Reply to post: understatement

AWS's Log4j patches blew holes in its own security

yetanotheraoc Silver badge

Amazon can't be trusted with the big gun. But Amazon is going to have to get out the same big gun to fix this one.

Big problem one is not running a "malicious binary named java", it's running the bog-standard binary named java with root privileges on the _host_ server.

Big problem two is that asking all their customers to patch their containers is not sufficient, because it's the ones who **don't want** to patch their containers that they should be worried about.

So it's fine if customers patch, but isn't Amazon going to have to do the same nasty root cleanup in reverse on all the customers who didn't patch?
