![]() You can build a layered control approach, and/or pick and choose the controls identified below to help limit your exposure. You can use multiple AWS services to help limit your risk/exposure from the log4j vulnerability. See this security advisory for more details. We recommend that customers who run Java applications in containers, and use either the hotpatch or Hotdog, update to the latest versions of the software immediately. We have addressed these issues within a new version of the hotpatch, and a new version of Hotdog. Steve Schmidt, Chief Information Security Officer for AWS, also discussed this hotpatch Security researchers recently reported issues within this hotpatch, and the associated OCI hooks for Bottlerocket (“Hotdog”). Source: GovCERT.ch, the Computer Emergency Response Team (GovCERT) of the Swiss governmentĪs an immediate response, follow this blog and use the tool designed to hotpatch a running JVM using any log4j 2.0+. The vulnerability uses the Java Naming and Directory Interface (JNDI) which is used by a Java program to find data, typically through a directory, commonly a LDAP directory in the case of this vulnerability.įigure 1, below, highlights the log4j JNDI attack flow.įigure 1. Version 2 of log4j, between versions 2.0-beta-9 and 2.15.0, is affected. This vulnerability allows an attacker to perform a remote code execution on the vulnerable platform. The log4j vulnerability (CVE-2021-44228, CVE-2021-45046) is a critical vulnerability ( CVSS 3.1 base score of 10.0) in the ubiquitous logging platform Apache Log4j. This covers what you can do to limit the risk of the vulnerability, how you can try to identify if you are susceptible to the issue, and then what you can do to update your infrastructure with the appropriate patches. ![]() In this post we will provide guidance to help customers who are responding to the recently disclosed log4j vulnerability. April 21, 2022: The blog post has been updated to include information on the updated version of the hotpatch.
0 Comments
Leave a Reply. |