Hot Patches for Log4Shell Introduced Multiple Vulnerabilities in Amazon Web Services
Amazon Web Services has addressed vulnerabilities introduced by the hot patches released in response to the Log4Shell vulnerability in December.
Antecedentes
On April 19, researchers with Palo Alto’s Unit 42 disclosed four vulnerabilities introduced by the hot patches for Amazon Web Services (AWS) in response to CVE-2021-44228, also known as Log4Shell. While there are four CVEs, CVE-2022-0070 and CVE-2022-0071 were assigned to address incomplete patches for CVE-2021-3100 and CVE-2021-3101 respectively, which were initially disclosed in December 2021.
| CVE | Descripción | CVSSv3 |
|---|---|---|
| CVE-2021-3100 | Apache Log4j Hot Patch Service Execution with Unnecessary Privileges Vulnerability | 8.8 |
| CVE-2021-3101 | Hotdog Hot Patch Solution Execution with Unnecessary Privileges Vulnerability | 8.8 |
| CVE-2022-0070 | Apache Log4j Hotpatch Service Execution with Unnecessary Privileges Vulnerability | 8.8 |
| CVE-2022-0071 | Hotdog Hot Patch Solution Execution with Unnecessary Privileges Vulnerability (Incomplete Fix) | 8.8 |
Análisis
On December 12, in response to the Log4Shell vulnerability, AWS released open source hot patches — short term solutions to be implemented at scale until a more robust fixed version can be deployed — for several environments. These hot patches detect vulnerable Java applications and patch them “on the fly.”
According to the researchers at Unit 42, the hot patch solutions developed to address Log4Shell for standalone servers, Kubernetes clusters, Elastic Container Service (ECS) clusters and Fargate contained “severe security issues.” These hot patches, though from AWS, can be applied to other cloud and on-prem environments.
These issues can be exploited by “every container in [the hot patched] environment” to achieve container escape and host takeover. The vulnerabilities also allow unprivileged processes to escalate privileges and gain code execution with root privileges. The vulnerabilities are not configuration-dependent, they can be exploited in most AWS environments.
Solución
The following is a summary of the solutions for the hot patches:
| Solución | Fixed Version | Lanzar |
|---|---|---|
| Amazon Linux (AMI) | 1.1-16 | log4j-cve-2021-44228-hotpatch |
| Kubernetes | 1.1-16 | kubernetes-log4j-cve-2021-44228-node-agent Daemonset |
| Bottlerocket | 1.02 | hotdog-v1.0.2 |
Identificación de los sistemas afectados
A list of Tenable plugins to identify these vulnerabilities can be found here.
Tenable.cs users can detect vulnerable Kubernetes deployments via the kubernetes-log4j-cve-2021-44228-node-agent hot patch daemonset using open policy agent rego. The rego checks the image version, if it is "v0.0.12-debian" then it finds the corresponding configmap to check the actual package version that the daemonset job will install in the cluster. If Tenable.cs does not detect the fixed version (1.1-16), the product will display an alert.
Obtenga más información
- AWS Security Page for CVE-2021-3100, CVE-2021-3101, CVE-2022-0070 and CVE-2022-0071
- Palo Alto’s Unit 42 Blog Post
Únase al Equipo de respuesta de seguridad de Tenable en Tenable Community.
Obtenga más información sobre Tenable, la primera plataforma de Cyber Exposure para el control integral de la superficie de ataque moderna.
Obtenga una prueba gratuita de 30 días de Tenable.io Vulnerability Management.
Artículos relacionados
Shifting the Paradigm: Why the Cyber Insurance Industry Should Focus on Preventive Security
May 13, 2024As claims and losses climb, it’s clear that preventive security should be prioritized more when designing a cyber insurance policy. Here’s why preventive security investments are cost effective and can lead to lower premiums.
Cybersecurity Snapshot: New Guide Explains How To Assess if Software Is Secure by Design, While NIST Publishes GenAI Risk Framework
May 10, 2024Is the software your company wants to buy securely designed? A new guide outlines how you can find out. Meanwhile, a new NIST framework can help you assess your GenAI systems’ risks. Plus, a survey shows a big disconnect between AI usage (high) and AI governance (low). And MITRE’s breach post-mortem brims with insights and actionable tips. And much more!
CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities
May 9, 2024Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.
