2022-04-20
AWS Releases Updated Log4j Hot Patches
Amazon Web Services (AWS) has released updated hot patches to address the Log4j security issues. The original hot patches, released in December 2021, were found to contain security issues of their own; the vulnerabilities in those patches were reported by researchers from Palo Alto Networks' Unit 42.
Editor's Note
The vulnerability addressed here is not log4j, but a problem that resulted from Amazon's hotpatch process "patching" unrelated code that could lead to privilege escalation as the patching process ran with elevated privileges. Overall, the hotpatch was likely still better compared to not patching a critical vulnerability like log4j.

Johannes Ullrich
The December patches introduced flaws which can lead to container escape, so apply the new patches now. For Kubernetes clusters, make sure to deploy the current daemonset; Hotdog users need to update to the latest version; and standalone EC2 hosts need to apply the latest log4j-cve rpm.

Lee Neely
Read more in
Unit 42: AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation
AWS: Reported Apache Log4j Hotpatch Issues
Gov Infosecurity: AWS Log4Shell Patch Has 'Severe Security Issues': Unit 42
Bleeping Computer: Amazon Web Services fixes container escape in Log4Shell hotfix
The Register: AWS's Log4j patches blew holes in its own security