- Amazon Web Services is scrambling to assist customers after security researchers at Palo Alto Networks found severe vulnerabilities in AWS hotpatches that were supposed to protect customers from the Log4Shell vulnerability.
- AWS released a software tool in mid-December designed to patch vulnerabilities found in the Log4j library, however security researchers at Palo Alto's Unit 42 discovered code vulnerabilities that could let attackers break out of a container environment and gain escalated privileges.
- After working with Palo Alto researchers for months, Amazon released a new hotpatch earlier this week, Unit 42 said in research released Tuesday. Unit 42 researcher Yuval Avrahami is urging organizations to review their container environments and upgrade to the fixed version. A large number of users may have downloaded the original hotpatches.
After the Log4j vulnerability was disclosed in early December, numerous vendors released patches to protect customers against potentially catastrophic cyber intrusions.
The vulnerability was considered critical and allowed even an unsophisticated threat actor to gain access to a system by typing in just a few lines of code, without attempting authentication.
Amazon released hotpatches designed to monitor for vulnerable Java applications and containers, according to Unit 42 researchers. The patches were each designed for different environments, including standalone servers, Kubernetes Clusters, Elastic Container Service clusters and Fargate.
Researchers said the hotpatches were not just designed for AWS environments but were designed to work in different cloud and on-premises environments.
A spokesperson for AWS said the company would not comment beyond the release of the security bulletin.
Unit 42 researchers found the vulnerabilities soon after AWS released the tools and immediately contacted AWS, working closely with them to issue the remediated patches, according to Avrahami. Unit 42 has no knowledge of active exploitation, but what it discovered is an example of what can happen when security is not properly monitored.
"This highlights the need for security engineers and researchers to continually look for vulnerabilities in container environments," Avrahami said via email. "Container isolation is difficult, and there are always risks involved when developing solutions that interact with customers."
"This balanced the looming threat with the inherent risks of a quickly built hot patch," Mark Nunnikhoven, distinguished cloud strategist at Lacework, said via email. "Those risks are exactly what the researchers found, more vulnerabilities."
Four months have passed since the Log4j project published the permanent patch, Nunnikhoven said. Therefore, AWS should have withdrawn the temporary fix as the patch and other mitigation measures were underway.
"Any time there's a looming threat, security teams need to balance the risks of each mitigation they deploy," Nunnikhoven said. "In this case, the new research highlights the need for a strong follow-up process after an incident response."