Security News > 2022 > April > AWS's Log4j patches blew holes in its own security

AWS's Log4j patches blew holes in its own security
2022-04-20 21:51

Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation.

The vulnerabilities introduced by Amazon's Log4j hotpatch - CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 - are all high-severity bugs rated 8.8 out of 10 on the CVSS. AWS customers using Java software in their off-prem environments should grab the latest patch set from Amazon and install.

In December, shortly after security researchers sounded the alarm on the now-infamous remote-code execution flaw in Apache's incredibly widely used logging library, Amazon released emergency hot-fixes to close the Log4j RCE in vulnerable JVMs across multiple environments: standalone virtual servers, Kubernetes clusters, Amazon Elastic Container Service instances, and AWS Fargate serverless situations.

Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the new version by running the following command: sudo yum update.

The issue with the earlier AWS patches, according to Unit 42 security researcher Yuval Avrahami, is that they will attempt to patch any process running a binary named "Java" - in order to fix up vulnerable JVMs - and will do so by running the container's "Java" binary with elevated privileges.

The fixed AWS patches spawn "Java" binaries with the appropriate privileges to prevent a container escape, Avrahami wrote.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/20/aws_log4j_patches/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-04-19 CVE-2022-0071 Improper Privilege Management vulnerability in Hotdog Project Hotdog
Incomplete fix for CVE-2021-3101.
local
low complexity
hotdog-project CWE-269
8.8
2022-04-19 CVE-2022-0070 Improper Privilege Management vulnerability in Amazon Log4Jhotpatch
Incomplete fix for CVE-2021-3100.
local
low complexity
amazon CWE-269
8.8
2022-04-19 CVE-2021-3101 Improper Privilege Management vulnerability in Hotdog Project Hotdog
Hotdog, prior to v1.0.1, did not mimic the capabilities or the SELinux label of the target JVM process.
local
low complexity
hotdog-project CWE-269
8.8
2022-04-19 CVE-2021-3100 Improper Privilege Management vulnerability in Amazon Log4Jhotpatch
The Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.1-13 didn’t mimic the permissions of the JVM being patched, allowing it to escalate privileges.
local
low complexity
amazon CWE-269
8.8