AWS Confirms Log4j Hotpatch Fix Leads to Privilege Escalation


Back in December 2021, Amazon released an emergency hotpatch that injects a fix for the Log4j vulnerability into running JVMs across EC2, ECS and EKS environments, but the hotpatch itself turned out to carry security flaws. Since Amazon published it, security researchers have found that the original hotpatch ran with host root privileges and would execute any process named "java" without confining it to its container, leaving AWS customers exposed to container escape and privilege escalation bugs (via The Register).

The underlying issue, Log4Shell (CVE-2021-44228), is a remote code execution vulnerability in Log4j, Apache's popular Java library for logging messages in applications. An attacker who can get a crafted string into a log line can run arbitrary code with the privileges of the JVM process, which in practice has been used to steal data and to deploy ransomware and cryptominers. The vulnerability affected software and services from major vendors such as Microsoft, Apple, and VMware.

AWS releases new hotpatches for Log4j vulnerability

Amazon Web Services released new security patches earlier this week for Amazon Linux and Amazon Linux 2. These updates address the high-severity vulnerabilities (tracked as CVE-2021-3100, CVE-2021-3101, CVE-2022-0070 and CVE-2022-0071) that were introduced by Amazon's own Log4j hotpatch rather than by Log4j itself. The company credited Palo Alto Networks' Unit 42 threat research team, which reported the bugs back in December last year.

Amazon recommends that every customer who installed the hotpatch, whether on EC2 instances, on container hosts, or on any other system running Java applications, update to the fixed versions as soon as possible.

“Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the latest hotpatch version by running the following command: sudo yum update. The hotpatch expects an environment containing the latest Linux kernel updates, and customers should not skip any available kernel updates when updating the version of the hotpatch in use,” Amazon explained in its Security Advisory for Apache Log4j Hotpatch Issues.
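The advisory's two requirements, a hotpatch at or above the fixed release and a host that is not running a stale kernel, are easy to check in a short audit script. The following POSIX shell helper is an added example, not code from Amazon's advisory or the hotpatch package: the package name `log4j-cve-2021-44228-hotpatch` and the fixed version `1.1-16` are taken from the AWS advisory for Amazon Linux 2 but should be treated as assumptions and confirmed against the advisory for your distribution, and the sample version strings used below are constructed.

```shell
#!/bin/sh
# Added example: audit the Amazon Linux Log4j hotpatch version and the
# kernel state the advisory asks for. Package name and fixed version are
# assumptions taken from the AWS advisory; verify them for your release.

HOTPATCH_PKG="log4j-cve-2021-44228-hotpatch"
FIXED_VER="1.1-16"

# version_ge A B: succeeds when A >= B, comparing dot/dash-separated
# numeric components left to right (rpm-style VERSION-RELEASE strings and
# uname -r strings both fit this shape; non-numeric parts compare as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# hotpatch_status VER: prints "absent", "vulnerable" or "fixed" for the
# installed hotpatch version string VER (empty when not installed).
hotpatch_status() {
    ver="$1"
    if [ -z "$ver" ]; then
        echo absent
    elif version_ge "$ver" "$FIXED_VER"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# kernel_state RUNNING NEWEST: prints "current" when the running kernel is
# the newest installed one, "reboot-needed" when a newer kernel was
# installed but the host has not been rebooted into it.
kernel_state() {
    if version_ge "$1" "$2"; then
        echo current
    else
        echo reboot-needed
    fi
}

# Live collection on an Amazon Linux host (needs rpm; not used by the
# constructed checks below). rpm -q --last lists newest package first.
audit_host() {
    hp=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$HOTPATCH_PKG" 2>/dev/null)
    running=$(uname -r)
    newest=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel 2>/dev/null | sort -r | head -n 1)
    echo "hotpatch: $(hotpatch_status "$hp")"
    echo "kernel:   $(kernel_state "$running" "$newest")"
}
```

Run `audit_host` on the instance after `sudo yum update`; a result of `vulnerable` or `reboot-needed` means one of the advisory's two conditions is still unmet. The comparator is deliberately written in awk rather than `sort -V` so it behaves the same on minimal images without GNU coreutils.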

For AWS customers that run Bottlerocket with Hotdog, the Bottlerocket equivalent of the Log4j hotpatch, the latest Bottlerocket release ships with the updated Hotdog version. Alongside the Amazon Linux fixes, AWS also published a new version of the hotpatch DaemonSet so that administrators can roll the corrected hotpatch out across the nodes of their Kubernetes clusters. You can learn more about the AWS Log4j hotpatch vulnerabilities in this blog post.