AWS Confirms Log4j Hotpatch Fix Leads to Privilege Escalation
Back in December, Amazon released emergency fixes to address the Log4j vulnerability in JVMs across multiple environments, but it looks like these updates still left some security loopholes. Since Amazon published the fixes, security researchers have discovered that the original hot patch left AWS customers vulnerable to container escape and privilege escalation bugs (via The Register).
The Log4j vulnerability is a remote code execution flaw in Apache’s popular Java library for logging error messages in applications. This security flaw allows attackers to gain access to all files stored on the target machine and delete/encrypt them for ransomware purposes. This vulnerability affected software and services from major vendors such as Microsoft, Apple, and VMware.
AWS releases new hotpatches for Log4j vulnerability
Amazon Web Services released new security patches earlier this week for Amazon Linux and Amazon Linux 2. These security updates address the high-severity vulnerabilities (tracked as CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071) introduced by Amazon’s Log4j hotpatch. The company has credited Palo Alto Networks’ Unit 42 threat research team, which reported these bugs back in December last year.
Amazon recommends that all AWS customers running Java apps in off-premises environments install the latest patches as soon as possible.
“Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the latest hotpatch version by running the following command: sudo yum update. The hotpatch expects an environment containing the latest Linux kernel updates, and customers should not skip any available kernel updates when updating the version of the hotpatch in use,” Amazon explained in its Security Advisory for Apache Log4j Hotpatch Issues.
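The advisory ties the fixed hotpatch to the host also running the latest kernel. The following script is an added example (not AWS’s code or part of the advisory) of a host check that enforces both conditions on Amazon Linux 2: it assumes the hotpatch ships in the Amazon Linux package log4j-cve-2021-44228-hotpatch, that the expected version is passed in by the operator, and that a kernel newer than the running one means a reboot is still pending; all version strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify an Amazon Linux host after "sudo yum update" for the
# Log4j hotpatch fix. Two conditions from the advisory are checked: the hotpatch
# package is at (or above) the expected version, and the running kernel is the
# newest installed kernel (no skipped kernel update, no pending reboot).
# Package name log4j-cve-2021-44228-hotpatch and version formats are assumptions.

# newest_version V1 V2 ... -> prints the highest version (RPM-style numeric sort).
newest_version() {
  printf '%s\n' "$@" | sort -V | tail -n 1
}

# running_kernel_is_newest RUNNING INSTALLED... -> exit 0 if RUNNING is the
# newest installed kernel, else 1 (a newer installed kernel is not yet booted).
running_kernel_is_newest() {
  running="$1"; shift
  [ "$(newest_version "$@")" = "$running" ]
}

# hotpatch_is_current INSTALLED EXPECTED -> exit 0 if INSTALLED >= EXPECTED.
hotpatch_is_current() {
  [ "$(newest_version "$1" "$2")" = "$1" ]
}

# check_host EXPECTED_HOTPATCH_VERSION -> run the live checks on a yum-based host.
# Version strings come from uname and rpm; EXPECTED is an operator-supplied value.
check_host() {
  expected="$1"
  running=$(uname -r)
  installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel)
  hp=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' log4j-cve-2021-44228-hotpatch 2>/dev/null)
  status=0
  if [ -z "$hp" ]; then
    echo "hotpatch package not installed"; status=1
  elif ! hotpatch_is_current "$hp" "$expected"; then
    echo "hotpatch $hp is older than expected $expected: run sudo yum update"; status=1
  fi
  # shellcheck disable=SC2086  # word-splitting $installed into one kernel per arg
  if ! running_kernel_is_newest "$running" $installed; then
    echo "running kernel $running is not the newest installed: reboot required"; status=1
  fi
  return "$status"
}
```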
For AWS customers that use Bottlerocket with the Hotdog fix for Apache Log4j, the latest Bottlerocket release is available with the updated Hotdog version. Along with the release of its security fixes, Microsoft also provided IT admins with a new version of the DaemonSet that should help to address the vulnerabilities in Kubernetes clusters. If you’re interested, you can learn more about AWS’s Log4j hotpatch vulnerability in this blog post.