Amazon Web Services fixes container escape in Log4Shell hotfix (Security News, April 2022)
Amazon Web Services has fixed four security issues in the hot patch it released in December to address the critical Log4Shell vulnerability, which affects cloud and on-premise environments, including containers, running Java applications with a vulnerable version of the Log4j logging library.
The hot patch packages from Amazon are not limited to AWS resources, and the issues allowed a process to escape its container and take control of the host.
Security researchers at Palo Alto Networks' Unit 42 discovered that Amazon's Log4Shell hot patch would continuously search for Java processes and patch them on the fly without ensuring that the patched processes ran under the restrictions imposed on their container.
"Containers can escape regardless of whether they run Java applications, or whether their underlying host runs Bottlerocket, AWS's hardened Linux distribution for containers. Containers running with user namespaces or as a non-root user are affected as well" - Palo Alto Networks.
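The root cause described above is a host-side helper acting on a containerised process without first adopting the container's confinement. A pre-flight check can guard against that class of mistake. The following Python is an added illustration written for this article, not code from AWS's hot patch or from Unit 42: it compares the Linux namespaces and credentials of a target process with those of the helper itself and reports which namespaces the helper would have to join (via setns/nsenter) and whether it must drop to the target's UID before doing anything on the target's behalf. The function names and the sample namespace identifiers are constructed for the example.

```python
"""Pre-flight check for a helper that attaches to running processes.

Hypothetical code written to illustrate the article; it is not the AWS
hot patch and does not describe how that patch was implemented.
"""
import os
from typing import Dict, List, Tuple

# Namespace types the Linux kernel exposes under /proc/<pid>/ns.
NAMESPACES = ("mnt", "pid", "net", "user", "ipc", "uts", "cgroup")


def read_ns_ids(pid) -> Dict[str, str]:
    """Read namespace identifiers such as 'mnt:[4026531840]' for a PID.

    Returns only the namespace types the kernel exposes (Linux only);
    on other platforms the dict is empty.
    """
    ids: Dict[str, str] = {}
    for ns in NAMESPACES:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue  # unsupported namespace type, or the PID is gone
    return ids


def read_euid(pid) -> int:
    """Effective UID of a PID from /proc/<pid>/status (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("Uid:"):
                # Format: Uid: <real> <effective> <saved> <filesystem>
                return int(line.split()[2])
    raise RuntimeError(f"no Uid line in status of pid {pid}")


def namespace_diff(target: Dict[str, str], own: Dict[str, str]) -> List[str]:
    """Namespace types in which the target differs from the caller."""
    return [ns for ns in NAMESPACES
            if ns in target and ns in own and target[ns] != own[ns]]


def patch_plan(target_ns: Dict[str, str], own_ns: Dict[str, str],
               target_uid: int, own_uid: int) -> Tuple[str, List[str], bool]:
    """Decide how a helper may act on a target process.

    Returns (action, namespaces_to_enter, drop_privileges):
      'in-place'         - target shares the helper's namespaces
      'enter-namespaces' - target is confined; anything the helper spawns
                           must first join the listed namespaces so that it
                           inherits the container's view rather than the host's
    drop_privileges is True when a root helper targets a non-root process:
    it must switch to the target's UID before executing code for it.
    """
    diff = namespace_diff(target_ns, own_ns)
    drop = own_uid == 0 and target_uid != 0
    if diff:
        return ("enter-namespaces", diff, drop)
    return ("in-place", [], drop)


# Constructed sample: a root helper in the host's initial namespaces looking
# at a process inside a container with its own mnt/pid/net/user namespaces.
HOST_NS = {
    "mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]",
    "net": "net:[4026531992]", "user": "user:[4026531837]",
    "ipc": "ipc:[4026531839]", "uts": "uts:[4026531838]",
    "cgroup": "cgroup:[4026531835]",
}
CONTAINER_NS = dict(HOST_NS, mnt="mnt:[4026532455]", pid="pid:[4026532457]",
                    net="net:[4026532460]", user="user:[4026532458]")

if __name__ == "__main__":
    # Constructed case: non-root Java process in a container, root helper.
    print(patch_plan(CONTAINER_NS, HOST_NS, target_uid=1000, own_uid=0))
    # Live case: the helper inspecting itself is always 'in-place'.
    me = os.getpid()
    print(patch_plan(read_ns_ids(me), read_ns_ids("self"),
                     os.geteuid(), os.geteuid()))
```

The decision is deliberately conservative: any namespace mismatch forces the helper to join the target's namespaces before spawning anything, and a root helper targeting a non-root process must drop privileges even when the namespaces already match, which covers the non-root container case the quote above mentions.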
Researchers at Palo Alto Networks identified the security issues in the AWS fixes six days after the hot patch was released and informed Amazon on December 21, 2021.
Unit 42 cautions against prioritizing the container escape flaws over Log4Shell itself, because the Log4j vulnerability is more severe and is being actively exploited.