The “hotpatch” released by Amazon Web Services (AWS) in response to the Log4Shell[1] vulnerabilities could be leveraged for container escape and privilege escalation, allowing an attacker to seize control of the underlying host.
“Aside from containers, unprivileged processes can also exploit the patch to escalate privileges and gain root code execution,” Palo Alto Networks Unit 42 researcher Yuval Avrahami said[2] in a report published this week.
The issues — CVE-2021-3100[3], CVE-2021-3101[4], CVE-2022-0070[5], and CVE-2022-0071[6] (CVSS scores: 8.8) — affect the hotfix solutions[7] shipped by AWS. They stem from the fact that the hotfix is designed to search for Java processes and patch them against the Log4j flaw on the fly, but without ensuring that the new Java processes are run within the restrictions imposed on the container.
“Any process running a binary named ‘java’ – inside or outside of a container – is considered a candidate for the hot patch,” Avrahami elaborated. “A malicious container therefore could have included a malicious binary named ‘java’ to trick the installed hot patch solution into invoking it with elevated privileges.”
In the subsequent step, the elevated privileges could be weaponized by the malicious ‘java’ process to escape the container and gain full control over the compromised server.
A rogue unprivileged process, in a similar manner, could have created and executed a malicious binary named “java” to trick the hotpatch service into running it with elevated privileges.
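To make the selection rule concrete, the following is an added Python illustration (not the hotpatch's own code and not AWS's fix) of a name-only candidate match beside a stricter per-process triage that refuses host privileges for anything not provably a host JDK; the process record layout, the host namespace value, the trusted JDK directory and the sample snapshot are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str    # /proc/<pid>/comm: base name of the executable, chosen by whoever started it
    exe: str     # readlink(/proc/<pid>/exe): resolved path of the running binary
    mnt_ns: str  # readlink(/proc/<pid>/ns/mnt): differs from the host's inside a container

HOST_MNT_NS = "mnt:[4026531840]"        # constructed value standing in for the host namespace
TRUSTED_JAVA_DIRS = ("/usr/lib/jvm/",)  # assumption: where host-installed JDKs live

def name_only_candidates(procs: List[Proc]) -> List[int]:
    """The selection the article describes: every process called 'java', inside or
    outside a container, is a candidate and is handled the same way."""
    return [p.pid for p in procs if p.comm == "java"]

def classify(procs: List[Proc], host_ns: str = HOST_MNT_NS) -> Dict[int, str]:
    """Illustrative stricter triage (an assumption, not the vendor's fix): decide per
    candidate whether host privileges are appropriate at all."""
    verdicts: Dict[int, str] = {}
    for p in procs:
        if p.comm != "java":
            continue
        if p.mnt_ns != host_ns:
            # Lives in a container: anything done to it must stay inside that
            # container's namespaces and restrictions, never run as the host.
            verdicts[p.pid] = "container-confined"
        elif p.exe.startswith(TRUSTED_JAVA_DIRS):
            verdicts[p.pid] = "host-jvm"
        else:
            # Host process named 'java' whose binary is not a known JDK: the
            # unprivileged-process case from the article; do not elevate.
            verdicts[p.pid] = "reject-untrusted-binary"
    return verdicts

SAMPLE = [  # constructed /proc snapshot
    Proc(1201, "java", "/usr/lib/jvm/java-11/bin/java", HOST_MNT_NS),
    Proc(2307, "java", "/opt/app/jre/bin/java", "mnt:[4026532501]"),
    Proc(2410, "java", "/tmp/java", "mnt:[4026532502]"),
    Proc(3015, "java", "/home/user/java", HOST_MNT_NS),
    Proc(2511, "nginx", "/usr/sbin/nginx", "mnt:[4026532503]"),
]

if __name__ == "__main__":
    print(name_only_candidates(SAMPLE))  # [1201, 2307, 2410, 3015]: all treated alike
    for pid, verdict in classify(SAMPLE).items():
        print(pid, verdict)
```

On a real host the same fields come from /proc; the point is that the name in comm is under the caller's control, while the namespace and resolved binary path are not.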
Users are recommended[8] to upgrade to the fixed hot patch version as soon as possible to prevent potential exploitation, but only after prioritizing patching against the actively exploited Log4Shell flaws.
“Containers are often used as a security boundary between applications running on the same machine,” Avrahami said. “A container escape allows an attacker to extend a campaign beyond a single application and compromise neighboring services.”
References
- [1] Log4Shell (thehackernews.com)
- [2] said (unit42.paloaltonetworks.com)
- [3] CVE-2021-3100 (nvd.nist.gov)
- [4] CVE-2021-3101 (nvd.nist.gov)
- [5] CVE-2022-0070 (nvd.nist.gov)
- [6] CVE-2022-0071 (nvd.nist.gov)
- [7] hotfix solutions (alas.aws.amazon.com)
- [8] recommended (aws.amazon.com)
Read more https://thehackernews.com/2022/04/amazons-hotpatch-for-log4j-flaw-found.html
