Amazon Web Services released a new advisory to provide guidance on four security issues, which are now fixed. They were found in AWS’s hot patch from December that addressed the Log4Shell vulnerability, tracked as CVE-2021-44228 and CVE-2021-45046. The four new security issues are tracked as CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071, and all of them have a CVSS score of 8.8.
Log4j hotpatch issues
AWS stated that the issues within this hotpatch, and within the associated OCI hooks for Bottlerocket (Hotdog), were reported by security researchers. AWS addressed the issues in a new version of the hotpatch and a new version of Hotdog. AWS urged users who run Java applications in containers and use either the hotpatch or Hotdog to update to the latest version as soon as possible.
The latest package names and versions of the hotpatch for Amazon Linux and Amazon Linux 2 are:
- Amazon Linux: log4j-cve-2021-44228-hotpatch-1.1-16.amzn1
- Amazon Linux 2: log4j-cve-2021-44228-hotpatch-1.1-16.amzn2
Users can update to the latest hotpatch version with the following command:
sudo yum update
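As an added example (not part of the AWS advisory or its tooling), a POSIX shell check that parses the output of `rpm -q log4j-cve-2021-44228-hotpatch` and reports whether the installed build is at or above the fixed 1.1-16 release. The sample strings are constructed; the name-version-release.arch layout assumed here is the standard RPM query output format.

```shell
#!/bin/sh
# Added example (not AWS's tooling): decide whether an installed
# log4j-cve-2021-44228-hotpatch package is at or above the fixed
# build 1.1-16 named in the advisory.

PKG="log4j-cve-2021-44228-hotpatch"
FIXED_MAJOR=1; FIXED_MINOR=1; FIXED_REL=16   # fixed build: 1.1-16

# Constructed sample strings in the shape `rpm -q $PKG` prints.
SAMPLE_OLD="log4j-cve-2021-44228-hotpatch-1.1-13.amzn2"
SAMPLE_FIXED="log4j-cve-2021-44228-hotpatch-1.1-16.amzn2"
SAMPLE_MISSING="package log4j-cve-2021-44228-hotpatch is not installed"

# hotpatch_status NVR -> 0 fixed, 1 older than 1.1-16, 2 not installed/unparseable.
hotpatch_status() {
    nvr="$1"
    case "$nvr" in
        "$PKG"-*) ;;
        *) return 2 ;;
    esac
    vr="${nvr#"$PKG"-}"                  # 1.1-16.amzn2
    ver="${vr%%-*}"                      # 1.1
    rel="${vr#*-}"; rel="${rel%%.*}"     # 16
    major="${ver%%.*}"; minor="${ver#*.}"
    [ "$minor" = "$ver" ] && minor=0     # version with no minor part
    for n in "$major" "$minor" "$rel"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    # Compare (major, minor, release) numerically, left to right.
    [ "$major" -gt "$FIXED_MAJOR" ] && return 0
    [ "$major" -lt "$FIXED_MAJOR" ] && return 1
    [ "$minor" -gt "$FIXED_MINOR" ] && return 0
    [ "$minor" -lt "$FIXED_MINOR" ] && return 1
    [ "$rel" -ge "$FIXED_REL" ]
}

# status_text NVR -> one human-readable line; never fails, so safe under `set -e`.
status_text() {
    rc=0
    hotpatch_status "$1" || rc=$?
    case "$rc" in
        0) echo "fixed: $1" ;;
        1) echo "older than 1.1-16, run 'sudo yum update': $1" ;;
        *) echo "hotpatch not installed or unrecognised: $1" ;;
    esac
}

# On a real host: status_text "$(rpm -q "$PKG" 2>/dev/null)"
for s in "$SAMPLE_OLD" "$SAMPLE_FIXED" "$SAMPLE_MISSING"; do
    status_text "$s"
done
```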
Security researchers at Palo Alto Networks’ Unit 42, who discovered the issues and reported them to the cloud giant, said:
« Given the urgency surrounding Log4Shell, users may have deployed hot patches at scale, inadvertently putting container environments at risk. We encourage users to upgrade to the fixed hot patch version as soon as possible. Multitenant container environments and clusters running untrusted images are especially at risk.
If you’re still patching against Log4Shell, prioritize that effort first. While the presented issues can lead to severe attacks against container environments, Log4Shell has rightfully earned its spot as one of the worst vulnerabilities of all time and is still being actively exploited.
We’d like to thank AWS for their partnership and coordination in remediating this vulnerability efficiently. As Log4Shell exploitation peaked, AWS’s hot patch helped the community stop countless attacks. With these vulnerabilities fixed, it’s now possible to use the hot patch to address Log4Shell while also keeping container environments secure. »