Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Serious Vulnerabilities Found in AWS’s Log4Shell Hot Patches

Hot patches made available by Amazon Web Services (AWS) in response to the recent Log4j vulnerabilities could be exploited for privilege escalation or to escape containers, according to Palo Alto Networks.

Hot patches made available by Amazon Web Services (AWS) in response to the recent Log4j vulnerabilities could be exploited for privilege escalation or to escape containers, according to Palo Alto Networks.

Apache Log4j vulnerabilities disclosed in December 2021, including the one tracked as Log4Shell, can allow attackers to remotely execute arbitrary code and take control of vulnerable systems.

In response to these flaws, AWS released multiple hot patches – each suitable for a different environment, including servers, Kubernetes, Elastic Container Service (ECS) and Fargate – that would keep track of vulnerable applications and containers and patch them on the fly.

Researchers from Palo Alto Networks’ Unit42 discovered that, once the hot patch had been installed, any container on the server or cluster could exploit it to take over the underlying host. Furthermore, unprivileged processes could exploit the hot patches to elevate privileges and execute code as root.

Starting December 2021, AWS released three hot patching solutions: one bundled in an RPM or Debian package, a hot patch Daemonset for Kubernetes clusters, and one bundled as a set of OCI hooks and meant for Bottlerocket hosts (called Hotdog).

“After any one of the patches is installed to a host or cluster, new containers can exploit the patch to escape and compromise their underlying host. On hosts that installed either the hot patch service or the hot patch Daemonset, existing containers can escape as well,” Unit42 says.

To patch JavaScript processes on the fly, the solutions invoke certain container binaries, and the researchers discovered that they did so without proper containerization, meaning that the limitations that typically apply to container processes would not apply to the new processes as well.

Advertisement. Scroll to continue reading.

[ READ: Fewer-Than-Expected Log4j Attacks, but Mirai Joins the Fray ]

“A malicious container therefore could have included a malicious binary named ‘java’ to trick the installed hot patch solution into invoking it with elevated privileges. The malicious ‘java’ process could then abuse its elevated privileges to escape the container and take over the underlying host,” the researchers explain.

The hot patch solutions treated unprivileged processes in a similar manner, meaning that a malicious unprivileged process could create a binary named “java” and abuse the hot patch service to elevate its privileges.

“The issues are exploitable regardless of the container configuration, so even environments that enable advanced isolation techniques like running containers in user namespaces or as a non-root user are affected,” Unit42 notes.

The security researchers also warn that, because hot patches might have been deployed at scale in the wake of Log4Shell, numerous container environments might have been exposed to security risks, and some may continue to be impacted, given that users might have kept the hot patch running even after other fixes were rolled out.

A total of four issues were identified, tracked as CVE-2021-3100, CVE-2021-3101, CVE-2022-0070 and CVE-2022-0071. Fixes that AWS issued on April 19 eliminate the container escape and privilege escalation possibilities.

Users are encouraged to apply the fixed hot patch solutions as soon as possible, especially in multitenant container environments and clusters that run untrusted images.

Related: CISA Unaware of Any Significant Log4j Breaches in U.S.

Related: Log4Shell-Like Vulnerability Found in Popular H2 Database

Related: SAP Patches Log4Shell Vulnerability in More Applications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.