Amazon Web Services’ hotpatch in response to Log4Shell vulnerabilities could be used to gain access to sensitive systems

The Amazon Web Services (AWS) “hotpatch” released in response to the Log4Shell vulnerabilities could be used for container escape and privilege escalation, allowing an attacker to take control of the underlying host.

“Aside from containers, unprivileged processes can also exploit the patch to escalate privileges and gain root code execution,” said Yuval Avrahami of Palo Alto Networks Unit 42 in a report published this week.

The flaws — CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071 (CVSS scores: 8.8) — affect the AWS hotpatch solutions because they search for Java processes and patch them against the Log4j flaw on the fly, without ensuring that the Java processes they invoke run within the container’s restrictions.

“Any process that runs a binary named ‘java’ – inside or outside of a container – is considered a candidate for the hot patch,” Avrahami explained. “A malicious container could thus have included a malicious binary named ‘java’ in order to trick the installed hot patch solution into invoking it with elevated privileges.”

The malicious ‘java’ process could then use those elevated privileges to escape the container and take complete control of the compromised server.

In a similar manner, a rogue unprivileged process could have created and executed a malicious binary named “java” to trick the hotpatch service into running it with elevated privileges.
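What a patching agent should check before acting on a candidate process, as an added Python illustration that is not AWS’s hotpatch code or Unit 42’s: resolve the real executable instead of trusting the name ‘java’, and treat any process in a foreign mount namespace as confined to its container. The trusted JVM prefix, the `Candidate` fields and the sample process table are assumptions made for this example.

```python
import os
from dataclasses import dataclass

# Assumption: legitimate JVMs on this host live under these prefixes.
TRUSTED_JVM_PREFIXES = ("/usr/lib/jvm/",)

@dataclass
class Candidate:
    pid: int
    comm: str    # /proc/<pid>/comm: the name the hotpatch matched on
    exe: str     # target of /proc/<pid>/exe
    mnt_ns: str  # target of /proc/<pid>/ns/mnt, e.g. "mnt:[4026531840]"

def classify(cand, host_mnt_ns, trusted=TRUSTED_JVM_PREFIXES):
    """Decide how a patching agent may treat a process named 'java'.

    'container-confined': the process is in another mount namespace, so its exe
    path is relative to the container's root and attacker-controlled; any action
    must run under that container's namespaces, capabilities and cgroups, never
    with host privileges.  'reject-untrusted-exe': a host process merely named
    java, which is the trick the article describes.
    """
    if cand.comm != "java":
        return "skip"
    if cand.mnt_ns != host_mnt_ns:
        return "container-confined"
    if not cand.exe.startswith(trusted):
        return "reject-untrusted-exe"
    return "host-jvm"

def read_candidate(pid):
    """Build a Candidate from the live /proc (Linux only; root needed for other users' processes)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    return Candidate(pid, comm, os.readlink(f"{base}/exe"), os.readlink(f"{base}/ns/mnt"))

def audit(candidates, host_mnt_ns):
    """Map pid -> verdict for every candidate."""
    return {c.pid: classify(c, host_mnt_ns) for c in candidates}

# Constructed sample process table (not captured from a real host).
HOST_NS = "mnt:[4026531840]"
SAMPLE = [
    Candidate(1, "systemd", "/usr/lib/systemd/systemd", HOST_NS),
    Candidate(2001, "java", "/usr/lib/jvm/java-11/bin/java", HOST_NS),  # real host JVM
    Candidate(2002, "java", "/tmp/java", HOST_NS),                      # impostor on the host
    Candidate(3003, "java", "/usr/lib/jvm/java-11/bin/java", "mnt:[4026532519]"),  # in a container
]
```

On a live host, `audit([read_candidate(p) for p in pids], os.readlink("/proc/1/ns/mnt"))` applies the same verdicts to real processes.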

Users should upgrade to the fixed hotpatch version as soon as possible to avoid potential exploitation, but only after prioritising patching against the actively exploited Log4Shell flaws themselves.

“Containers are frequently used as a security boundary between applications running on the same machine,” explained Avrahami. “With a container escape, an attacker can expand a campaign beyond a single application and compromise neighbouring services.”