Amazon’s Hotfix for Log4Shell is a Hot Mess

Log4Shell, the Log4j vulnerability, is this month’s headache.

Due to how bad it is, Amazon released a “HotFix” for AWS users. The hot patch service, if deployed by a user, goes through the user’s environment, looks for vulnerable Java apps and hot patches them.

Only one problem.

Palo Alto Networks Unit 42 discovered a vulnerability which can be used to take over the server or the cluster running the patch service.

The patch service can patch standalone AWS servers, Kubernetes clusters and Elastic Container Service clusters. While it is designed for AWS, it can be installed anywhere.

HOWEVER, Unit 42 says that every container in a cluster can exploit the vulnerability they found to both escape the container and elevate its privileges.

Palo Alto Networks alerted Amazon and Amazon has fixed the fix, but users have to know there is a new version and deploy it.

Hot patches are expected to be rough and are designed to be used only until a real fix can be deployed, but that approach has drawbacks. This is one of them.

Credit: Portswigger