Amazon Web Services Log4j patches blew holes in own security • The Register

Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation.

The vulnerabilities introduced by Amazon’s Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity bugs rated 8.8 out of 10 on the CVSS. AWS customers using Java software in their off-prem environments should grab the latest patch set from Amazon and install.

“We recommend that customers who run Java applications in containers, and use either the hotpatch or Hotdog, update to the latest versions of the software immediately,” the cloud giant said in a security bulletin on Tuesday.

In December, shortly after security researchers sounded the alarm on the now-infamous remote-code execution flaw in Apache’s incredibly widely used logging library, Amazon released emergency hot-fixes to close the Log4j RCE in vulnerable JVMs across multiple environments: standalone virtual servers, Kubernetes clusters, Amazon Elastic Container Service (ECS) instances, and AWS Fargate serverless situations.

The goal was to quickly address the logging library vulnerability while sysadmins figured out migrating their applications and services to a non-vulnerable Log4j version.

However, the hot-fixes inadvertently introduced new weaknesses. These new bugs, if exploited, could allow a miscreant to escape a container and take over the underlying host server as the root user, according to Palo Alto Networks’ Unit 42 threat research team, which discovered the flaws. Exploitation could thus lead to the hijacking of other containers and customer applications on the host.

Hotdog! AWS releases new hotpatches

AWS this week issued new versions of the hotpatch for Amazon Linux and Amazon Linux 2. Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the new version by running the following command: sudo yum update

Customers using Bottlerocket with the Hotdog fix for Apache Log4j can update to the latest Bottlerocket release, which includes the updated version of Hotdog.

To address the vulns in Kubernetes clusters, users can install the latest Daemonset provided by AWS, which includes the fixed hotpatch.

The issue with the earlier AWS patches, according to Unit 42 security researcher Yuval Avrahami, is that they attempt to patch any process running a binary named “java”, in order to fix up vulnerable JVMs, and do so by executing the container’s own “java” binary with elevated host privileges, Avrahami explained.

A malicious binary named “java” inside a container would therefore be executed by the patch with enough privilege to escape the container and take over the host, we’re told.

Unit 42 created a proof-of-concept video that shows a supply-chain attack via a malicious container image that exploits the earlier patch. Similarly, existing compromised containers can exploit the vuln to escape and take over their underlying host. But the security team “decided not to share the exploit’s implementation details at this time to prevent malicious parties from weaponizing it.”

The fixed AWS patches spawn “java” binaries with the appropriate privileges to prevent a container escape, Avrahami wrote. ®
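The pattern Unit 42 describes, and the kind of fix the last paragraph alludes to, can be shown in a few lines. What follows is an added illustration written for this page, not AWS’s hotpatch or Hotdog code and not the undisclosed exploit: a host-side patcher reads the target process’s /proc/<pid>/status, and instead of running the container’s “java” as host root it runs it inside the target’s namespaces, as the target’s own uid/gid, with no capabilities and no_new_privs set. The status text is constructed sample data, and the agent jar path and the idea that the jar is visible inside the container’s mount namespace are assumptions for the example.

```python
"""Illustrative patcher privilege logic (example code, not AWS's hotpatch).

A host daemon that execs a binary found via /proc/<pid>/root is executing
attacker-controlled code; the only safe question is *with whose privileges*.
"""

# Constructed /proc/<pid>/status fragment for a JVM running as uid/gid 1000
# inside a container with no effective capabilities. Sample data, not a capture.
SAMPLE_STATUS = """\
Name:\tjava
State:\tS (sleeping)
Pid:\t4242
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
Groups:\t1000
NSpid:\t4242\t1
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
NoNewPrivs:\t0
"""

# Hypothetical location of the patch agent; assumed to be reachable inside
# the container's mount namespace (how it gets there is out of scope here).
HOTPATCH_JAR = "/opt/hotpatch/Log4jHotPatch.jar"


def parse_status(text):
    """Extract the fields a patcher must know before acting on the target's behalf."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.split()
    nspid = fields.get("NSpid", fields["Pid"])
    return {
        "comm": fields["Name"][0],
        "pid": int(fields["Pid"][0]),          # pid as seen from the host
        "nspid": int(nspid[-1]),                # pid as seen inside its own pid namespace
        "in_container": len(nspid) > 1,         # nested pid namespace => containerised
        "euid": int(fields["Uid"][1]),          # Uid: real, effective, saved, filesystem
        "egid": int(fields["Gid"][1]),
        "cap_eff": int(fields["CapEff"][0], 16),
    }


def unsafe_command(pid):
    """The flawed pattern: resolve the target's binary through /proc/<pid>/root and
    run it with the daemon's own identity (root, host namespaces). Whatever the
    container placed at that path now runs as root on the host."""
    return [f"/proc/{pid}/root/usr/bin/java", "-jar", HOTPATCH_JAR, str(pid)]


def hardened_command(info):
    """Run the same binary, but as the target: nsenter(1) joins the process's
    mount/pid/net/uts/ipc namespaces, setpriv(1) switches to its uid/gid, empties
    the capability bounding and inheritable sets and sets no_new_privs. A hostile
    'java' therefore gains nothing the container did not already have. Attaching
    to a JVM needs the JVM's uid, not root, so the patch loses nothing."""
    ns_prefix = []
    if info["in_container"]:
        ns_prefix = ["nsenter", "--target", str(info["pid"]),
                     "--mount", "--pid", "--net", "--uts", "--ipc", "--"]
    return ns_prefix + [
        "setpriv",
        f"--reuid={info['euid']}", f"--regid={info['egid']}", "--clear-groups",
        "--bounding-set=-all", "--inh-caps=-all", "--no-new-privs", "--",
        # inside the pid namespace the JVM is addressed by its namespace-local pid
        "java", "-jar", HOTPATCH_JAR, str(info["nspid"]),
    ]


def plan_patch(status_text):
    """Select candidates by process name, exactly as the hotpatch did, but treat the
    name as a trigger only: it is attacker-chosen and never a reason to trust the binary."""
    info = parse_status(status_text)
    if info["comm"] != "java":
        return None
    return hardened_command(info)


if __name__ == "__main__":
    print("unsafe:  ", " ".join(unsafe_command(4242)))
    print("hardened:", " ".join(plan_patch(SAMPLE_STATUS)))
```

The contrast is the whole point: both argv lists execute the same container-supplied file, but the hardened form runs it with the container process’s own uid, namespaces and (empty) capability set, so a malicious “java” ends up no better off than the process it replaced.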
