Initial Publication Date: 2021/12/10 7:20 PM PDT
All updates to this issue have moved here.
AWS is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2" utility (CVE-2021-44228). We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service.
We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, available at: https://logging.apache.org/log4j/2.x/download.html or their operating system’s software update mechanism. Additional service-specific information is below.
If you need additional details or assistance, please contact AWS Support.
Amazon EC2
The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228. More information about security-related software updates for Amazon Linux is available at: https://alas.aws.amazon.com.
AWS WAF / Shield
To improve detection and mitigation of risks arising from the recent Log4j security issue, we have updated the AWSManagedRulesKnownBadInputsRuleSet AMR in the AWS WAF service. Customers of CloudFront, Application Load Balancer (ALB), API Gateway, and AppSync can immediately take advantage of this mitigation option, which inspects uri, request body, and commonly used headers to add an additional layer of defense, by creating an AWS WAF web ACL, adding the AWSManagedRulesKnownBadInputsRuleSet to your web ACL, and then associating the web ACL with your CloudFront distribution, ALB, API Gateway or AppSync GraphQL APIs.
More information on getting started with AWS WAF is available here: https://docs.aws.amazon.com/waf/latest/developerguide/getting-started.html
Additional documentation for enabling AMRs is available here: https://docs.aws.amazon.com/waf/latest/developerguide/waf-using-managed-rule-groups.html
Please note that AMRs are not available in WAF Classic, so please upgrade to AWS WAF (wafv2) to take advantage of this mitigation option.
Amazon OpenSearch
We are updating all Amazon OpenSearch Service domains to use a version of “Log4j2” that addresses the issue. You may observe intermittent activity on your domains during the update process.
AWS Lambda
AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228. Customers using the aws-lambda-java-log4j2 (https://repo1.maven.org/maven2/com/amazonaws/aws-lambda-java-log4j2/) library in their functions will need to update to version 1.3.0 and redeploy.
AWS CloudHSM
CloudHSM JCE SDK versions earlier than 3.4.1 include a version of Apache Log4j affected by this issue. On December 10, 2021, CloudHSM released JCE SDK v3.4.1 with a fixed version of Apache Log4j. If you use CloudHSM JCE versions earlier than 3.4.1, you may be impacted and should remediate by upgrading CloudHSM JCE SDK to version 3.4.1 or higher [1].
[1] https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-library-install.html