Hot Log4jShell Fix from AWS Needs a Fix on Kubernetes Clusters

Amazon Web Services (AWS) this week, after being alerted by Unit 42 security researchers at Palo Alto Networks, made available an update to a hot fix for the Log4jShell vulnerability found in Java applications created by the cloud service providers that inadvertently made it possible for every container in a Kubernetes cluster to take over the underlying host.

Ariel Zelivansky, director of security research at Unit 42, said it’s not likely that cybercriminals have exploited this vulnerability given the subtlety of the flaw and the level of expertise required to compromise it, but if the original hot fix is not removed from a Kubernetes cluster, a security risk remains. In addition to taking over the underlying host, unprivileged processes can also exploit the patch to escalate privileges along with gaining root code execution. Some IT teams might have applied the latest version of the hot fix from AWS without remembering to remove the original, he noted.

Containers can escape regardless of whether they run Java applications, or whether the host runs Bottlerocket, a hardened Linux distribution for containers from AWS.

AWS created its hot fix for the Log4jShell vulnerability and then made it freely available to any organization running Log4j log management software on any platform. The vulnerability discovered by Unit 42 researchers only affects the version of that hot fix that was made available as a container. The flaw in the fix is not as egregious as the original Log4jShell flaw, and Unit 42 researchers have assigned CVE-2021-3100, CVE-2021-3101, CVE-2022-0070 and CVE-2022-0071 to track the vulnerabilities. Containers running with user namespaces or as a non-root user are affected as well.

The vulnerability discovered by Unit 42 researchers is yet another example of why organizations need to adopt modern IT incident management practices based on DevSecOps principles. Each time there is a zero-day vulnerability of that magnitude of Log4jShell there is always going to be a rush to implement a hot fix before cybercriminals can find and exploit a vulnerability. Each of those fixes, however, has been developed in a rush, so it’s likely they may not have been vetted as well as a patch that has been under development for months. Each fix needs to be reviewed for any potential security flaw, because there was simply not enough time for security experts to test the hot fix before it was applied.

The challenge, of course, is that in the absence of a software build of material (SBOM) many IT teams are unsure of what software modules are running precisely where in distributed IT environments, an issue that is further compounded when containers encapsulating those modules are continuously ripped and replaced.

While most IT teams have some form of an IT incident management capability, most are not designed to deal with zero-day vulnerabilities that, unfortunately, are becoming increasingly more common. IT teams can find themselves spending weeks looking for all the instances of a software package that might have been impacted by a vulnerability that was disclosed with no advance warning. A modern approach to incident management defines a set of best practices that ultimately makes it less stressful to respond to the disclosure of a zero-day vulnerability.

Mike Vizard

Mike Vizard is a veteran IT journalist with more than 25 years of experience covering the technology industry, having previously served as Editor-in-Chief of both CRN and InfoWorld and as editorial director for Ziff-Davis Enterprise, where he oversaw titles including eWEEK, CIO Insight and Baseline. Over his career he has also edited or contributed to a wide range of enterprise technology publications, including IT Business Edge, Channel Insider, ComputerWorld, TMCNet and Digital Review, and he later led editorial for CTOEdge.com. His reporting and analysis span software development, cloud computing, cybersecurity, IT channel strategy and, more recently, artificial intelligence and DevOps practices. A recognized voice in enterprise IT journalism, Vizard is known for tracking emerging technology trends as they move from early adoption into mainstream enterprise use. He now serves as Chief Content Officer for Techstrong Group, where he oversees editorial strategy across the full network — DevOps.com, Security Boulevard, Cloud Native Now, Digital CxO, Techstrong.ai, TechStrong.IT, Techstrong Semi and PlatformEngineering.com — in addition to writing and hosting content for Techstrong TV and the Techstrong Gang podcast.

    Mike Vizard has 1813 posts and counting. See all posts by Mike Vizard