AWS resources to address Apache Log4j vulnerabilities
This blog post aims to provide a summary of all the currently disclosed Apache Log4j issues as well as important resources that Amazon Web Services (AWS) has released to help our customers and partners limit any risks associated with these issues.
Log4j issue description and timeline
On December 9, 2021, news broke about a newly disclosed issue (CVE-2021-44228) in Apache’s popular Log4j Java-based logging library. The issue, which allows unauthenticated remote code execution when attacker-controlled data containing a Java Naming and Directory Interface (JNDI) lookup is logged, was assigned a severity of “critical” and a base Common Vulnerability Scoring System (CVSS) score of 10.0, the maximum the CVSS scale allows. It affects Log4j 2 versions 2.0-beta9 through 2.14.1.
At the time of this writing, two further Log4j issues have been disclosed. The second (CVE-2021-45046) has been assigned a severity of “critical” and a base CVSS score currently at 9.0. It exists because the fix shipped in Log4j 2.15.0 was incomplete in certain non-default configurations: where the logging configuration uses a pattern layout with a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern, an actor who controls Thread Context Map data can still craft malicious input using a JNDI lookup pattern, as the NVD website explains.
The most recent of these issues, CVE-2021-45105, has a severity of “high” and a base CVSS score currently at 7.5. It is a denial-of-service issue: affected versions do not protect against uncontrolled recursion from self-referential lookups, so an actor who controls Thread Context Map data can supply a string that triggers infinite recursion and terminates the process.
Resources for addressing Log4j
On December 17, the Cybersecurity and Infrastructure Security Agency (CISA) released Emergency Directive 22-02, “Mitigate Apache Log4j Vulnerability,” which sets required actions and completion deadlines for federal civilian executive branch agencies.
AWS also released several resources to keep our customers and partners aware of our approach to mitigating and limiting any potential risk posed by these recently disclosed Apache Log4j2 issues. Below is a quick summary of some of the most important AWS resources to help with your mitigation strategies for these issues:
For CVE-2021-44228 and the other disclosed issues, the first recommendation is to update Log4j to the latest fixed version. On December 12, AWS released a tool to hotpatch susceptible Log4j deployments. This tool can be used to hotpatch running Java Virtual Machines (JVMs) using Log4j 2.0 and up. The tool finds JVMs running on the host, attaches to each one, and attempts to mitigate the issue. The hotpatch is designed to address the CVE-2021-44228 remote code execution issue in Log4j without restarting the Java process; it is a stopgap that buys time for the upgrade, not a substitute for it.
This tool is available on GitHub, though as with all open source software, please note that you are using this tool at your own risk. According to Steve Schmidt, vice president and chief information security officer for AWS, “It’s important that you review, patch, or mitigate this vulnerability as soon as possible.” Read the full details on how this tool works here.
There are several AWS services that customers can use to help mitigate and limit the risk posed by the Log4j issues. The following recommendations can help our customers and partners adopt a layered approach to protecting against, detecting, and responding to these issues.
- Protection: AWS WAF (to block requests carrying JNDI lookup patterns before they reach the application), Amazon Route 53 Resolver DNS Firewall and DNS query logging (to block and record the outbound DNS resolutions an exploit attempt triggers), AWS Network Firewall (to restrict the outbound LDAP, RMI, and similar connections a vulnerable JVM would make to an attacker-controlled server), and the use of Amazon Elastic Compute Cloud (Amazon EC2) Instance Metadata Service Version 2 (IMDSv2) rather than IMDSv1 (IMDSv2 requires a session token obtained with a PUT request, so instance credentials cannot be retrieved with a single injected GET) can all help limit the risk posed by the Log4j issues.
- Detection: Amazon Inspector (which scans EC2 instances and container images for vulnerable Log4j packages), Amazon GuardDuty, AWS Security Hub (which aggregates findings from the other services), and the VPC flow logs feature of Amazon Virtual Private Cloud (Amazon VPC) (which records the unexpected outbound connections a compromised host makes) can all be used to help detect vulnerable Log4j deployments and signs of exploitation.
- Response: AWS Systems Manager Patch Manager can be used to detect the presence of the Log4j issues and apply available patches. For containers, the AWS Kubernetes team has developed an RPM that performs a JVM-level hotpatch which disables JNDI lookups in the Log4j2 library, helping to mitigate Log4j2 CVE-2021-44228 and CVE-2021-45046. More details can be found on this GitHub page.
For further details on how the above services can be used to help mitigate and limit any risks posed by the Log4j issues, please see the referenced blog post here.
AWS engineers have fully deployed the Amazon-developed Java hotpatch discussed above to all AWS services. They will also soon complete the deployment of the updated Log4j library to all AWS services. See this security bulletin for current updates to AWS services with regards to CVE-2021-44228 and CVE-2021-45046. For additional details or assistance, please contact AWS Support.
For a more comprehensive list of mitigation steps for specific versions of Log4j, please visit the Apache website.
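Apache's per-version guidance comes down to two checks a host-level inventory has to make: which log4j-core version is present, and, for a version below the fixed release, whether the documented stopgap of deleting `JndiLookup.class` from the jar has been applied. The Python below is an added example, not AWS or Apache tooling, that walks a directory tree, recurses into `.war`/`.ear` archives and other nested jars (where most real copies of log4j-core hide), and classifies each copy. The `FIXED` table encodes the releases Apache named for the three issues this post covers (2.3.1 for Java 6, 2.12.3 for Java 7, 2.17.0 for Java 8 and later) and should be updated as new advisories appear; the fixture jars built in `demo()` are constructed stand-ins with real entry names and dummy class bytes.

```python
"""Inventory log4j-core jars on a host, including jars nested in .war/.ear or fat
jars, and classify each against Apache's fixed releases and class-removal mitigation.
Added example; not AWS or Apache tooling. Fixture jars are constructed stand-ins."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

CORE_PKG = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PKG + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First release per branch that fixes CVE-2021-44228, -45046 and -45105
# (2.3.1 for Java 6, 2.12.3 for Java 7, 2.17.0 for Java 8+). Update as Apache publishes more.
FIXED = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}
FIXED_DEFAULT = (2, 17, 0)
ARCHIVE_EXT = (".jar", ".war", ".ear")


@dataclass
class Finding:
    label: str              # path, with '!' separating nested archive members
    version: Optional[str]
    jndi_class_present: bool
    status: str             # fixed | vulnerable | mitigated-jndi-removed | unknown-version


def parse_version(text: str) -> Optional[tuple]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); garbage -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def classify(version: Optional[str], jndi_present: bool) -> str:
    v = parse_version(version) if version else None
    if v is None:
        return "unknown-version"
    if v >= FIXED.get(v[:2], FIXED_DEFAULT):
        return "fixed"
    # Apache's documented stopgap for vulnerable 2.x: delete JndiLookup.class from the jar.
    return "vulnerable" if jndi_present else "mitigated-jndi-removed"


def _version_of(z: zipfile.ZipFile, names: set, label: str) -> Optional[str]:
    """Prefer Maven pom.properties (it survives shading); fall back to the file name."""
    if POM_PROPS in names:
        for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-(\d[^/!]*?)\.jar$", label)
    return m.group(1) if m else None


def assess_archive(z: zipfile.ZipFile, label: str, out: List[Finding]) -> None:
    names = set(z.namelist())
    if any(n.startswith(CORE_PKG) for n in names):
        version, present = _version_of(z, names, label), JNDI_CLASS in names
        out.append(Finding(label, version, present, classify(version, present)))
    for n in sorted(names):  # recurse into WEB-INF/lib and other nested archives
        if n.endswith(ARCHIVE_EXT):
            data = io.BytesIO(z.read(n))
            if zipfile.is_zipfile(data):
                with zipfile.ZipFile(data) as inner:
                    assess_archive(inner, f"{label}!{n}", out)


def scan_tree(root: str) -> List[Finding]:
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if f.endswith(ARCHIVE_EXT) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as z:
                    assess_archive(z, os.path.relpath(path, root), out)
    return sorted(out, key=lambda f: f.label)


def _fake_jar(target, version: str, with_jndi: bool = True) -> None:
    """Constructed stand-in for log4j-core: real entry names, dummy class bytes."""
    with zipfile.ZipFile(target, "w") as z:
        z.writestr(CORE_PKG + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, f"version={version}\n")


def demo() -> dict:
    """Build a constructed tree (loose jars, an unrelated jar, a .war) and return {label: status}."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.mkdir(lib)
        for ver, jndi in [("2.14.1", True), ("2.10.0", False), ("2.17.0", True),
                          ("2.12.1", True), ("2.12.3", True)]:
            _fake_jar(os.path.join(lib, f"log4j-core-{ver}.jar"), ver, jndi)
        with zipfile.ZipFile(os.path.join(lib, "commons-lang3-3.12.0.jar"), "w") as z:
            z.writestr("org/apache/commons/lang3/StringUtils.class", b"\xca\xfe\xba\xbe")
        nested = io.BytesIO()
        _fake_jar(nested, "2.13.3")
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", nested.getvalue())
        return {f.label: f.status for f in scan_tree(root)}


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{status:24} {label}")
```

Two caveats matter in practice. A jar reported as `mitigated-jndi-removed` is still an old build and should be upgraded once the application can be restarted, and a version read from a shaded or renamed jar is only as reliable as the embedded `pom.properties`; when that file is absent and the file name carries no version, the scanner reports `unknown-version` rather than guessing, and the jar needs manual inspection.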
Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.