CVE-2022-0070

Public on 2022-04-18
Modified on 2022-04-18
Description

The Apache Log4j hotpatch package starting with log4j-cve-2021-44228-hotpatch-1.1-16 will now explicitly mimic the Linux capabilities and cgroups of the target Java process that the hotpatch is applied to.

In order to mimic the Linux capabilities of the target process, Amazon Linux 1 customers need to be running kernel version 4.14.275-142.503 or later, while Amazon Linux 2 customers on ARM need to be running kernel versions 4.14.275-207.503, 5.4.188-104.359, 5.10.109-104.500 or later. Amazon Linux 2 customers on Intel or AMD instances do not need an updated kernel.

Severity
Important
See what this means
CVSS v3 Base Score
8.8
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 log4j-cve-2021-44228-hotpatch 2022-04-18 19:44 ALAS-2022-1580
Amazon Linux 2 - Core log4j-cve-2021-44228-hotpatch 2022-04-18 19:43 ALAS2-2022-1773

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD CVSSv2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C
NVD CVSSv3 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References

Red Hat: CVE-2022-0070 Mitre: CVE-2022-0070 FAQs regarding Amazon Linux ALAS/CVE Severity