AWS Releases Updated Log4j Hot Patches
Amazon Web Services (AWS) has released updated hot patches to address the Log4j security issues. Initially released in December 2021, the patches were found to contain security issues themselves. The vulnerabilities in the original patches were detected by researchers from Palo Alto Networks’ Unit 42.
The vulnerability addressed here is not in Log4j itself. It is a flaw in Amazon's hotpatch process: the hotpatch "patched" unrelated code while running with elevated privileges, which could lead to privilege escalation. Overall, the hotpatch was likely still better than not patching a critical vulnerability like Log4j.
The December patches introduced flaws which can lead to container escape, so apply the new patches now. For Kubernetes clusters, deploy the current daemonset; Hotdog users need to update to the latest version; standalone EC2 hosts should apply the latest log4j-cve rpm.
Read more in:
Gov Infosecurity: AWS Log4Shell Patch Has 'Severe Security Issues': Unit 42
Bleeping Computer: Amazon Web Services fixes container escape in Log4Shell hotfix
The Register: AWS's Log4j patches blew holes in its own security