Amazon Linux Hotpatch Announcement for Apache Log4j
Announcement 2021-001
Published on 2021-12-14 04:45 Pacific
Last Updated on 2023-05-03 15:00 Pacific
Amazon Linux 1 (AL1) and Amazon Linux 2 (AL2) by default use a log4j version that is not affected by CVE-2021-44228 or CVE-2021-45046. However, customers may be running their own log4j version on AL1 or AL2. To help customers who are running a JDK8, JDK11, JDK15, or JDK17 Java Virtual Machine (JVM) mitigate CVE-2021-44228 or CVE-2021-45046, Amazon Linux released a new package that includes the recently announced Hotpatch for Apache Log4j. Customers who bring their own log4j version can install this package by running yum install log4j-cve-2021-44228-hotpatch.
Installing the hotpatch is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046. It is a mitigation that customers using AL1 and AL2 can install on their systems when they are unable to update to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046. The package includes a service that checks every second for running JVMs on AL1 and AL2 and applies the hotpatch to them. Amazon Linux 2023 does not include the hotpatch.
Starting Friday, 2021-12-17, JDKs shipped in Amazon Linux 1 and Amazon Linux 2 will automatically install the hotpatch package. JDKs shipped in Amazon Linux 2023 do NOT install the hotpatch package. If you need to disable the hotpatch, this can be done by running sudo touch /etc/log4j-cve-2021-44228-hotpatch.kill. This command creates a file that the hotpatch service detects; once the file is present, the service no longer attempts to apply the hotpatch to any running JVM it finds.
For additional details, see the advisories listed below.
Updates to Prior Hotpatch Versions
A previous version (1.1-9) of the hotpatch RPM had an issue when -Xms was used to set the minimum heap size to a large value (>=32GB) along with the -XX:+AlwaysPreTouch option. This can be remediated either by not starting with -XX:+AlwaysPreTouch or by disabling the hotpatch as described above.
A previous version of the service applied the hotpatch every 30 minutes, only supported JDK8 and JDK11, and did not have the capability of patching JVMs running in containers. Make sure you have the latest version by running yum update log4j-cve-2021-44228-hotpatch.
High Performance Computing on AL2
The Amazon Linux team is aware of reports that some latency-sensitive High Performance Computing (HPC) workloads experience degraded performance on AL2 hosts running the log4j hotpatch service. If you have ascertained that your systems are fully patched and are no longer impacted by CVE-2021-44228 or CVE-2021-45046, you can choose to not run the log4j hotpatch service.
To prevent the service from being started on an AL2 instance (even before the hotpatch RPM is installed), you can run systemctl mask log4j-cve-2021-44228-hotpatch. Please note that masking the service will not stop the service if it is already running.
To stop all hotpatch services, run systemctl stop log4j-cve-2021-44228-hotpatch.
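The following audit script is an added example, not part of this announcement or of the hotpatch package. It reports the state of the hotpatch on a host using the package, service and kill-file names given above (it assumes an AL2 host with systemd for the service check; on AL1 the unit state is reported as unknown) and maps that state to the action this announcement recommends.

```shell
#!/bin/sh
# Added example (not Amazon's code): audit the Log4j hotpatch state on a host.
PKG=log4j-cve-2021-44228-hotpatch
SVC=log4j-cve-2021-44228-hotpatch
KILL_FILE=/etc/log4j-cve-2021-44228-hotpatch.kill

# Classify the hotpatch state from three observations, kept separate from
# the rpm/systemctl calls so the decision logic can be tested on any box:
#   $1 package installed (yes/no), $2 unit state (active/inactive/masked/
#   unknown), $3 kill file present (yes/no).
hotpatch_state() {
  installed=$1; unit=$2; killfile=$3
  [ "$installed" = yes ] || { echo not-installed; return; }
  [ "$killfile" = no ] || { echo installed-disabled-by-killfile; return; }
  case "$unit" in
    active) echo installed-active ;;
    masked) echo installed-masked ;;
    *)      echo installed-not-running ;;
  esac
}

# Map a state to the action the announcement describes for it.
advice() {
  case "$1" in
    not-installed)     echo "install with: yum install $PKG (mitigation only; still update log4j)" ;;
    installed-active)  echo "hotpatch service running; still update log4j to a fixed version" ;;
    installed-masked|installed-disabled-by-killfile)
                       echo "hotpatch deliberately disabled; confirm log4j itself is updated" ;;
    *)                 echo "installed but not running; check: systemctl status $SVC" ;;
  esac
}

# Observations on a real host (assumption: AL2 with systemd; AL1 -> unknown).
observe_installed() { rpm -q "$PKG" >/dev/null 2>&1 && echo yes || echo no; }
observe_killfile()  { [ -e "$KILL_FILE" ] && echo yes || echo no; }
observe_unit() {
  command -v systemctl >/dev/null 2>&1 || { echo unknown; return; }
  [ "$(systemctl is-enabled "$SVC" 2>/dev/null)" = masked ] && { echo masked; return; }
  systemctl is-active "$SVC" 2>/dev/null || true   # prints active/inactive/unknown
}

report() {
  state=$(hotpatch_state "$(observe_installed)" "$(observe_unit)" "$(observe_killfile)")
  echo "$PKG: $state"
  echo "action: $(advice "$state")"
}

report
```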
Advisories
- Amazon Linux 1 - ALAS-2021-1553
- Amazon Linux 2 - ALAS2-2021-1731
- Amazon Linux 2 - ALAS2CORRETTO8-2021-001
- Amazon Linux 2 - ALAS2JAVA-OPENJDK11-2021-001