AWS has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation.
The vulnerabilities introduced by Amazon’s Log4j hotpatch (CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071) are all high-severity bugs rated 8.8 out of 10 on the CVSS scale. AWS customers running Java software in their AWS-hosted environments should get the latest patch set from Amazon and install it.
Amazon recommends that customers who run Java applications in containers, and who use either the hotpatch or Hotdog, update to the latest versions.
Late last year, Amazon released emergency hot-fixes to close the Log4j RCE hole in vulnerable JVMs across multiple environments: standalone virtual servers, Kubernetes clusters, Amazon ECS instances, and AWS Fargate serverless deployments.
The goal was to quickly address the logging library vulnerability while sysadmins worked out how to migrate their applications and services to a non-vulnerable Log4j version.
The hot-fixes inadvertently introduced new weaknesses. These new bugs, if exploited, could allow a miscreant to escape a container and take over the underlying host server as the root user. Exploitation could thus lead to the hijacking of other containers and customer applications on the host.
AWS issued new versions of the hotpatch for Amazon Linux and Amazon Linux 2. Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the new version by running the following command:
sudo yum update
Customers using Bottlerocket with the Hotdog fix for Apache Log4j can update to the latest Bottlerocket release, which includes the updated version of Hotdog.
To address the vulnerabilities in Kubernetes clusters, users can install the latest DaemonSet provided by AWS, which includes the fixed hotpatch.
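As an added verification helper for the Amazon Linux path above (this is not AWS's tooling or code from the article), the script below reports whether a host already carries a fixed build of the hotpatch before and after running the yum update. It assumes the hotpatch ships as the RPM package log4j-cve-2021-44228-hotpatch and that MIN_FIXED is set to the first fixed VERSION-RELEASE from the AWS bulletin, which this page does not state, so no default is baked in.

```shell
#!/bin/sh
# Added helper (not AWS code). Assumes the hotpatch RPM is named
# log4j-cve-2021-44228-hotpatch and that MIN_FIXED (exported by the operator)
# holds the fixed VERSION-RELEASE from the AWS bulletin; no default is provided.
HOTPATCH_PKG="log4j-cve-2021-44228-hotpatch"

# Compare two RPM VERSION-RELEASE strings field by field as integers
# (e.g. 1.3-5 >= 1.3-4, 1.10-1 >= 1.9-3). Non-numeric fields such as a
# distribution tag (amzn2) count as 0. Prints 1 when $1 >= $2, otherwise 0.
rpm_vr_ge() {
  i=1
  while :; do
    x=$(printf '%s' "$1" | tr '.-' '\n\n' | sed -n "${i}p")
    y=$(printf '%s' "$2" | tr '.-' '\n\n' | sed -n "${i}p")
    if [ -z "$x" ] && [ -z "$y" ]; then echo 1; return 0; fi
    case $x in ''|*[!0-9]*) x=0;; esac
    case $y in ''|*[!0-9]*) y=0;; esac
    if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    if [ "$x" -lt "$y" ]; then echo 0; return 0; fi
    i=$((i + 1))
  done
}

# Classify an installed hotpatch VERSION-RELEASE ($1) against the fixed one ($2).
classify_hotpatch_version() {
  if [ "$(rpm_vr_ge "$1" "$2")" = 1 ]; then echo fixed; else echo needs-update; fi
}

# Query the local RPM database. Prints one of:
# unknown (no rpm or MIN_FIXED unset), not-installed, fixed, needs-update.
hotpatch_status() {
  [ -n "${MIN_FIXED:-}" ] || { echo "set MIN_FIXED from the AWS bulletin" >&2; echo unknown; return 0; }
  command -v rpm >/dev/null 2>&1 || { echo unknown; return 0; }
  vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$HOTPATCH_PKG" 2>/dev/null) || { echo not-installed; return 0; }
  classify_hotpatch_version "$vr" "$MIN_FIXED"
}
```

Run `MIN_FIXED=<version-release from the bulletin> sh -c '. ./check.sh; hotpatch_status'` on each Amazon Linux host before and after `sudo yum update`; anything other than `fixed` still needs attention.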