
Log4J Vulnerabilities - Amazon Resolutions (Updated to 10 Dec 2021)
The information below is taken from https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.
- Date: Dec 10, 2021
- Severity: High
AWS is aware of the recently disclosed issues relating to the open-source Apache "Log4j2" utility (CVE-2021-44228 and CVE-2021-45046).
Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of customers' data and workloads. AWS is taking this issue very seriously, and its world-class team of engineers has been working around the clock on response and remediation. AWS expects to rapidly restore its full state of defense in depth.
One of the technologies AWS has developed and deployed extensively is a hot patch for applications that may include Log4j. This hot patch updates the Java VM to disable the loading of the Java Naming and Directory Interface (JNDI) lookup class, replacing it with a harmless notification message, which is an effective mitigation of CVE-2021-44228 and CVE-2021-45046.
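Before deciding where the hot patch is needed, a defender wants to know which deployed archives actually bundle the JndiLookup class it neutralises. The following scanner is an added example, not code from AWS or the bulletin: it walks nested archives (war files, Spring Boot BOOT-INF/lib jars) and reports the class's presence together with the bundled log4j-core version read from its Maven metadata; the class and metadata paths are the standard log4j-core ones, and the sample jar it scans is constructed in the block.

```python
import io
import zipfile

# The hot patch described above neutralises exactly this class at runtime.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _log4j_version(zf):
    """Return the log4j-core version from the jar's Maven metadata, or None."""
    if POM_PROPERTIES not in zf.namelist():
        return None
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def scan_archive(data, name, depth=0, max_depth=5):
    """Return [(path, version)] for every (nested) archive bundling JndiLookup; '!' marks nesting."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: skip it rather than abort the scan
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP_CLASS in names:
            findings.append((name, _log4j_version(zf)))
        if depth < max_depth:  # bound recursion on pathological nesting
            for inner in sorted(names):
                if inner.lower().endswith(ARCHIVE_SUFFIXES):
                    findings += scan_archive(zf.read(inner), f"{name}!{inner}", depth + 1, max_depth)
    return findings


def build_sample_app_jar(version="2.14.1"):
    """Constructed test data: an app jar nesting a fake log4j-core jar (not a real artifact)."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as zf:
        zf.writestr(f"BOOT-INF/lib/log4j-core-{version}.jar", core.getvalue())
    return app.getvalue()


if __name__ == "__main__":
    for path, version in scan_archive(build_sample_app_jar(), "app.jar"):
        print(f"JndiLookup found in {path} (log4j-core {version})")
```

The scanner reports presence, not exploitability: later log4j-core releases still ship the class with the lookup disabled, so the reported version decides whether the hot patch or an upgrade is still needed.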
Most Amazon products have been affected by the Log4j vulnerabilities, including the following:
- Amazon EKS
- Amazon ECS
- Amazon Fargate
Customers need to apply the hot patch to these services to mitigate the issue.
The following Amazon products have been updated to mitigate the issues identified in CVE-2021-44228:
- Amazon Cognito
- Amazon Pinpoint
- Amazon EventBridge
- Amazon Load Balancing
- AWS Route 53