Amazon Web Services updated its Log4j security patches after discovering that the original patches made customer deployments vulnerable to container escape and privilege escalation.
The vulnerabilities introduced by Amazon’s Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity bugs rated 8.8 out of 10 on the CVSS scale. AWS customers running Java software in their cloud environments should obtain the latest set of patches from Amazon and install them.
“We recommend that customers running Java applications in containers and using the hotpatch or Hotdog immediately update to the latest versions of the software,” the cloud giant said in a security bulletin on Tuesday.
In December, shortly after security researchers sounded the alarm over the now-infamous remote code execution flaw in Apache’s very widely used logging library, Amazon rushed out security patches to shut down the Log4j RCE in vulnerable JVMs across multiple environments: standalone virtual servers, Kubernetes clusters, Amazon Elastic Container Service (ECS) instances, and AWS Fargate serverless setups.
The goal was to quickly address the logging library vulnerability while system administrators considered migrating their applications and services to a non-vulnerable Log4j version.
However, the patches inadvertently introduced new weaknesses. These new bugs, if exploited, could allow a malefactor to escape from a container and take control of the underlying host server as the root user, according to Palo Alto Networks’ Unit 42 threat research team, which discovered the vulnerabilities. Exploitation could thus lead to the hijacking of other containers and client applications on the same host.
Hot dog! AWS releases new patches
AWS released new versions of the hotpatch for Amazon Linux and Amazon Linux 2 this week. Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the new version by running the following command:
sudo yum update
Customers using Bottlerocket with the Hotdog patch for Apache Log4j can update to the latest version of Bottlerocket, which includes the updated version of Hotdog.
To address the vulnerabilities in Kubernetes clusters, users can install the latest DaemonSet provided by AWS, which includes the fixed hotpatch.
The problem with the previous AWS patches, according to Unit 42 security researcher Yuval Avrahami, is that they would try to fix any process running a binary named “java” – in order to patch vulnerable JVMs – and would do so by running that container’s “java” binary with elevated privileges and without the container’s security restrictions. As he explained:
A container with a malicious binary named “java” would therefore be invoked by the patch with sufficient privileges to escape the container and take control of the host.
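To make the mechanism concrete, here is an added example (not code from AWS, Unit 42 or the Log4j hotpatch project) that models the target-selection step of a name-based JVM hotpatcher over a constructed process table. The weak planner does what the text describes: it runs whatever binary sits behind a process called “java” as host root, in the host’s namespaces, with full capabilities. The hardened planner is an assumed mitigation shape, not a reproduction of the AWS fix: it stays inside the target’s own mount and pid namespaces, keeps the target’s uid and drops capabilities. The process fields, plan format, namespace identifiers and escape test are all this example’s own assumptions.

```python
"""Name-based JVM hotpatching: where the container boundary breaks.

Added example, not AWS, Unit 42 or hotpatch project code.  All field
names, the ExecPlan format, the agent arguments and the escape test are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

HOST_MNT_NS = "mnt:[4026531840]"   # assumed host namespace ids
HOST_PID_NS = "pid:[4026531836]"
ALL_CAPS = frozenset({"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_DAC_OVERRIDE", "CAP_SETUID"})
PATCH_ARGS = ("-jar", "/opt/hotpatch/agent.jar")  # placeholder agent-attach arguments


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str     # /proc/<pid>/comm; attacker-chosen for a container entrypoint
    exe: str      # /proc/<pid>/exe resolved from the host's point of view
    uid: int
    mnt_ns: str   # /proc/<pid>/ns/mnt link target
    pid_ns: str

    @property
    def in_container(self) -> bool:
        return self.mnt_ns != HOST_MNT_NS


# Constructed process table: a host JVM, a containerized JVM, a container whose
# entrypoint is merely a file named "java", and an unrelated daemon.
PROCS: List[Proc] = [
    Proc(1234, "java", "/usr/lib/jvm/java-11/bin/java", 1000, HOST_MNT_NS, HOST_PID_NS),
    Proc(2345, "java", "/proc/2345/root/opt/jdk/bin/java", 1000, "mnt:[4026532401]", "pid:[4026532404]"),
    Proc(3456, "java", "/proc/3456/root/java", 0, "mnt:[4026532501]", "pid:[4026532504]"),
    Proc(4567, "nginx", "/usr/sbin/nginx", 33, HOST_MNT_NS, HOST_PID_NS),
]


@dataclass(frozen=True)
class ExecPlan:
    pid: int
    argv: Tuple[str, ...]
    run_as_uid: int
    enter_ns: Tuple[str, ...]   # namespaces to setns() into before exec
    caps: frozenset             # capabilities the patch process keeps


def select_targets(procs: List[Proc]) -> List[Proc]:
    """Both planners pick targets the same way: by process name alone."""
    return [p for p in procs if p.comm == "java"]


def plan_vulnerable(p: Proc) -> ExecPlan:
    """Exec the target's own binary as host root, in host namespaces, with full caps."""
    return ExecPlan(p.pid, (p.exe,) + PATCH_ARGS, 0, (), ALL_CAPS)


def plan_hardened(p: Proc) -> ExecPlan:
    """Exec inside the target's namespaces, as its own uid, with no capabilities."""
    if p.in_container:
        path = p.exe.removeprefix(f"/proc/{p.pid}/root")  # path as the container sees it
        ns = (p.mnt_ns, p.pid_ns)
    else:
        path, ns = p.exe, ()
    return ExecPlan(p.pid, (path,) + PATCH_ARGS, p.uid, ns, frozenset())


def escapes(plan: ExecPlan, p: Proc) -> bool:
    """A container-supplied binary escapes if it runs outside the container's
    namespaces, with any capability, or as a uid the container did not have."""
    if not p.in_container:
        return False
    return not plan.enter_ns or bool(plan.caps) or plan.run_as_uid != p.uid


def audit(procs: List[Proc], planner: Callable[[Proc], ExecPlan]) -> List[int]:
    """PIDs whose patch invocation would hand a container's binary host power."""
    return [p.pid for p in select_targets(procs) if escapes(planner(p), p)]


if __name__ == "__main__":
    for name, planner in (("vulnerable", plan_vulnerable), ("hardened", plan_hardened)):
        print(f"{name}: escaping pids = {audit(PROCS, planner)}")
```

Note that both planners select the same targets: the name check cannot tell the malicious entrypoint in pid 3456 from a genuine JVM, so the fix has to be in the privilege context the patch runs under, not in the selection.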
Unit 42 has created a proof-of-concept video that shows a supply chain attack via a malicious container image that leverages the previous patch. Likewise, existing compromised containers can exploit the vulnerability to escape and take control of their underlying host. But the security team “decided not to share implementation details of the exploit at this time to prevent malicious parties from weaponizing it.”
The fixed hotpatches now run the “java” binaries with the appropriate privileges, preventing a container escape, Avrahami wrote. ®