AWS-2021-005
Initial Publication Date: 2021/12/10 7:20 PM PDT All updates to this issue have moved here . AWS is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2" utility (CVE-2021-44228). We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service. We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, available at: https://logging.apache.org/log4j/2.x/download.html or their operating system’s software update mechanism. Additional service-specific information is below. If you need additional details or assistance, please contact AWS Support. Amazon EC2 The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228. More information about security-related software updates for Amazon Linux is available at: https://alas.aws.amazon.com . AWS WAF / Shield To improve detection and mitigation of risks arising from the recent Log4j security issue, we have updated the AWSManagedRulesKnownBadInputsRuleSet AMR in the AWS WAF service. Customers o…
Timeline
- Dec 10, 2021 PoC Published
- Dec 11, 2021 CVE Published
- Feb 13, 2025 PoC Published
References
- Apache Log4j2 Issue (CVE-2021-44228) advisory
- https://logging.apache.org/log4j/2.x/download.html web
- https://alas.aws.amazon.com/ web
- https://docs.aws.amazon.com/waf/latest/developerguide/getting-started.html web
- https://docs.aws.amazon.com/waf/latest/developerguide/waf-using-managed-rule-groups.html web
- https://repo1.maven.org/maven2/com/amazonaws/aws-lambda-java-log4j2/ web
- https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-library-install.html web