It seems that Amazon’s hotfix for Log4Shell in their AWS environment might have been a bit rushed. According to a review of the hot there are a total of four CVEs specifically related to the hotfix and how it functions. CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071 have a CVSS score of 8.8 and allow for privilege escalation and container escape. It is not often that a fix for one bad bug contains a potentially worse one, but here we are.

Containers are a popular item with cloud-based infrastructure. The idea of running low-cost (from a resource standpoint) systems to handle work loads while maintaining a higher level of security is a nice one. Making this type of decision does not mean that it puts them out of the reach of attackers though. We have seen several methods used by attackers to gain access to and control of the containers that that are in use. One of the latest is due to a 0-Day flaw in the Argo Continuous Deployment tool.