ALAS2-2022-1806


Amazon Linux 2 Security Advisory: ALAS-2022-1806
Advisory Release Date: 2022-06-13 16:56 Pacific
Advisory Updated Date: 2022-07-08 12:43 Pacific
Severity: Important

Issue Overview:

Versions of the Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3-5 are affected by a race condition that could lead to a local privilege escalation.

The Apache Log4j Hotpatch is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation for CVE-2021-44228 by hotpatching local Java virtual machines. To do so, the hotpatch script iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process in order to load the hotpatch.

A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom "java" process that performs exec() of a set-user-ID binary after the hotpatch has observed the process path but before it has observed its effective user ID.

To leverage this issue, a user must already have local access to the target system with permissions to run custom programs.
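One way a privileged script can avoid pairing a stale process path with a later-observed user ID, written here as an added example and not the hotpatch's own code: read the exe path, effective UID and start time from /proc twice and accept the observation only when both reads agree. The function names and the self-check helper are assumptions made for this illustration.

```python
import os


def snapshot(pid):
    """Read exe path, effective UID and start time of one process from /proc.

    Returns (exe, euid, starttime) or None if the process is gone or not readable."""
    proc = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{proc}/exe")
        euid = None
        with open(f"{proc}/status") as f:
            for line in f:
                # "Uid:" lists real, effective, saved and filesystem UIDs
                if line.startswith("Uid:"):
                    euid = int(line.split()[2])
                    break
        with open(f"{proc}/stat") as f:
            stat = f.read()
        # comm (field 2) may contain spaces, so parse after the closing ')'.
        # Fields from there start at 3; starttime is field 22, i.e. index 19.
        starttime = int(stat[stat.rindex(")") + 1:].split()[19])
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return None
    return (exe, euid, starttime)


def consistent_snapshot(pid, attempts=3):
    """Observe a process twice and accept only if both observations agree.

    A process that exec()s a set-user-ID binary between the two reads changes
    its exe path and/or effective UID, so the mismatch is detected and the
    observation is rejected instead of combining the old path with the new UID."""
    for _ in range(attempts):
        first = snapshot(pid)
        second = snapshot(pid)
        if first is None or second is None:
            return None
        if first == second:
            return first
    return None


def self_check():
    """Hypothetical helper: verify the logic against the calling process itself."""
    observed = consistent_snapshot(os.getpid())
    return observed is not None and observed[1] == os.geteuid()
```

Every value the caller later acts on (path, UID, capabilities) should come from the one accepted snapshot, never from a mix of separate reads.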


Affected Packages:

log4j-cve-2021-44228-hotpatch


Note:

This advisory is applicable to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update log4j-cve-2021-44228-hotpatch to update your system.

New Packages:
noarch:
    log4j-cve-2021-44228-hotpatch-1.3-5.amzn2.noarch

src:
    log4j-cve-2021-44228-hotpatch-1.3-5.amzn2.src