Log4j Flaw

The "hotpatch" released by Amazon Web Services (AWS) in response to the Log4Shell vulnerabilities could be leveraged for container escape and privilege escalation, allowing an attacker to seize control of the underlying host.

"Aside from containers, unprivileged processes can also exploit the patch to escalate privileges and gain root code execution," Palo Alto Networks Unit 42 researcher Yuval Avrahami said in a report published this week.


The issues — CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071 (CVSS scores: 8.8) — affect the hotfix solutions shipped by AWS, and stem from the fact that they are designed to search for Java processes and patch them against the Log4j flaw on the fly but without ensuring that the new Java processes are run within the restrictions imposed on the container.

"Any process running a binary named 'java' – inside or outside of a container – is considered a candidate for the hot patch," Avrahami elaborated. "A malicious container therefore could have included a malicious binary named 'java' to trick the installed hot patch solution into invoking it with elevated privileges."

In the subsequent step, the elevated privileges could be weaponized by the malicious 'java' process to escape the container and gain full control over the compromised server.


A rogue unprivileged process, in a similar manner, could have created and executed a malicious binary named "java" to trick the hotpatch service into running it with elevated privileges.

Users are recommended to upgrade to the fixed hotpatch version as soon as possible to prevent potential exploitation, but only after prioritizing patching against the actively exploited Log4Shell flaws.

"Containers are often used as a security boundary between applications running on the same machine," Avrahami said. "A container escape allows an attacker to extend a campaign beyond a single application and compromise neighboring services."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.