AWS Confirms Log4j Hotpatch Fix Leads to Privilege Escalation
Back in December, Amazon released emergency fixes to address the Log4j vulnerability in JVMs across multiple environments, but it turns out those updates left security loopholes of their own. Since Amazon published the fixes, security researchers have discovered that the original hot patch left AWS customers vulnerable to container escape and privilege escalation bugs (via The Register).
The Log4j vulnerability (also known as Log4Shell) is a remote code execution flaw in Apache’s popular Java library for logging error messages in applications. The flaw allows attackers to gain access to all files stored on the target machine and delete or encrypt them for ransomware purposes. It affected software and services from major vendors such as Microsoft, Apple, and VMware.
AWS releases new hotpatches for Log4j vulnerability
Amazon Web Services released new security patches earlier this week for Amazon Linux and Amazon Linux 2. These security updates address the high-severity vulnerabilities (tracked as CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071) introduced by Amazon’s Log4j hotpatch. The company has credited Palo Alto Networks’ Unit 42 threat research team, who had reported this bug back in December last year.
Amazon is recommending that all AWS customers running Java apps in their off-premise environments install the latest patches as soon as possible.
“Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the latest hotpatch version by running the following command: sudo yum update. The hotpatch expects an environment containing the latest Linux kernel updates, and customers should not skip any available kernel updates when updating the version of the hotpatch in use,” Amazon explained in its Security Advisory for Apache Log4j Hotpatch Issues.
For AWS customers that use Bottlerocket with the Hotdog fix for Apache Log4j, the latest Bottlerocket release ships with the updated Hotdog version. Along with the release of its security fixes, Microsoft also provided IT admins with a new version of the Daemonset that should help address the vulnerabilities in Kubernetes clusters. If you’re interested, you can learn more about AWS’s Log4j Hot Patch vulnerability in this blog post.