AWS's Log4j patches blew holes in its own security
Remote code exec is so 2014. Have this container escape and privilege escalation, instead
Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation.
The vulnerabilities introduced by Amazon's Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity bugs rated 8.8 out of 10 on the CVSS scale. AWS customers using Java software in their off-prem environments should grab the latest patch set from Amazon and install it.
"We recommend that customers who run Java applications in containers, and use either the hotpatch or Hotdog, update to the latest versions of the software immediately," the cloud giant said in a security bulletin on Tuesday.
In December, shortly after security researchers sounded the alarm on the now-infamous remote-code execution flaw in Apache's incredibly widely used logging library, Amazon released emergency hot-fixes to close the Log4j RCE in vulnerable JVMs across multiple environments: standalone virtual servers, Kubernetes clusters, Amazon Elastic Container Service (ECS) instances, and AWS Fargate serverless situations.
The goal was to quickly address the logging library vulnerability while sysadmins figured out how to migrate their applications and services to a non-vulnerable Log4j version.
However, the hot-fixes inadvertently introduced new weaknesses. These new bugs, if exploited, could allow a miscreant to escape a container and take over the underlying host server as the root user, according to Palo Alto Networks' Unit 42 threat research team, which discovered the flaws. Exploitation could thus lead to the hijacking of other containers and customer applications on the host.
Hotdog! AWS releases new hotpatches
AWS this week issued new versions of the hotpatch for Amazon Linux and Amazon Linux 2. Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the new version by running the following command:
sudo yum update
Customers using Bottlerocket with the Hotdog fix for Apache Log4j can update to the latest Bottlerocket release, which includes the updated version of Hotdog.
To address the vulns in Kubernetes clusters, users can install the latest DaemonSet provided by AWS, which includes the fixed hotpatch.
The issue with the earlier AWS patches, according to Unit 42 security researcher Yuval Avrahami, is that they will attempt to patch any process running a binary named "java" – in order to fix up vulnerable JVMs – and will do so by running the container's "java" binary with high privileges and the safeties removed. As he explained:
For example, the 'java' binary was invoked in the container namespaces via the nsenter command (excluding the user namespace). But aside from that, it was spawned with all Linux capabilities, and without the isolation technologies that normally confine containers, such as seccomp and cgroups. It also ran as the root user regardless of the container's user.
We're told a container with a malicious binary named "java" would therefore be invoked by the patch, with sufficient privileges to escape the container, and take over the host.
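The privilege profile Avrahami describes (root, every Linux capability, no seccomp) is something a defender can look for on a host. The Python below is added here as an illustration and is not code from the article, AWS or Unit 42: it audits constructed /proc/<pid>/status excerpts for "java" processes whose effective capability set exceeds the container runtime's default bounding set or that run with seccomp disabled. The baseline mask is Docker's documented default capability set, assumed here; check it against your own runtime's configuration.

```python
"""Audit /proc/<pid>/status records for 'java' processes carrying the
privilege profile of the flawed hotpatch. The records below are constructed
samples; on a live host read each /proc/<pid>/status file instead."""

# Docker's default bounding set (CAP_CHOWN, DAC_OVERRIDE, FOWNER, ... AUDIT_WRITE,
# SETFCAP). Assumed baseline: verify against your runtime before relying on it.
CONTAINER_DEFAULT_CAPS = 0x00000000A80425FB

# Constructed sample records: only the fields the audit needs are included.
SAMPLE_STATUS = {
    1234: "Name:\tjava\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n",
    5678: "Name:\tjava\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nSeccomp:\t0\n",
    9012: "Name:\tnginx\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nSeccomp:\t0\n",
}


def parse_status(text):
    """Turn the 'Key:\tvalue' lines of a status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def excess_caps(capeff, baseline=CONTAINER_DEFAULT_CAPS):
    """Capability bits present in capeff but not granted by the baseline."""
    return capeff & ~baseline


def privilege_findings(fields, baseline=CONTAINER_DEFAULT_CAPS):
    """Reasons a 'java' process looks over-privileged; empty list means clean."""
    if fields.get("Name") != "java":
        return []
    findings = []
    extra = excess_caps(int(fields["CapEff"], 16), baseline)
    if extra:
        findings.append(f"capabilities beyond container default: {extra:#x}")
    if int(fields.get("Seccomp", "0")) == 0:  # 0 = no seccomp filter at all
        findings.append("seccomp disabled")
    if findings and fields["Uid"].split()[0] == "0":
        findings.append("running as root")
    return findings


def audit(statuses, baseline=CONTAINER_DEFAULT_CAPS):
    """Map each flagged pid to its findings."""
    result = {}
    for pid, text in statuses.items():
        findings = privilege_findings(parse_status(text), baseline)
        if findings:
            result[pid] = findings
    return result


if __name__ == "__main__":
    for pid, findings in audit(SAMPLE_STATUS).items():
        print(f"pid {pid}: " + "; ".join(findings))
```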
Unit 42 created a proof-of-concept video that shows a supply-chain attack via a malicious container image that exploits the earlier patch. Similarly, existing compromised containers can exploit the vuln to escape and take over their underlying host. But the security team "decided not to share the exploit's implementation details at this time to prevent malicious parties from weaponizing it."
The fixed AWS patches spawn "java" binaries with the appropriate privileges to prevent a container escape, Avrahami wrote. ®