Amazon Web Services (AWS) has addressed four security flaws in the hot patch it released in December for the severe Log4Shell vulnerability (CVE-2021-44228), which affects cloud and on-premises environments running Java applications, or containers, that use a vulnerable version of the Log4j logging library.
The flaws in Amazon’s hot patch packages aren’t limited to AWS resources: they allow a container in the environment to escape and take control of the host, and unprivileged processes can likewise use them to escalate privileges and execute code as if they had root rights. The vulnerabilities are tracked as CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071. They have all been rated as high-severity threats, with an average score of 8.8 out of 10.
Security researchers from Palo Alto Networks’ Unit 42 found that Amazon’s Log4Shell hot-fix solutions kept looking for Java processes and patching them on the fly, without ensuring that the patched processes ran within the container’s constraints.
“A malicious container therefore could have included a malicious binary named ‘java’ to trick the installed hot patch solution into invoking it with elevated privileges,” the researchers explain. “The malicious ‘java’ process could then abuse its elevated privileges to escape the container and take over the underlying host,” they added.
According to Palo Alto Networks, “Containers can escape regardless of whether they run Java applications, or whether their underlying host runs Bottlerocket, AWS’s hardened Linux distribution for containers. Containers running with user namespaces or as a non-root user are affected as well.”
Another problem with Amazon’s patch was that all host processes were treated the same way during the Log4Shell fix, with each of them receiving elevated privileges. A malicious actor could therefore plant an unprivileged binary named “java” and trick the patching service into running it with elevated privileges.
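As an added example (not code from the article, AWS, or Unit 42), the following Python sketch contrasts the flawed selection logic described above with a patcher that confines its helper to the target’s namespaces, credentials and cgroup via nsenter and setpriv; the Proc records, namespace ids and cgroup paths are constructed stand-ins for /proc data.

```python
"""Added illustration of the hot-patch flaw described above: a host-side
patcher that reacts to any process named 'java' must execute its helper
under the target's own namespaces, credentials and cgroup, never as host
root. Uses constructed /proc-style records only; nothing is executed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str        # /proc/<pid>/comm
    exe: str         # readlink /proc/<pid>/exe, as seen from the host
    user_ns: str     # readlink /proc/<pid>/ns/user
    cgroup: str      # path from /proc/<pid>/cgroup (cgroup v2 assumed)
    uid: int
    gid: int

# Constructed value standing in for PID 1's user namespace on the host.
HOST_USER_NS = "user:[4026531837]"

def vulnerable_plan(p: Proc, patch_cmd: list) -> Optional[dict]:
    """Mirrors the flaw: trusts the name 'java' and runs the helper with host
    root credentials in host namespaces, wherever the process actually lives."""
    if p.comm != "java":
        return None
    return {"argv": list(patch_cmd), "uid": 0, "namespaces": "host",
            "cgroup": "/sys/fs/cgroup/cgroup.procs"}

def hardened_plan(p: Proc, patch_cmd: list) -> Optional[dict]:
    """Confines the helper to the target: nsenter joins its mount, pid, net,
    uts, ipc and cgroup namespaces (the user namespace only when it differs
    from the host's, since setns() into one's own user namespace fails),
    setpriv drops to the target's uid/gid with an empty capability bounding
    set and no_new_privs, and the helper is added to the target's cgroup so
    its resource limits apply. A planted 'java' then gains nothing the
    container did not already have. These command lines illustrate the
    principle; they are not AWS's implementation."""
    if p.comm != "java":
        return None
    argv = ["nsenter", "-t", str(p.pid), "-m", "-p", "-n", "-u", "-i", "-C"]
    if p.user_ns != HOST_USER_NS:
        argv.append("-U")
    argv += ["--", "setpriv", f"--reuid={p.uid}", f"--regid={p.gid}",
             "--clear-groups", "--bounding-set=-all", "--no-new-privs", "--"]
    argv += list(patch_cmd)
    return {"argv": argv, "uid": p.uid,
            "cgroup": f"/sys/fs/cgroup{p.cgroup}/cgroup.procs",
            "namespaces": "target"}
```

Seccomp filters and device-cgroup rules (the CVE-2021-3101 class of constraint) have no CLI equivalent in this sketch and would have to be re-applied by the helper itself.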
Palo Alto Networks researchers discovered the security flaws in the AWS updates six days after their release and notified Amazon on December 21, 2021. On December 23, 2021, the AWS security team acknowledged the flaws and attempted to patch them with a new release. However, the fixes were insufficient.
In the months that followed, Unit 42 supplied further details on how it bypassed the new remedies, and by April 4, 2022 only minor flaws remained. AWS released the final updates for its Log4Shell patching solutions on April 19, 2022; administrators can install them in one of the following ways:
- Kubernetes users can install the most recent version of the Daemonset, which will not affect the Log4Shell fix.
- Hotdog users can upgrade to the most recent available version.
- Standalone hosts can be upgraded with the following commands:
  yum update log4j-cve-2021-44228-hotpatch (RPM)
  apt install --only-upgrade log4j-cve-2021-44228-hotpatch (DEB)
The four vulnerabilities uncovered by Palo Alto Networks’ Unit 42 in the Log4Shell hot-patch are as follows:
- CVE-2021-3100: Privilege escalation caused by failure to mimic the permissions of the patched JVM, enabling any process to run with excessively high privileges (CVSS base score: 8.8)
- CVE-2022-0070: Incomplete fix for CVE-2021-3100
- CVE-2021-3101: On the target JVM, Hotdog does not respect device limitations, syscall filters, or resource limits, which might lead to malicious changes, policy overrides, and resource exhaustion (CVSS base score: 8.8)
- CVE-2022-0071: Incomplete fix for CVE-2021-3101
Amazon has also issued a new advisory on the flaws above with accurate guidance on fixing them. Since the Log4j vulnerability is more severe and regularly exploited, Unit 42 advises against prioritizing the container escape fixes over patching Log4Shell itself.