AWS’s Log4j patches blew holes in its own security


Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation.

The vulnerabilities introduced by Amazon’s Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity bugs rated 8.8 out of 10 on the CVSS scale. AWS customers running Java software in their off-prem environments should grab the latest patch set from Amazon and install it.

“We recommend that customers who run Java applications in containers, and use either the hotpatch or Hotdog, update to the latest versions of the software immediately,” the cloud giant said in a security bulletin on Tuesday.

In December, shortly after security researchers sounded the alarm on the now-infamous remote-code execution flaw in Apache’s incredibly widely used logging library, Amazon released emergency hot-fixes to close the Log4j RCE in vulnerable JVMs across multiple environments: standalone virtual servers, Kubernetes clusters, Amazon Elastic Container Service (ECS) instances, and AWS Fargate serverless deployments.

The goal was to quickly address the logging library vulnerability while sysadmins worked out how to migrate their applications and services to a non-vulnerable Log4j version.

However, the hot-fixes inadvertently introduced new weaknesses. These new bugs, if exploited, could allow a miscreant to escape a container and take over the underlying host server as the root user, according to Palo Alto Networks’ Unit 42 threat research team, which discovered the flaws. Exploitation could thus lead to the hijacking of other containers and customer applications on the host.

Hotdog!
