Security News > 2022 > April > AWS's Log4j patches blew holes in its own security
Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation.
The vulnerabilities introduced by Amazon's Log4j hotpatch - CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 - are all high-severity bugs rated 8.8 out of 10 on the CVSS. AWS customers using Java software in their off-prem environments should grab the latest patch set from Amazon and install.
In December, shortly after security researchers sounded the alarm on the now-infamous remote-code execution flaw in Apache's incredibly widely used logging library, Amazon released emergency hot-fixes to close the Log4j RCE in vulnerable JVMs across multiple environments: standalone virtual servers, Kubernetes clusters, Amazon Elastic Container Service instances, and AWS Fargate serverless situations.
Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the new version by running the following command: sudo yum update.
The issue with the earlier AWS patches, according to Unit 42 security researcher Yuval Avrahami, is that they will attempt to patch any process running a binary named "Java" - in order to fix up vulnerable JVMs - and will do so by running the container's "Java" binary with elevated privileges.
The fixed AWS patches spawn "Java" binaries with the appropriate privileges to prevent a container escape, Avrahami wrote.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/04/20/aws_log4j_patches/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-04-19 | CVE-2022-0071 | Improper Privilege Management vulnerability in Hotdog Project Hotdog Incomplete fix for CVE-2021-3101. | 8.8 |
2022-04-19 | CVE-2022-0070 | Improper Privilege Management vulnerability in Amazon Log4Jhotpatch Incomplete fix for CVE-2021-3100. | 8.8 |
2022-04-19 | CVE-2021-3101 | Improper Privilege Management vulnerability in Hotdog Project Hotdog Hotdog, prior to v1.0.1, did not mimic the capabilities or the SELinux label of the target JVM process. | 8.8 |
2022-04-19 | CVE-2021-3100 | Improper Privilege Management vulnerability in Amazon Log4Jhotpatch The Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.1-13 didn’t mimic the permissions of the JVM being patched, allowing it to escalate privileges. | 8.8 |