Wednesday, 06 July 2022

Amazon’s Awkward Moment as Log4J Fix has an Escalation and Escape Bug


It seems that Amazon’s hotfix for Log4Shell in their AWS environment might have been a bit rushed. According to a review of the hotfix, there are a total of four CVEs specifically related to the hotfix and how it functions. CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071 have a CVSS score of 8.8 and allow for privilege escalation and container escape. It is not often that a fix for one bad bug contains a potentially worse one, but here we are.

The issue at play here is in the way the hotfix looks for versions of Java to patch. In the current flavor of the patch, the search only looks for processes named “java”; it does not verify the process, and it does not run it inside the restrictions of any containers involved. If a malicious container or compute device contains a binary named java, the hotfix will run it, potentially with elevated privileges, allowing for follow-on escape from the container and compromise of the server. The same can be said of a malicious process injected into an already operating container or server. If an attacker can push or invoke such a binary, the hotfix will try to execute it and allow for the same style of escalation and escape.
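To make the point concrete, here is an added example (not Amazon’s hotfix code and not from this post) contrasting a name-only selection of “java” processes with one that checks the binary’s location, owner and mount namespace before treating it as a JVM to patch. The process table, paths and namespace identifiers are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed values: where a legitimately installed JVM lives on this host and
# the host's own mount-namespace id (as read from /proc/<pid>/ns/mnt).
TRUSTED_JAVA_PREFIXES = ("/usr/lib/jvm/", "/usr/java/")
HOST_MNT_NS = "mnt:[4026531840]"


@dataclass
class Proc:
    pid: int
    comm: str            # process name (/proc/<pid>/comm)
    exe: str             # resolved executable path (/proc/<pid>/exe)
    mnt_ns: str          # mount namespace (/proc/<pid>/ns/mnt)
    exe_owner_uid: int   # owner of the executable file on disk


def naive_targets(procs: List[Proc]) -> List[int]:
    """Name-only selection, the behaviour the article describes: anything
    called 'java' is treated as a JVM to patch, wherever it came from."""
    return [p.pid for p in procs if p.comm == "java"]


def hardened_targets(procs: List[Proc]) -> Tuple[List[int], Dict[int, str]]:
    """Selects only processes whose identity, not just name, matches a JVM the
    host administrator installed; every other 'java' is reported with a reason."""
    chosen, skipped = [], {}
    for p in procs:
        if p.comm != "java":
            continue  # not a candidate at all
        if p.mnt_ns != HOST_MNT_NS:
            skipped[p.pid] = "runs in a container mount namespace; must not be patched with host privileges"
        elif not p.exe.startswith(TRUSTED_JAVA_PREFIXES):
            skipped[p.pid] = f"executable {p.exe} is outside the trusted JVM locations"
        elif p.exe_owner_uid != 0:
            skipped[p.pid] = f"executable {p.exe} is not owned by root"
        else:
            chosen.append(p.pid)
    return chosen, skipped


# Constructed process table: one real JVM, one JVM inside a container, one
# arbitrary binary renamed to 'java' under /tmp, and one unrelated process.
SAMPLE_PROCS = [
    Proc(1234, "java", "/usr/lib/jvm/java-11/bin/java", HOST_MNT_NS, 0),
    Proc(2345, "java", "/usr/bin/java", "mnt:[4026532555]", 0),
    Proc(3456, "java", "/tmp/java", HOST_MNT_NS, 1000),
    Proc(4567, "nginx", "/usr/sbin/nginx", HOST_MNT_NS, 0),
]
# naive_targets(SAMPLE_PROCS) -> [1234, 2345, 3456]; hardened_targets(...) chooses only [1234]
```

Running both selectors over the sample table shows the name-only check would hand the container’s JVM and the /tmp binary to a root-level patcher, while the hardened check patches only the host-installed JVM and explains why the others were skipped.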

Log4Shell was and still is a significant issue, as some systems and applications remain without proper remediation or mitigation steps. Added to this mix are the as yet unpatched systems still out there. To see a flaw like this show up in a hotfix does not instill confidence in remediation steps. It also comes as threat intelligence indicates that IABs (initial access brokers) are specifically targeting AWS and other cloud services looking for Log4J. Organizations should be aware of this new potential threat vector and take appropriate steps to mitigate it, as we are likely to see interest in this flaw from IABs and APT groups alike.

The good news is that Amazon does have an updated version of the hotfix and recommends that customers update to it as soon as possible, after ensuring that they have updated any potentially vulnerable applications that exist in their environments. Log4Shell is another flaw we put in the “gift that keeps on giving” category.
Happy Patching.

Last modified on Friday, 22 April 2022 10:17
