Amazon Web Services (AWS) has released an updated version of its Log4Shell (CVE-2021-44228) hotpatch, a tool for cloud and on-premises environments running Java applications, or containers, that use vulnerable versions of the Log4j logging library. The update addresses four security vulnerabilities in the hotpatch itself, the company announced.
The hotpatch was offered not only for AWS resources but for any environment, and the flaws in it allowed a container to take over the host it runs on.
The flaws also allowed an unprivileged process on the host to elevate its privileges and execute code as root.
These vulnerabilities are currently being tracked as CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071.
All four are rated high severity, with a CVSS score of 8.8 out of 10.
Hot Patch Trouble
Unit 42 of Palo Alto Networks found that Amazon's Log4Shell hotpatch continuously searches for Java processes and patches them on the fly, and that it does so without ensuring that the "java" binary it invokes runs under the limitations (such as namespaces and capabilities) of the container the process belongs to.
"This allowed the malicious container, containing a malicious binary named 'java', to trick the installed hotpatch solution into calling it with elevated privileges," the researchers explained.
They add: "A malicious 'java' process can exploit its elevated privileges to escape from the container and take over the underlying host."
"Containers can escape regardless of whether they run Java applications or whether their underlying host runs Bottlerocket, AWS' Linux distribution for containers. Containers running with user namespaces or as a non-root user are also affected." – Palo Alto Networks
The patch creates a second issue on the host itself: host processes are treated the same way, so any process named "java", whatever privileges it has, is invoked with elevated privileges during patching.
A malicious actor could therefore plant a binary named "java" in an unprivileged process and trick the patching service into running it with elevated privileges.
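To make the two failure modes above concrete, here is an added example (not AWS's hotpatch code and not Unit 42's proof of concept) that models the decision the patcher has to make. It scans a /proc-style tree for processes whose comm is "java", then compares the vulnerable decision (exec the discovered binary as root, from the host's mount namespace, with the patcher's capabilities) with a hardened one (exec it only inside the target's own mount namespace, as the target's uid, with no capabilities). The /proc tree, pids, paths, namespace ids and all function names are constructed for this example; the hardened branch is the example's own sketch of the property a fix needs, not a description of AWS's actual fix.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class JavaProcess:
    pid: int
    exe: str     # target of /proc/<pid>/exe: the binary a patcher would invoke
    uid: int     # real uid from /proc/<pid>/status
    mnt_ns: str  # target of /proc/<pid>/ns/mnt


@dataclass(frozen=True)
class PatchAction:
    exe: str
    run_as_uid: int
    enter_mnt_ns: Optional[str]  # None: exec from the host's mount namespace
    capabilities: str            # "all" (the patcher's root caps) or "none"


def enumerate_java_processes(proc_root: str) -> List[JavaProcess]:
    """Find processes whose comm is 'java'. comm is just the binary's name,
    so an attacker's binary called 'java' is matched like the real JVM."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pdir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pdir, "comm")) as f:
                if f.read().strip() != "java":
                    continue
            uid = None
            with open(os.path.join(pdir, "status")) as f:
                for line in f:
                    if line.startswith("Uid:"):
                        uid = int(line.split()[1])
            exe = os.readlink(os.path.join(pdir, "exe"))
            mnt_ns = os.readlink(os.path.join(pdir, "ns", "mnt"))
        except OSError:
            continue  # process exited or is unreadable; skip it
        if uid is not None:
            found.append(JavaProcess(int(entry), exe, uid, mnt_ns))
    return found


def plan_vulnerable(proc: JavaProcess) -> PatchAction:
    # What the original hotpatch effectively did: exec the discovered binary
    # as root, from the host's namespaces, with the patch service's own caps.
    return PatchAction(proc.exe, run_as_uid=0, enter_mnt_ns=None,
                       capabilities="all")


def plan_hardened(proc: JavaProcess) -> PatchAction:
    # Give the binary only what its owning process already has: the same mount
    # namespace, the same uid and no capabilities. This is the example's own
    # sketch of the property a fix needs, not a description of AWS's fix.
    return PatchAction(proc.exe, run_as_uid=proc.uid, enter_mnt_ns=proc.mnt_ns,
                       capabilities="none")


def escalates(action: PatchAction, proc: JavaProcess, host_mnt_ns: str) -> bool:
    """True if running `action` hands proc's binary more than proc itself has."""
    leaves_container = proc.mnt_ns != host_mnt_ns and action.enter_mnt_ns != proc.mnt_ns
    gains_root = action.run_as_uid == 0 and proc.uid != 0
    gains_caps = action.capabilities == "all" and proc.uid != 0
    return leaves_container or gains_root or gains_caps


def build_fake_proc(root: str) -> None:
    # Constructed sample tree, not captured from a real host: a legitimate
    # host JVM (100), a container's own "java" (200) and an unprivileged
    # host user's "java" (300). Namespace ids are made up.
    host_mnt = "mnt:[4026531840]"
    procs = [
        (1, "systemd", "/usr/lib/systemd/systemd", 0, host_mnt),
        (100, "java", "/usr/bin/java", 0, host_mnt),
        (200, "java", "/app/java", 0, "mnt:[4026532456]"),
        (300, "java", "/home/bob/java", 1000, host_mnt),
    ]
    for pid, comm, exe, uid, mnt in procs:
        pdir = os.path.join(root, str(pid))
        os.makedirs(os.path.join(pdir, "ns"))
        with open(os.path.join(pdir, "comm"), "w") as f:
            f.write(comm + "\n")
        with open(os.path.join(pdir, "status"), "w") as f:
            f.write(f"Name:\t{comm}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        os.symlink(exe, os.path.join(pdir, "exe"))  # dangling links are fine
        os.symlink(mnt, os.path.join(pdir, "ns", "mnt"))


def demo() -> dict:
    """{pid: (escalates under vulnerable plan, escalates under hardened plan)}"""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        host_mnt = os.readlink(os.path.join(root, "1", "ns", "mnt"))
        return {p.pid: (escalates(plan_vulnerable(p), p, host_mnt),
                        escalates(plan_hardened(p), p, host_mnt))
                for p in enumerate_java_processes(root)}


if __name__ == "__main__":
    for pid, (vuln, hard) in sorted(demo().items()):
        print(f"pid {pid}: vulnerable plan escalates={vuln}, hardened={hard}")
```

Running it shows the legitimate host JVM (pid 100) is safe under either plan, while the container's "java" (pid 200) escapes its mount namespace and the unprivileged user's "java" (pid 300) gains root under the vulnerable plan only. The practical check this encodes is the one the page's findings call for: before a privileged patcher execs anything it found by name, it must confine the exec to the target's namespaces and credentials, because the name "java" proves nothing about who controls the binary.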
The Unit 42 team also released a proof-of-concept (PoC) video demonstrating the container escape scenario.