AWS-2022-006
Initial Publication Date: 2022/04/19 14:30 PST
CVE IDs: CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071

On December 12, 2021, Amazon publicly released a hotpatch for running Java VMs which disables the loading of the Java Naming and Directory Interface (JNDI) class. This hotpatch provides an immediate mitigation for critical issues within the open-source Apache "Log4j2" utility (CVE-2021-44228 and CVE-2021-45046) while allowing system administrators sufficient time to fully patch impacted environments.

Security researchers recently reported issues within this hotpatch and the associated OCI hooks for Bottlerocket ("Hotdog"). We have addressed these issues in a new version of the hotpatch and a new version of Hotdog. We recommend that customers who run Java applications in containers and use either the hotpatch or Hotdog update to the latest versions of the software immediately.

The latest package names and versions of the hotpatch for Amazon Linux and Amazon Linux 2 are as follows:

- Amazon Linux: log4j-cve-2021-44228-hotpatch-1.1-16.amzn1
- Amazon Linux 2: log4j-cve-2021-44228-hotpatch-1.1-16.amzn2

Customers using the hotpatch for Apache Log4j on Amazon Linux …
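A host-side check for the package versions listed above, added here as an example and not part of the AWS bulletin: it parses the `rpm -q` output of the hotpatch package (assumed to have the usual name-version-release.distro shape, e.g. `log4j-cve-2021-44228-hotpatch-1.1-12.amzn2`) and reports whether the installed build is at or above the fixed 1.1-16 release on either Amazon Linux or Amazon Linux 2.

```shell
#!/bin/sh
# Fixed hotpatch version-release from AWS-2022-006 (same on amzn1 and amzn2).
PKG="log4j-cve-2021-44228-hotpatch"
MIN_VR="1.1-16"

# dotted_cmp A B: prints 1, 0 or -1 comparing dotted numeric versions
# (missing trailing components count as 0, so 1.1 == 1.1.0).
dotted_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
    done
    echo 0
}

# hotpatch_is_fixed NVR: 0 if the installed hotpatch is >= 1.1-16,
# 1 if it needs updating, 2 if NVR is not the hotpatch package at all.
hotpatch_is_fixed() {
    nvr=$1
    case $nvr in
        "$PKG"-*) ;;
        *) return 2 ;;
    esac
    vr=${nvr#$PKG-}            # e.g. 1.1-12.amzn2
    vr=${vr%.amzn*}            # drop the distribution tag -> 1.1-12
    ver=${vr%-*}; rel=${vr##*-}
    min_ver=${MIN_VR%-*}; min_rel=${MIN_VR##*-}
    c=$(dotted_cmp "$ver" "$min_ver")
    [ "$c" = 1 ] && return 0
    [ "$c" = -1 ] && return 1
    [ "$rel" -ge "$min_rel" ]  # same version: compare the release number
}

# check_host: query rpm on a live Amazon Linux host and print a verdict.
check_host() {
    nvr=$(rpm -q "$PKG" 2>/dev/null) || { echo "$PKG is not installed"; return 2; }
    if hotpatch_is_fixed "$nvr"; then
        echo "OK: $nvr"
    else
        echo "UPDATE NEEDED: $nvr is older than $PKG-$MIN_VR"; return 1
    fi
}

if [ "${1:-}" = "--host" ]; then check_host; fi
```

Run with `--host` on an Amazon Linux or Amazon Linux 2 instance; the exit status (0 fixed, 1 update needed, 2 not installed) makes it usable from fleet-wide tooling.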
Timeline
- Dec 10, 2021 PoC Published
- Apr 19, 2022 CVE Published