Amazon Linux server can be hacked easily. Critical Privilege Escalation vulnerability in Log4j Hotpatch released to fix Log4j vulnerabilities

Amazon Linux team is advising its clients about a critical vulnerability affecting Linux servers.  Amazon Linux 2 is a Linux operating system from Amazon Web Services (AWS). It offers a security-focused, stable, and high-performance OS to develop and run cloud applications.

In 2021, critical vulnerabilities in the Java log4j package were published that affected Apache Log4j2, a Java-based logging tool but the most impactful of these was CVE-2021-44228, also known as log4shell.

To fix the above vulnerabilities, Amazon released a Hotpatch for Apache Log4j. Amazon announced the hotpatch called “Amazon Linux package called log4j-cve-2021-44228-hotpatch”

In April 2022, Yuval Avrahami reported that this hotpatch was vulnerable to various impacts including local privilege escalation and container breakout. The bypass of the Hotpatch found by Justin is due to the fact that the path to the “Java” process’ binary is read before its EUID/EGID is extracted. This means that the patching process might take the path to the attacker-controlled binary and then read a higher privilege EUID/EGID in the event of a successful attack.

The advisory states that 

Versions of the Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3-5 are affected by a race condition that could lead to a local privilege escalation.

The Apache Log4j Hotpatch is not a substitute for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046, it provides a temporary mitigation to CVE-2021-44228 by hotpatching local Java virtual machines. To do so, the hotpatch script recurse through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch.

A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom “java” process which performs exec() of a set user ID binary after the hotpatch has observed the process path and before it has observed its effective user ID.

To leverage this issue a user must already have local access to the target system with permissions to run custom programs.

As of now no CVE has been issued for the issue but the solution has been released by Amazon.  The Amazon team released log4j-cve-2021-44228-hotpatch-1.3-5 which includes the fix. It includes defensive controls to the container-based hotpatch  to try to prevent any  race condition vulnerabilities  in the application. Amazon clients  should update to log4j-cve-2021-44228-hotpatch-1.3-5.