ALAS2-2022-1734


Amazon Linux 2 Security Advisory: ALAS-2022-1734
Advisory Release Date: 2022-01-18 21:37 Pacific
Advisory Updated Date: 2022-01-20 19:32 Pacific
Severity: Medium

Issue Overview:

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. (CVE-2021-44832)
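As an added example (not part of this advisory or of the aws-kinesis-agent package), the following Python audit applies the same rule the fixed Log4j2 releases enforce: every JDBC appender DataSource in a log4j2 XML configuration must reference a JNDI name in the java: namespace, and anything else is reported. Both configurations below are constructed samples, and the non-java URI is a placeholder.

```python
import xml.etree.ElementTree as ET

ALLOWED_PREFIX = "java:"  # the only JNDI scheme Log4j2 2.17.1 / 2.12.4 / 2.3.2 accept


def _attr(elem: ET.Element, wanted: str) -> str:
    """Case-insensitive attribute lookup (Log4j2 config names are case-insensitive)."""
    for key, value in elem.attrib.items():
        if key.lower() == wanted.lower():
            return value
    return ""


def find_risky_jdbc_datasources(config_xml: str) -> list[str]:
    """Return the jndiName of every JDBC appender <DataSource> whose name does not
    begin with "java:". An empty list means the fixed releases would accept it."""
    root = ET.fromstring(config_xml)
    risky = []
    for elem in root.iter():
        tag = elem.tag.lower()
        # Both <JDBC ...> and <Appender type="JDBC" ...> declare a JDBC appender.
        is_jdbc = tag == "jdbc" or (tag == "appender" and _attr(elem, "type").lower() == "jdbc")
        if not is_jdbc:
            continue
        for child in elem:
            if child.tag.lower() == "datasource":
                name = _attr(child, "jndiName")
                if not name.startswith(ALLOWED_PREFIX):
                    risky.append(name)
    return risky


# Constructed sample: data source bound in the JNDI "java:" namespace (accepted).
SAFE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="dbAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="error"><AppenderRef ref="dbAppender"/></Root></Loggers>
</Configuration>"""

# Constructed sample: the same appender pointed at a non-"java:" JNDI URI
# (placeholder host), which the fixed releases refuse to resolve.
RISKY_CONFIG = SAFE_CONFIG.replace(
    'jndiName="java:comp/env/jdbc/LoggingDataSource"',
    'jndiName="ldap://untrusted.example.invalid/jdbc/ds"')

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, find_risky_jdbc_datasources(cfg))
```

Running this against the configuration actually deployed with the agent complements the package update: a non-empty result means the file itself should be corrected, not only the library.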


Affected Packages:

aws-kinesis-agent


Note:

This advisory applies to the Amazon Linux 2 (AL2) Core repository. See the Amazon Linux FAQ for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update aws-kinesis-agent to update your system.

New Packages:
noarch:
    aws-kinesis-agent-2.0.6-1.amzn2.noarch

src:
    aws-kinesis-agent-2.0.6-1.amzn2.src