CVE-2022-0070
Public on 2022-04-18
Modified on 2022-04-18
Description
The Apache Log4j hotpatch package starting with log4j-cve-2021-44228-hotpatch-1.1-16 will now explicitly mimic the Linux capabilities and cgroups of the target Java process that the hotpatch is applied to.
In order to mimic the Linux capabilities of the target process, HAQM Linux 1 customers need to be running kernel version 4.14.275-142.503 or later, while HAQM Linux 2 customers on ARM need to be running kernel versions 4.14.275-207.503, 5.4.188-104.359, 5.10.109-104.500 or later. HAQM Linux 2 customers on Intel or AMD instances do not need an updated kernel.
In order to mimic the Linux capabilities of the target process, HAQM Linux 1 customers need to be running kernel version 4.14.275-142.503 or later, while HAQM Linux 2 customers on ARM need to be running kernel versions 4.14.275-207.503, 5.4.188-104.359, 5.10.109-104.500 or later. HAQM Linux 2 customers on Intel or AMD instances do not need an updated kernel.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| HAQM Linux 1 | log4j-cve-2021-44228-hotpatch | 2022-04-18 | ALAS-2022-1580 | Fixed |
| HAQM Linux 2 - Core | log4j-cve-2021-44228-hotpatch | 2022-04-18 | ALAS2-2022-1773 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| HAQM Linux | CVSSv3 | 8.8 | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| NVD | CVSSv2 | 7.2 | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| NVD | CVSSv3 | 8.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |