version string mismatch and may find this issue when researching/google them, once they use (have to use) the same scanner. They all currently running into those false-positive for Advisories like ALAS2023-2026-1442 or ALAS2023-2026-1473.

One follow-up question from our security scanner vendor: Is the behavior of the bXXXX build suffix and the fact that it is absent from the Amazon Linux RPM distribution versioning documented anywhere in the official Amazon Linux 2023 documentation or in official AWS/Amazon Linux release notes? A pointer to a public reference would help them adjust their version detection logic accordingly - which would ultimately benefit the broader community of AL2/AL2023 users running compliance scans from this vendor, which is based in California ;-).

[chadpatel]

Thank you for contacting us regarding CVE-2025-61731 and CVE-2025-68119.

The CloudWatch Agent version you have installed (amazon-cloudwatch-agent-1.300064.1b1344-1.x86_64) is not affected by these CVEs and no customer action is required.

The bXXXX suffix (e.g., b1344) is a build identifier used in S3, SSM, ECR, and DockerHub releases. It is not present in Amazon Linux RPM distribution versioning and does not indicate a difference in the source code. The version 1.300064.1b1344-1 is equivalent to 1.300064.1-1.amzn2023 for compliance purposes.

There are no AL2023-specific binaries for CloudWatch Agent. The same binaries work across both AL2 and AL2023.

If you have questions or concerns, please follow up on this support case.