ALAS2-2022-1773


Amazon Linux 2 Security Advisory: ALAS-2022-1773
Advisory Release Date: 2022-04-18 19:43 Pacific
Advisory Updated Date: 2022-04-19 19:17 Pacific
Severity: Important

Issue Overview:

Starting with log4j-cve-2021-44228-hotpatch-1.1-16, the Apache Log4j hotpatch package explicitly mimics the Linux capabilities and cgroups of the target Java process to which the hotpatch is applied.

In order to mimic the Linux capabilities of the target process, Amazon Linux 1 customers need to be running kernel version 4.14.275-142.503 or later, while Amazon Linux 2 customers on ARM need to be running kernel versions 4.14.275-207.503, 5.4.188-104.359, 5.10.109-104.500 or later. Amazon Linux 2 customers on Intel or AMD instances do not need an updated kernel. (CVE-2022-0070)


Affected Packages:

log4j-cve-2021-44228-hotpatch


Note:

This advisory applies to the Amazon Linux 2 (AL2) Core repository. See the FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update log4j-cve-2021-44228-hotpatch to update your system.
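
A host check built from the minimums stated in this advisory, added here as an example; it is not code from Amazon or from the hotpatch package. It assumes the kernel release string carries the amzn1 or amzn2 tag and that each ARM minimum applies to its own kernel series; the --host switch belongs to this example script only.

```shell
# Added example: compare a host with the minimums stated in ALAS-2022-1773.

# Reduce "4.14.275-207.503.amzn2.aarch64" to its numeric part "4.14.275-207.503".
numeric_part() { printf '%s\n' "$1" | sed 's/[^0-9.-].*$//; s/[.-]*$//'; }

# ver_ge A B: succeed when A >= B, comparing dot/hyphen separated fields as numbers.
ver_ge() {
    a=$(numeric_part "$1" | sed 's/-/./g'); b=$(numeric_part "$2" | sed 's/-/./g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# kernel_status RELEASE ARCH: print ok, update or unlisted.
# Assumption: each ARM minimum applies to its own kernel series (4.14, 5.4, 5.10);
# releases outside the advisory's text are reported as "unlisted".
kernel_status() {
    rel=$1; arch=$2; min=
    case $rel in
        *.amzn1.*) min=4.14.275-142.503 ;;                  # Amazon Linux 1
        *.amzn2.*)
            [ "$arch" = aarch64 ] || { echo ok; return; }   # AL2 Intel/AMD: no kernel update
            case $rel in
                4.14.*) min=4.14.275-207.503 ;;
                5.4.*)  min=5.4.188-104.359 ;;
                5.10.*) min=5.10.109-104.500 ;;
            esac ;;
    esac
    [ -n "$min" ] || { echo unlisted; return; }
    if ver_ge "$rel" "$min"; then echo ok; else echo update; fi
}

# package_status VERSION-RELEASE: the fixed hotpatch build is 1.1-16.
package_status() { if ver_ge "$1" 1.1-16; then echo ok; else echo update; fi; }

# Live check, only when invoked with --host (a switch of this example script).
if [ "${1:-}" = --host ]; then
    if pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}' log4j-cve-2021-44228-hotpatch); then
        echo "hotpatch $pkg: $(package_status "$pkg")"
    else
        echo "hotpatch: not installed"
    fi
    echo "kernel $(uname -r): $(kernel_status "$(uname -r)" "$(uname -m)")"
fi
```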

New Packages:
noarch:
    log4j-cve-2021-44228-hotpatch-1.1-16.amzn2.noarch

src:
    log4j-cve-2021-44228-hotpatch-1.1-16.amzn2.src