Within days of the discovery of the Log4Shell vulnerability last December, AWS shipped hotpatches for the bug – and in doing so, created a new set of serious security holes.

This week, researchers from Palo Alto Networks Unit 42 described the now-patched hotpatch bugs, which allowed both container escape and privilege escalation by unprivileged processes.
In either case, exploitation results in code execution with root privilege.
As Unit 42’s disclosure explained: “After installing the patch service to a server or cluster, every container in that environment can exploit it to take over its underlying host.
“For example, if you installed the hot patch to a Kubernetes cluster, every container in your cluster can now escape until you either disable the hot patch or upgrade to the fixed version. Aside from containers, unprivileged processes can also exploit the patch to escalate privileges and gain root code execution.
“Containers can escape regardless of whether they run Java applications, or whether their underlying host runs Bottlerocket, AWS's hardened Linux distribution for containers”, the advisory said.
The new bugs are tracked as CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071.
How the error happened is relatively simple, Unit 42 explained: a process would retrieve a Java binary and inject the hotpatch, but the problem was “that they invoked container binaries without properly containerising them. That is, the new processes would run without the limitations normally applied to container processes.”
The fix also ran as root, regardless of the container’s user, “and without the isolation technologies that would normally confine containers”.
If an attacker included a malicious binary called “java”, it would be invoked by the hotpatch with elevated privileges and could take over the underlying host.
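The failure mode described above, a binary found inside a container being executed as host root and outside the container's namespaces, is visible from the host as a specific combination of process attributes. The following audit script is an added example written for this article; it is not code from Unit 42, AWS or the hotpatch itself. It assumes that pid 1's mount namespace identifies the host, that container root filesystems are mounted under the listed runtime directories, and it uses a constructed process snapshot with a hypothetical service name (`hotpatch-svc`) rather than any real package or process name.

```python
"""Audit a process snapshot for container binaries executed in host context.

A process that was launched from a container's filesystem but without the
container's confinement looks like this from the host: it runs as uid 0,
lives in the host mount namespace, yet its executable sits inside a
container's root filesystem. This script flags that combination.
All paths, namespace ids and process names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: pid 1's mount namespace id identifies the host. On a real node
# obtain it with os.readlink("/proc/1/ns/mnt").
HOST_MNT_NS = "mnt:[4026531840]"

# Assumption: container root filesystems live under these host paths
# (overlay2 for Docker, containerd's task/snapshot dirs). Adjust per runtime.
CONTAINER_ROOTFS_PREFIXES = (
    "/var/lib/docker/overlay2/",
    "/run/containerd/",
    "/var/lib/containerd/",
)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    uid: int      # effective uid
    comm: str
    exe: str      # what readlink /proc/<pid>/exe returns
    mnt_ns: str   # what readlink /proc/<pid>/ns/mnt returns


def parse_status(pid: int, status_text: str, exe: str, mnt_ns: str) -> Proc:
    """Build a Proc from the text of /proc/<pid>/status plus the two symlinks."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    # The Uid line is "real effective saved fs"; the effective uid is what matters.
    euid = int(fields["Uid"].split()[1])
    return Proc(pid, int(fields["PPid"]), euid, fields["Name"], exe, mnt_ns)


def in_container_rootfs(exe: str) -> bool:
    """True if the executable path points into a container's root filesystem."""
    return exe.startswith(CONTAINER_ROOTFS_PREFIXES)


def find_uncontained(procs: Iterable[Proc], host_mnt_ns: str = HOST_MNT_NS) -> List[Proc]:
    """Root processes in the host mount namespace whose binary comes from a container."""
    return [
        p for p in procs
        if p.uid == 0 and p.mnt_ns == host_mnt_ns and in_container_rootfs(p.exe)
    ]


# Constructed snapshot. "hotpatch-svc" is a hypothetical name for a patching
# service; it is not the real package or process name.
SNAPSHOT = [
    parse_status(1, "Name:\tsystemd\nPPid:\t0\nUid:\t0\t0\t0\t0",
                 "/usr/lib/systemd/systemd", HOST_MNT_NS),
    parse_status(900, "Name:\tcontainerd-shim\nPPid:\t1\nUid:\t0\t0\t0\t0",
                 "/usr/bin/containerd-shim-runc-v2", HOST_MNT_NS),
    # A normal containerised JVM: non-root, inside its own mount namespace.
    parse_status(4321, "Name:\tjava\nPPid:\t900\nUid:\t1000\t1000\t1000\t1000",
                 "/usr/bin/java", "mnt:[4026532411]"),
    parse_status(2200, "Name:\thotpatch-svc\nPPid:\t1\nUid:\t0\t0\t0\t0",
                 "/usr/bin/hotpatch-svc", HOST_MNT_NS),
    # The pattern to catch: a "java" started by the service as host root, in
    # the host mount namespace, from a container's overlay filesystem.
    parse_status(5678, "Name:\tjava\nPPid:\t2200\nUid:\t0\t0\t0\t0",
                 "/var/lib/docker/overlay2/3f9c0example/merged/usr/bin/java",
                 HOST_MNT_NS),
]


def audit(procs: Iterable[Proc] = SNAPSHOT) -> List[int]:
    """Return the pids of processes that match the uncontained-binary pattern."""
    return [p.pid for p in find_uncontained(procs)]


if __name__ == "__main__":
    for p in find_uncontained(SNAPSHOT):
        print(f"pid {p.pid} ({p.comm}), parent {p.ppid}: root in host mount "
              f"namespace, executable {p.exe}")
```

On a live node the snapshot would be built by iterating `/proc`, reading each `status` file and the `exe` and `ns/mnt` links as root. The heuristic deliberately keys on the mismatch itself rather than on the name "java", so it also catches any other container binary a host-side service runs without entering the container's namespaces or dropping to the container's user.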
Amazon’s notice acknowledging the error and providing patch instructions is here.