AWS's Log4j patches blew holes in its own security

Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation. The vulnerabilities introduced by Amazon's Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity …

  1. cyberdemon Silver badge
    Pirate

    Java

    Write Once, Exploit Everywhere

    1. Gene Cash Silver badge

      Re: Java

      Yeah, except it's usually "Write once, Crash everywhere"

    2. sreynolds

      Re: Java

      Time we all reflected on why we decided to use Java, #@,NET and Javascript.

  2. Anonymous Coward
    Anonymous Coward

    All that money that could be used to hire competent staff, and Amazon still has to let someone else find their own screwups. Guess that is what happens when you leech software instead of contributing.

    1. ElRegioLPL

      Let's not pretend the white hat didn't get paid well for this

    2. Version 1.0 Silver badge

      Just an update, which always makes me remember this quote ... "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time." - Bertrand Meyer

    3. Cliffwilliams44 Silver badge

      This is AWS supporting what their customers want to do, "Running JAVA apps in a container". Yeah, they got the fix a bit wrong. The real advice should have been "Stop running JAVA apps in a container!" Unfortunately that isn't something AWS can actually do!

      Just say NO to JAVA!

  3. An_Old_Dog Silver badge
    Unhappy

    Quality Control

    (Management pressure) + (lack-of-good-programmers-applied-to-the-problem) == patches so fresh, they're still steamin'.

  4. Coastal cutie

    Whack-a-mole time...

  5. yetanotheraoc Silver badge

    understatement

    Amazon can't be trusted with the big gun. But Amazon is going to have to get out the same big gun to fix this one.

    Big problem one is not running a "malicious binary named java", it's running the bog-standard binary named java with root privileges on the _host_ server.

    Big problem two is asking all their customers to patch their containers is not sufficient, because it's the ones who **don't want** to patch their containers that they should be worried about.

    So it's fine if customers patch, but isn't Amazon going to have to do the same nasty root cleanup in reverse on all the customers who didn't patch?
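The point made in the comment above is that the dangerous part is a host-side helper executing a binary it found inside a container with the host's root privileges. The following is an added example (not AWS's hotpatch code, and not from the article) showing the two checks such a helper should make before executing anything it discovered in a container: resolve the executable and refuse it if a symlink or `..` takes it outside the container's root, and refuse to run as uid 0 at all. The policy, the function names and the temporary "container root" it builds are assumptions for illustration; the `/proc/<pid>/root/...` path shape is the standard Linux view of a process's root filesystem.

```python
import os
import tempfile
from typing import Optional, Tuple


def resolve_inside_root(container_root: str, exe_path: str) -> Optional[str]:
    """Return the real path of exe_path only if it stays inside container_root.

    exe_path is the host's view of a container binary, e.g.
    /proc/<pid>/root/usr/bin/java. A symlink or '..' that escapes the root
    means the container owner chose what the host would execute.
    """
    root = os.path.realpath(container_root)
    real = os.path.realpath(exe_path)
    if real != root and not real.startswith(root + os.sep):
        return None
    return real


def plan_hotpatch_exec(container_root: str, exe_path: str,
                       target_uid: int, target_gid: int) -> Tuple[bool, str, Optional[dict]]:
    """Hypothetical policy for a host-side patch helper (assumption, not AWS's).

    Returns (ok, reason, plan). The plan carries the uid/gid the helper must
    switch to before exec; it never permits uid 0, so even a binary the
    container owner fully controls runs with that container's privileges.
    """
    if target_uid == 0 or target_gid == 0:
        return False, "refusing to run a container binary as root on the host", None
    real = resolve_inside_root(container_root, exe_path)
    if real is None:
        return False, "executable resolves outside the container root", None
    if not os.path.isfile(real):
        return False, "executable is not a regular file", None
    plan = {"argv": [real], "uid": target_uid, "gid": target_gid}
    return True, "ok", plan


def build_demo_root() -> str:
    """Construct a throwaway 'container root' with two candidate java binaries:
    one real file inside the root and one symlink that escapes to the host."""
    root = tempfile.mkdtemp(prefix="ctr-root-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "opt", "evil"))
    inside = os.path.join(root, "usr", "bin", "java")
    with open(inside, "w") as f:
        f.write("#!/bin/sh\necho constructed java stand-in\n")
    os.chmod(inside, 0o755)
    # Symlink named 'java' pointing at a host binary outside the root.
    os.symlink("/bin/sh", os.path.join(root, "opt", "evil", "java"))
    return root


def demo() -> dict:
    root = build_demo_root()
    results = {}
    results["inside_as_user"] = plan_hotpatch_exec(
        root, os.path.join(root, "usr", "bin", "java"), 1000, 1000)
    results["escaping_symlink"] = plan_hotpatch_exec(
        root, os.path.join(root, "opt", "evil", "java"), 1000, 1000)
    results["inside_as_root"] = plan_hotpatch_exec(
        root, os.path.join(root, "usr", "bin", "java"), 0, 0)
    return results


if __name__ == "__main__":
    for name, (ok, reason, plan) in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({reason}) {plan or ''}")
```

In a real helper the `uid`/`gid` from the plan would be applied with `os.setgid` then `os.setuid` in a `preexec_fn` before the exec, and the path fed in would be `/proc/<pid>/root/<exe>` for the process being patched; the example stops short of executing anything so it can run unprivileged.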
