Amazon's Hotpatch for Log4j Flaw Vulnerable to Privilege Escalation Bug

According to Palo Alto Networks, Amazon’s hotpatch for Log4j flaw is vulnerable to privilege escalation bugs. The vulnerabilities can be exploited by bad actors for container escape and privilege escalation, allowing an attacker to seize control of the underlying host.

Yuval Avrahami, a researcher from Palo Alto Networks Unit 42 said, “Aside from containers, unprivileged processes can also exploit the patch to escalate privileges and gain root code execution.” 

The four vulnerabilities discovered, CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071, all with CVSS scores of 8.8, affect the hotfix solutions provided by AWS. The vulnerabilities stem from a design meant to search for running Java processes and patch them against the Log4j flaw on the fly, without ensuring that the new Java processes it started would run within the restrictions imposed.

Avrahami further added, “Any process running a binary named ‘java’ – inside or outside of a container – is considered a candidate for the hot patch. A malicious container, therefore, could have included a malicious binary named ‘java’ to trick the installed hot patch solution into invoking it with elevated privileges.”

Bad actors could weaponize this further: the malicious ‘java’ process, once run with elevated privileges, can escape the container and gain full control over the compromised server.

Similarly, an unprivileged process could execute a malicious binary named “java” to trick the hotpatch service into running it with elevated privileges.
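The name-based matching the article describes can be audited from the defender's side. The following is an added example, not AWS's hotpatch code or Unit 42's research code: it assumes a Linux host with /proc, models a hotpatch candidate as any process whose executable is named ‘java’ (the article's description, not the hotpatch's actual matching logic), and the trusted JDK directories are an assumption to adjust per environment.

```python
import os
from dataclasses import dataclass

# Assumed locations of legitimately installed JDKs; adjust for your images.
TRUSTED_JAVA_PREFIXES = ("/usr/lib/jvm/", "/usr/java/", "/opt/java/")

@dataclass
class Proc:
    pid: int
    exe: str            # resolved target of /proc/<pid>/exe
    in_container: bool  # mount namespace differs from the auditor's

def is_hotpatch_candidate(p):
    # Models the article's description: only the binary's name is considered.
    return os.path.basename(p.exe).removesuffix(" (deleted)") == "java"

def suspicious_java_processes(procs):
    """(pid, exe, reasons) for each 'java' process running in a container
    or whose binary lives outside the trusted JDK directories."""
    findings = []
    for p in procs:
        if not is_hotpatch_candidate(p):
            continue
        reasons = []
        if p.in_container:
            reasons.append("runs inside a container")
        if not p.exe.startswith(TRUSTED_JAVA_PREFIXES):
            reasons.append("binary outside trusted JDK locations")
        if reasons:
            findings.append((p.pid, p.exe, reasons))
    return findings

def live_processes():
    """Read /proc on a Linux host; run as root to see every process."""
    procs, host_ns = [], os.readlink("/proc/self/ns/mnt")
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{name}/exe")
            ns = os.readlink(f"/proc/{name}/ns/mnt")
        except OSError:
            continue  # kernel threads and processes we may not inspect
        procs.append(Proc(int(name), exe, ns != host_ns))
    return procs

# Constructed sample input so the check can be exercised without a live host.
SAMPLE = [Proc(101, "/usr/lib/jvm/java-11-openjdk/bin/java", False),
          Proc(202, "/tmp/java", True), Proc(303, "/bin/bash", False),
          Proc(404, "/usr/lib/jvm/java-17/bin/java", True)]
```

On a real host, `suspicious_java_processes(live_processes())` lists every process a name-based hotpatch would target that is worth a second look; on the constructed sample it flags pids 202 and 404 and ignores the host JDK and the shell.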

Users have been advised to upgrade to the fixed hotpatch version as soon as possible to protect against potential exploitation, while still prioritizing patching against the actively exploited Log4Shell flaws.

Avrahami concluded by saying, “Containers are often used as a security boundary between applications running on the same machine. A container escape allows an attacker to extend a campaign beyond a single application and compromise neighboring services.”
