AWS's Log4j patches blew holes in its own security
Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation.
The vulnerabilities introduced by Amazon's Log4j hotpatch - CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 - are all rated high severity, with CVSS scores of up to 8.8 out of 10. AWS customers running Java software in their AWS environments should install the latest hotpatch packages from Amazon.
In December, shortly after security researchers sounded the alarm on the now-infamous remote-code execution flaw (CVE-2021-44228) in Apache's very widely used logging library, Amazon released emergency hotpatches to close the Log4j RCE in vulnerable JVMs across multiple environments: standalone virtual servers, Kubernetes clusters, Amazon Elastic Container Service instances, and AWS Fargate serverless deployments.
Customers using the hotpatch for Apache Log4j on Amazon Linux can update the log4j-cve-2021-44228-hotpatch package to the fixed version by running: sudo yum update.
The issue with the earlier AWS patches, according to Unit 42 security researcher Yuval Avrahami, is that they attempt to patch any process whose binary is named "java" - in order to fix up vulnerable JVMs - and do so by running that container's own "java" binary with the hotpatch's privileges rather than the target JVM's: root, a full capability set, and none of the container's confinement. Because the binary comes from the container, a container that supplies its own executable named "java" gets it run with those privileges, which is the container escape; the same mechanism lets an unprivileged process on a host escalate.
The fixed AWS patches spawn the "java" binary with the privileges of the JVM being patched, which prevents the container escape, Avrahami wrote.
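The check the first hotpatch lacked, as an added example in Python that is not AWS's hotpatch code or Hotdog's: before a host-side patcher executes a binary taken from a container, it reads the target JVM's uid, gid, supplementary groups, capability bounding set and SELinux label from /proc, reports every way its own privileges exceed them, and adopts the target's credentials before exec. The function names (parse_proc_status, privilege_gap, adopt, run_as_target), the file name mimic_exec.py and the JVM_STATUS/PATCHER_STATUS /proc excerpts are constructed for this example; it assumes Linux, Python 3.9+, and root for the exec path.

```python
"""Privilege-mimicking exec: the check the first AWS Log4j hotpatch lacked.

Added example, not code from AWS's hotpatch or from Hotdog. A host-side patcher that
must run a binary taken from a container first reads the target JVM's uid, gid, groups,
capability bounding set and SELinux label from /proc, reports every way its own
privileges exceed them, and adopts them before exec. Linux, Python 3.9+; root to exec."""
import ctypes
import errno
import os
from collections import namedtuple

PR_CAPBSET_DROP, PR_SET_NO_NEW_PRIVS = 24, 38      # prctl(2) options, linux/prctl.h

# Capability names by bit number, CAP_CHOWN (0) .. CAP_CHECKPOINT_RESTORE (40).
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
             "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
             "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
             "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
             "lease audit_write audit_control setfcap mac_override mac_admin syslog "
             "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore").split()

# Constructed /proc/<pid>/status excerpts: an unprivileged JVM in a container with
# Docker's default bounding set, and the root patcher that wants to inject into it.
JVM_STATUS = ("Name:\tjava\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
              "Groups:\t1000 \nCapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n")
PATCHER_STATUS = ("Name:\thotpatch\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t \n"
                  "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n")

Creds = namedtuple("Creds", "uid gid groups cap_eff cap_bnd selinux")

def parse_proc_status(text, selinux=""):
    """Uid/Gid lines hold real, effective, saved and fs ids; the effective ones are mirrored."""
    f = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        f[key] = val.split()
    return Creds(int(f["Uid"][1]), int(f["Gid"][1]), [int(g) for g in f.get("Groups", [])],
                 int(f["CapEff"][0], 16), int(f["CapBnd"][0], 16), selinux.strip("\n\0"))

def read_creds(pid):
    """Credentials of a live process; the label file is absent or empty without SELinux."""
    try:
        label = open(f"/proc/{pid}/attr/current").read()
    except OSError:
        label = ""
    return parse_proc_status(open(f"/proc/{pid}/status").read(), label)

def cap_names(mask):
    return [n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]

def privilege_gap(patcher, target):
    """Everything the patcher holds that the target lacks; non-empty means that running
    the target's binary with the patcher's credentials is a privilege escalation."""
    gap = []
    for name in ("uid", "gid", "selinux"):
        if getattr(patcher, name) != getattr(target, name):
            gap.append(f"{name} {getattr(patcher, name)!r} vs target {getattr(target, name)!r}")
    for name, mask in (("effective caps", patcher.cap_eff & ~target.cap_eff),
                       ("bounding set", patcher.cap_bnd & ~target.cap_bnd)):
        if mask:
            gap.append(f"extra {name}: " + ",".join(cap_names(mask)))
    return gap

def adopt(target, me):
    """Drop to the target's credentials; the order matters and every step is irreversible."""
    libc = ctypes.CDLL(None, use_errno=True)
    for bit in range(len(CAP_NAMES)):      # bounding set first, while CAP_SETPCAP is still held
        if not target.cap_bnd >> bit & 1 and libc.prctl(PR_CAPBSET_DROP, bit, 0, 0, 0):
            if ctypes.get_errno() != errno.EINVAL:   # EINVAL: this kernel predates the cap
                raise OSError(ctypes.get_errno(), f"capbset drop {CAP_NAMES[bit]}")
    if target.selinux != me.selinux:       # label applied at the next exec; fails closed
        with open("/proc/self/attr/exec", "w") as fh:
            fh.write(target.selinux)
    os.setgroups(target.groups)
    os.setresgid(target.gid, target.gid, target.gid)
    os.setresuid(target.uid, target.uid, target.uid)   # root -> uid also empties permitted/effective caps
    libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)

def run_as_target(pid, argv):
    """Exec argv (a path as seen inside pid's mount namespace) with pid's credentials."""
    target, me = read_creds(pid), read_creds(os.getpid())
    libc = ctypes.CDLL(None, use_errno=True)
    # Open every namespace fd before the first setns: once inside the target's mount
    # namespace, /proc/<host pid> no longer resolves.
    fds = [os.open(f"/proc/{pid}/ns/{ns}", os.O_RDONLY) for ns in ("mnt", "uts", "ipc", "net", "pid")]
    child = os.fork()
    if child == 0:
        for fd in fds:
            if libc.setns(fd, 0):
                raise OSError(ctypes.get_errno(), "setns")
        if os.fork() == 0:                 # second fork: only children join the pid namespace
            adopt(target, me)
            os.execv(argv[0], argv)
        os._exit(os.waitstatus_to_exitcode(os.wait()[1]))
    for fd in fds:
        os.close(fd)
    return os.waitstatus_to_exitcode(os.waitpid(child, 0)[1])

if __name__ == "__main__":          # sudo python3 mimic_exec.py <jvm pid> /usr/bin/java -version
    import sys
    print(*privilege_gap(read_creds(os.getpid()), read_creds(int(sys.argv[1]))), sep="\n")
    sys.exit(run_as_target(int(sys.argv[1]), sys.argv[2:]))
```

privilege_gap() is the audit step: on the constructed sample it reports the root patcher's uid, gid, all 41 effective capabilities and the 27 bounding-set bits the JVM does not have, which is exactly the surplus a malicious "java" binary would inherit under the original hotpatch. adopt() closes that gap in the only order that works (bounding set while CAP_SETPCAP is held, label for the next exec, groups, gid, then uid), and if any step fails the right outcome is to refuse to run the container's binary rather than run it anyway. The user namespace is deliberately not joined, so uids are applied as the host sees them in /proc/<pid>/status.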
News URL
https://go.theregister.com/feed/www.theregister.com/2022/04/20/aws_log4j_patches/
Related Vulnerability
Date | CVE | Vulnerability | CVSS score
---|---|---|---
2022-04-19 | CVE-2022-0071 | Improper privilege management in Hotdog (Hotdog Project): incomplete fix for CVE-2021-3101. | 7.2
2022-04-19 | CVE-2022-0070 | Improper privilege management in Amazon's Log4j hotpatch: incomplete fix for CVE-2021-3100. | 8.8
2022-04-19 | CVE-2021-3101 | Improper privilege management in Hotdog (Hotdog Project): Hotdog before v1.0.1 did not mimic the capabilities or the SELinux label of the target JVM process. | 8.8
2022-04-19 | CVE-2021-3100 | Improper privilege management in Amazon's Log4j hotpatch: the hotpatch package before log4j-cve-2021-44228-hotpatch-1.1-13 did not mimic the permissions of the JVM being patched, allowing it to escalate privileges. | 8.8