Amazon Linux 2022 Security Advisory: ALAS-2021-003
Advisory Release Date: 2021-12-10 21:56 Pacific
Advisory Updated Date: 2021-12-11 12:00 Pacific
A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0-beta9 up to and including 2.14.1. A remote attacker could execute code on the server if the system logs an attacker-controlled string value that contains a JNDI lookup pointing to the attacker's LDAP server. (CVE-2021-44228)
Affected Packages:
log4j
Issue Correction:
Run dnf update --releasever=2022.0.20211210 log4j to update your system.
noarch:
log4j-slf4j-2.15.0-1.amzn2022.0.1.noarch
log4j-2.15.0-1.amzn2022.0.1.noarch
log4j-jcl-2.15.0-1.amzn2022.0.1.noarch
src:
log4j-2.15.0-1.amzn2022.0.1.src
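
A post-update check, added here as an example and not part of the advisory: it compares each installed log4j package against the fixed build listed above and flags any that were left behind. The function names, the sample input and the use of `sort -V` as a stand-in for RPM's version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the advisory.
# Fixed version-release, taken from the advisory's package list.
FIXED_VR="2.15.0-1.amzn2022.0.1"

# vr_at_least A B: succeeds when version-release A >= B.
# Assumption: GNU "sort -V" ordering stands in for RPM's own comparison,
# which agrees for plain dotted versions like these.
vr_at_least() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# audit_log4j: reads "name version-release" lines on stdin, prints one
# verdict per package, and returns 1 if any package predates the fix.
audit_log4j() {
    audit_rc=0
    while read -r pkg_name pkg_vr; do
        [ -n "$pkg_name" ] || continue
        if vr_at_least "$pkg_vr" "$FIXED_VR"; then
            echo "OK           $pkg_name $pkg_vr"
        else
            echo "NEEDS-UPDATE $pkg_name $pkg_vr (fixed in $FIXED_VR)"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# Constructed sample input (not from a real host): one package left behind.
SAMPLE='log4j 2.14.1-1.amzn2022
log4j-slf4j 2.15.0-1.amzn2022.0.1
log4j-jcl 2.15.0-1.amzn2022.0.1'

# On a real host, feed it the installed packages instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'log4j*' | audit_log4j
printf '%s\n' "$SAMPLE" | audit_log4j || true
```

A non-zero return from `audit_log4j` means at least one log4j package still needs the `dnf update` from Issue Correction.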