Monday, December 20, 2021

AWS Log4j Vulnerability


The Log4j security vulnerability hit the world recently, and everyone is working to resolve it immediately. AWS is no exception, and its fixes are listed below.

More information about the Java hot patch is available at https://aws.amazon.com/blogs/security/open-source-hotpatch-for-apache-log4j-vulnerability/

Amazon Connect
Amazon Connect has been updated to mitigate the issues identified in CVE-2021-44228. 

Amazon Chime
Amazon Chime SDK services have been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

Amazon EMR
CVE-2021-44228 impacts Apache Log4j versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Apache Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources. Many customers use the open source frameworks installed on their EMR clusters to process and log inputs from untrusted sources. Therefore, AWS recommends that you apply the solution described here.

Amazon Fraud Detector
Amazon Fraud Detector services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Kendra
Amazon Kendra has been updated to mitigate CVE-2021-44228.

Amazon Lex
Amazon Lex has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Macie
The Amazon Macie service has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Macie Classic
The Amazon Macie Classic service has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Monitron
Amazon Monitron has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon RDS
Amazon RDS and Amazon Aurora have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Rekognition
Amazon Rekognition services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon VPC
Amazon VPC, including Internet Gateway and Virtual Gateway services, has been updated to mitigate the Log4j issue referenced in CVE-2021-44228.

AWS AppSync
AWS AppSync has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

AWS Certificate Manager
AWS Certificate Manager services have been updated to mitigate the issues identified in CVE-2021-44228.

AWS Service Catalog
AWS Service Catalog has been updated to mitigate the issues identified in CVE-2021-44228.

AWS Systems Manager
AWS Systems Manager service has been updated to mitigate the issues identified in CVE-2021-44228. The Systems Manager agent itself is not affected by this issue.


