Amazon Linux 2 Security Advisory: ALAS-2022-1734
Advisory Release Date: 2022-01-18 21:37 Pacific
Advisory Updated Date: 2022-01-20 19:32 Pacific
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. (CVE-2021-44832)
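The advisory describes the fix as restricting JDBC Appender data source names to the java: JNDI protocol. The following is an added example, not code from the advisory, Amazon, or the Log4j project: a small audit script that parses a Log4j2 XML configuration, finds every JDBC appender's DataSource element, and flags any jndiName that does not use the java: scheme, which is the kind of entry an attacker with write access to the configuration file would need to plant and which the fixed releases reject. The sample configuration is constructed for this example (the element names JDBC, DataSource and the jndiName attribute are the ones the Log4j2 XML format uses; the appender names and the non-java placeholder URI are invented). The script is meant as a pre-upgrade check of configuration files on a host; it does not replace updating the package.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml for this example (not taken from the advisory).
# "AuditDb" uses a java: JNDI name; "SuspiciousDb" uses a placeholder non-java
# scheme, the pattern the fixed Log4j2 releases refuse to resolve.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="AuditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="ts" isEventTimestamp="true"/>
      <Column name="msg" pattern="%m"/>
    </JDBC>
    <JDBC name="SuspiciousDb" tableName="audit_log">
      <DataSource jndiName="notjava://placeholder.invalid/ds"/>
      <Column name="msg" pattern="%m"/>
    </JDBC>
    <Console name="Stdout"><PatternLayout pattern="%m%n"/></Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Stdout"/></Root></Loggers>
</Configuration>
"""


def is_java_jndi_name(name: str) -> bool:
    """True only when the JNDI name explicitly uses the java: protocol.

    This mirrors the restriction the advisory describes for the fixed
    releases. Names with no scheme at all are treated as not allowed here,
    a conservative choice for an audit tool (assumption, not Log4j's code).
    """
    return name.strip().lower().startswith("java:")


def audit_jdbc_datasources(config_xml: str) -> list:
    """Return one finding per JDBC appender DataSource found in the config.

    Each finding is a dict with the appender name, the jndiName value and
    whether it is allowed. Log4j2 plugin names are case-insensitive in the
    configuration, so tag names are compared in lower case.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        if elem.tag.lower() != "jdbc":
            continue
        appender = elem.get("name", "<unnamed>")
        for child in elem:
            if child.tag.lower() != "datasource":
                continue
            jndi = child.get("jndiName", "")
            findings.append(
                {
                    "appender": appender,
                    "jndiName": jndi,
                    "allowed": is_java_jndi_name(jndi),
                }
            )
    return findings


def non_java_datasources(config_xml: str) -> list:
    """Names of JDBC appenders whose DataSource JNDI name is not java:."""
    return [f["appender"] for f in audit_jdbc_datasources(config_xml) if not f["allowed"]]


if __name__ == "__main__":
    for finding in audit_jdbc_datasources(SAMPLE_CONFIG):
        status = "ok" if finding["allowed"] else "NOT java: protocol"
        print(f'{finding["appender"]}: {finding["jndiName"]} -> {status}')
```

To run this against a real file, read the configuration with `open(path).read()` and pass the string to `non_java_datasources`; an empty result means every JDBC data source already uses the java: protocol. Configurations in JSON, YAML or properties format are not covered by this XML-only parser.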
Affected Packages:
aws-kinesis-agent
Note:
This advisory applies to the Amazon Linux 2 (AL2) Core repository. See the FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update aws-kinesis-agent to update your system.
noarch:
aws-kinesis-agent-2.0.6-1.amzn2.noarch
src:
aws-kinesis-agent-2.0.6-1.amzn2.src