Initial Publication Date: 2022/04/19 14:30 PST
CVE IDs: CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071

On December 12, 2021, Amazon publicly released a hotpatch for running Java VMs which disables the loading of the Java Naming and Directory Interface (JNDI) class. This hotpatch provides an immediate mitigation for critical issues within the open-source Apache “Log4j2" utility (CVE-2021-44228 and CVE-2021-45046) while allowing system administrators sufficient time to fully patch impacted environments. Security researchers recently reported issues within this hotpatch, and the associated OCI hooks for Bottlerocket (“Hotdog”). We have addressed these issues within a new version of the hotpatch, and a new version of Hotdog. We recommend that customers who run Java applications in containers, and use either the hotpatch or Hotdog, update to the latest versions of the software immediately. The latest package names and versions of the hotpatch for Amazon Linux and Amazon Linux 2 are as follows:

  • Amazon Linux: log4j-cve-2021-44228-hotpatch-1.1-16.amzn1
  • Amazon Linux 2: log4j-cve-2021-44228-hotpatch-1.1-16.amzn2

Customers using the hotpatch for Apache Log4j on Amazon Linux can update to the latest hotpatch version by running the following command: sudo yum update. The hotpatch expects an environment containing the latest Linux kernel updates, and customers should not skip any available kernel updates when updating the version of the hotpatch in use. More information is available within the Amazon Linux Security Center: https://alas.aws.amazon.com

Customers using Bottlerocket with the hotpatch for Apache Log4j feature enabled should update to the latest release of Bottlerocket, which includes the most recent version of Hotdog.

We would like to thank Palo Alto Networks for reporting these issues.

Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.