Java
Write Once, Exploit Everywhere
Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation. The vulnerabilities introduced by Amazon's Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity …
Amazon can't be trusted with the big gun. But Amazon is going to have to get out the same big gun to fix this one.
Big problem one is not running a "malicious binary named java", it's running the bog-standard binary named java with root privileges on the _host_ server.
Big problem two is asking all their customers to patch their containers is not sufficient, because it's the ones who **don't want** to patch their containers that they should be worried about.
So it's fine if customers patch, but isn't Amazon going to have to do the same nasty root cleanup in reverse on all the customers who didn't patch?