Amazon Web Services has updated its Log4j security patches after it was found the original fixes made customer deployments vulnerable to container escape and privilege escalation.
The vulnerabilities introduced by Amazon's Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity bugs rated 8.8 out of 10 on the CVSS scale. AWS customers using Java software in their off-prem environments should grab the latest patch set from Amazon and install it.
"We recommend that customers who run Java applications in containers, and use either the hotpatch or Hotdog, update to the latest versions of the software immediately," the cloud giant said in a security bulletin on Tuesday.
In December, shortly after security researchers sounded the alarm on the now-infamous remote-code execution flaw in Apache's extremely widely used logging library, Amazon released emergency hot-fixes to close the Log4j RCE in vulnerable JVMs across a number of environments: standalone virtual servers, Kubernetes clusters, Amazon Elastic Container Service (ECS) instances, and AWS Fargate serverless instances.
The goal was to quickly address the logging library vulnerability while sysadmins worked out how to migrate their applications and services to a non-vulnerable Log4j version.
However, the hot-fixes inadvertently introduced new weaknesses. These new bugs, if exploited, could allow a miscreant to escape a container and take over the underlying host server as the root user, according to Palo Alto Networks' Unit 42 threat research team, which discovered the flaws. Exploitation could thus lead to the hijacking of other containers and customer applications on the host.
Hotdog! AWS releases new hotpatches
AWS this week issued new versions of the hotpatch for Amazon Linux and Amazon Linux 2. Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the new version by running the following command:
sudo yum update
Customers using Bottlerocket with the Hotdog fix for Apache Log4j can update to the latest Bottlerocket release, which includes the updated version of Hotdog.
To address the vulns in Kubernetes clusters, users can install the latest Daemonset provided by AWS, which includes the fixed hotpatch.
The problem with the earlier AWS patches, according to Unit 42 security researcher Yuval Avrahami, is that they would attempt to patch any process running a binary named "java" – in order to fix up vulnerable JVMs – and would do so by running the container's "java" binary with elevated privileges. As he explained:
We're told a container with a malicious binary named "java" would therefore be invoked by the patch, with sufficient privileges to escape the container, and take over the host.
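Because the weak hotpatch trusted any process whose name was "java", a defender's first check is whether the "java" executables running on a host are genuine JVM launchers at all. The following audit script is an added example written for this article, not code from AWS, Unit 42 or the hotpatch itself; it assumes a Linux host with /proc, and its heuristic (ELF magic plus a JDK/JRE-style install path) is an illustrative assumption, not the hotpatch's own logic.

```python
"""Audit processes named "java" whose executable does not look like a real JVM.

Constructed example; assumes Linux /proc. Binaries are read through
/proc/<pid>/root so that a container's own filesystem paths resolve.
"""
import os
import re
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"
# Assumption: genuine JVM launchers live in a jre/jdk/java-named tree, e.g.
# /usr/lib/jvm/java-11-openjdk/bin/java or /usr/local/openjdk-17/bin/java.
JVM_PATH_RE = re.compile(r"(jre|jdk|java)[^/]*/bin/java$")


@dataclass
class Finding:
    pid: int
    exe: str
    verdict: str  # "jvm", "script", "not-elf" or "unusual-path"


def classify(pid: int, exe: str, header: bytes) -> Finding:
    """Classify one process from its resolved exe path and the file's first bytes."""
    if header.startswith(SHEBANG):
        return Finding(pid, exe, "script")        # a shell script masquerading as java
    if not header.startswith(ELF_MAGIC):
        return Finding(pid, exe, "not-elf")       # not even a native executable
    if not JVM_PATH_RE.search(exe):
        return Finding(pid, exe, "unusual-path")  # ELF, but not where a JDK installs java
    return Finding(pid, exe, "jvm")


def scan_proc(proc: str = "/proc") -> list:
    """Walk /proc for processes whose comm is "java" and classify each one."""
    findings = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"{proc}/{pid}/comm") as f:
                if f.read().strip() != "java":
                    continue
            exe = os.readlink(f"{proc}/{pid}/exe")  # symlinks already resolved
            with open(f"{proc}/{pid}/root{exe}", "rb") as f:
                header = f.read(4)
        except OSError:
            continue  # process exited, or we lack permission: skip it
        findings.append(classify(pid, exe, header))
    return findings


if __name__ == "__main__":
    for fnd in scan_proc():
        print(f"pid {fnd.pid}: {fnd.exe} -> {fnd.verdict}")
```

Anything other than "jvm" deserves a look before a privileged patcher of any kind is allowed to touch it; run it as root so /proc/<pid>/root of other users' containers is readable.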
Unit 42 created a proof-of-concept video that shows a supply-chain attack via a malicious container image that exploits the earlier patch. Similarly, existing compromised containers could exploit the vuln to escape and take over their underlying host. But the security team "decided not to share the exploit's implementation details at this time to prevent malicious parties from weaponizing it."
The fixed AWS patches spawn "java" binaries with the appropriate privileges to prevent a container escape, Avrahami wrote. ®