Read our latest security bulletins here.
  1. Reported AWS CloudFormation Issue

    Initial Publication Date: 2022/01/13 13:00 PST

    Security researchers recently identified and reported an issue in AWS CloudFormation. Specifically, the reported issue was in the AWS CloudFormation service itself: it allowed some local configuration files on an AWS-internal host to be viewed, and allowed unauthenticated HTTP GET requests to be issued from that same host. The researchers used the HTTP GET capability to obtain a set of locally accessible credentials specific to the host. Neither the local configuration file access nor the host-specific credentials permitted access to any customer data or resources.

    AWS took immediate action to correct this issue when it was reported and verified that the technique described by the researchers could not be used to access customer data or resources. Extensive log analysis has verified that the researchers' activity was limited to the specific AWS CloudFormation host. AWS customers were not impacted by this reported concern, and no customer action is required.

    We would like to thank Orca Security for reporting this issue.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  2. Reported AWS Glue Issue

    Initial Publication Date: 2022/01/13 13:00 PST

    A security researcher recently reported an issue that allowed them to take actions as the AWS Glue service. Using an AWS Glue feature, the researchers obtained credentials specific to the service itself, and an AWS-internal misconfiguration permitted the researchers to use these credentials as the AWS Glue service. There is no way that this could have been used to affect customers who do not use the AWS Glue service.

    No customer action is required.

    AWS moved immediately to correct this issue when it was reported. Analysis of logs going back to the launch of the service has been conducted, and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer's accounts were impacted. All actions taken by AWS Glue in a customer's account are logged in CloudTrail records controlled and viewable by customers.

    We would like to thank Orca Security for reporting this issue.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  3. AWSSupportServiceRolePolicy Informational Update

    Between December 21, 2021 at 23:48 UTC and December 22, 2021 at 08:23 UTC, the policy used by AWS Support automated systems (AWSSupportServiceRolePolicy) inadvertently included the s3:GetObject permission. This change has been reverted. While this permission was temporarily present, it was not and could not be used: only a tightly controlled set of AWS Support systems may assume the AWSSupportService role, and these systems do not provide the capability to access S3 objects even if permission is granted to the role. Regardless, we are implementing additional safeguards to prevent the Support policy from inadvertently granting data access permissions. All changes to AWS managed policies are publicly visible, and all access to S3 objects is recorded in S3 server access logs and CloudTrail data events.

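
    Because managed policy versions are public, the check a practitioner wants here is a diff of two policy documents that answers "did the new version start granting a data-access action, even through a wildcard such as s3:Get* or a NotAction?". The following is an added example written for this page, not AWS tooling and not the real AWSSupportServiceRolePolicy: the three policy documents are constructed stand-ins, the watch-list of data-access actions beyond s3:GetObject is this example's own choice, and it deliberately ignores Resource and Condition so that any grant at all surfaces. The JSON text for real versions can be taken from the Document field returned by the aws iam get-policy-version command.

```python
import fnmatch
import json

# Watch-list for this check: actions a support/service role should not be able to
# use against customer data. s3:GetObject is the one the bulletin names; the others
# are this example's additions, chosen to exercise the wildcard handling.
DATA_ACCESS_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "dynamodb:GetItem"]


def _as_list(value):
    """IAM allows either a string or a list in Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_effect_on(stmt, action):
    """Return 'Allow', 'Deny' or None for one statement.

    Resource and Condition are deliberately ignored (assumption of this example): for a
    service-role policy, any grant of a data-access action is worth a finding, however scoped.
    """
    actions = _as_list(stmt.get("Action"))
    not_actions = _as_list(stmt.get("NotAction"))
    if actions:
        covered = any(_action_matches(p, action) for p in actions)
    elif not_actions:
        covered = not any(_action_matches(p, action) for p in not_actions)
    else:
        covered = False
    return stmt.get("Effect") if covered else None


def policy_grants(policy, action):
    """An explicit Deny anywhere in the policy overrides an Allow, as in IAM evaluation."""
    effects = {statement_effect_on(s, action) for s in _as_list(policy.get("Statement"))}
    return "Allow" in effects and "Deny" not in effects


def data_access_grants(policy, watch=DATA_ACCESS_ACTIONS):
    """Actions from the watch-list that this policy document allows."""
    return [a for a in watch if policy_grants(policy, a)]


def new_data_access_grants(old_json, new_json, watch=DATA_ACCESS_ACTIONS):
    """Watch-list actions granted by the new policy document but not by the old one.

    Both arguments are policy documents as JSON text, e.g. the 'Document' field of two
    'aws iam get-policy-version' results for consecutive versions of the same policy.
    """
    old_grants = set(data_access_grants(json.loads(old_json), watch))
    new_grants = set(data_access_grants(json.loads(new_json), watch))
    return sorted(new_grants - old_grants)


# Constructed sample documents. They are NOT the real AWSSupportServiceRolePolicy,
# only stand-ins shaped like a read-only support policy.
BASELINE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:ListBucket"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
})

# The same document with the object-read permission slipped into the first statement.
SLIPPED_IN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:ListBucket", "s3:GetObject"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
})

# A broader variant: "s3:Get*" grants s3:GetObject without ever naming it.
WILDCARDED = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
})

if __name__ == "__main__":
    print("baseline grants:", data_access_grants(json.loads(BASELINE)))
    print("new grants, slipped-in version:", new_data_access_grants(BASELINE, SLIPPED_IN))
    print("new grants, wildcarded version:", new_data_access_grants(BASELINE, WILDCARDED))
```

    The wildcard and NotAction handling is the point: a reviewer who only greps a policy diff for the literal string s3:GetObject misses both "s3:Get*" and a NotAction statement that excludes everything except IAM. Resource and Condition are ignored on purpose, so the check over-reports rather than under-reports; for a service-role policy that is the right direction.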
  4. Update for Apache Log4j2 Issue (CVE-2021-44228)

    [V6] Last Updated Date: 2021/12/17 1:50 PM PST

    AWS is aware of the recently disclosed issues relating to the open-source Apache Log4j2 utility (CVE-2021-44228 and CVE-2021-45046).

    Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers’ data and workloads.

    We've taken this issue very seriously, and our world-class team of engineers has fully deployed the Amazon-developed Java hot patch available here to all AWS services. The hot patch updates the Java VM to disable the loading of the Java Naming and Directory Interface (JNDI) class, replacing it with a harmless notification message, which mitigates CVE-2021-44228 and CVE-2021-45046. We will shortly complete our deployment of the updated Log4j library to all of our services. More information about the Java hot patch is available at https://aws.amazon.com/blogs/security/open-source-hotpatch-for-apache-log4j-vulnerability/.

    Even with this hot patch deployed, customers should still deploy an updated Log4j library as quickly as they safely can, like we’re doing across AWS.

    For more details on how to detect and remediate the Log4j CVEs using AWS services, please read our most recent blog post here.

    No further service-specific updates are required after this final bulletin.

    If you need additional details or assistance, please contact AWS Support.

    Amazon Connect

    Amazon Connect has been updated to mitigate the issues identified in CVE-2021-44228.

    We recommend customers evaluate components of their environment which are outside of the Amazon Connect service boundary (such as Lambda functions that are called from contact flows) which may require separate/additional customer mitigation.

    Amazon Chime

    Amazon Chime SDK services have been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

    Amazon Chime services have been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

    Amazon EMR

    CVE-2021-44228 impacts Apache Log4j versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Apache Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources. Many customers use the open source frameworks installed on their EMR clusters to process and log inputs from untrusted sources. Therefore, AWS recommends that you apply the solution described here.

    Amazon Fraud Detector

    Amazon Fraud Detector services have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Kendra

    Amazon Kendra has been updated to mitigate CVE-2021-44228.

    Amazon Lex

    Amazon Lex has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Lookout for Equipment

    Amazon Lookout for Equipment has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Macie

    The Amazon Macie service has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Macie Classic

    The Amazon Macie Classic service has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Monitron

    Amazon Monitron has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon RDS

    Amazon RDS and Amazon Aurora have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Rekognition

    Amazon Rekognition services have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon VPC

    Amazon VPC, including the Internet Gateway and Virtual Gateway services, has been updated to mitigate the Log4j issue referenced in CVE-2021-44228.

    AWS AppSync

    AWS AppSync has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

    AWS Certificate Manager

    AWS Certificate Manager services have been updated to mitigate the issues identified in CVE-2021-44228.

    ACM Private CA services have been updated to mitigate the issues identified in CVE-2021-44228.

    AWS Service Catalog

    AWS Service Catalog has been updated to mitigate the issues identified in CVE-2021-44228.

    AWS Systems Manager

    The AWS Systems Manager service has been updated to mitigate the issues identified in CVE-2021-44228. The Systems Manager agent itself is not affected by this issue.

    [V5] Last Updated Date: 2021/12/16 3:15 PM PST

    AWS is aware of the recently disclosed issues relating to the open-source Apache Log4j2 utility (CVE-2021-44228 and CVE-2021-45046).

    Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers’ data and workloads. We're taking this issue very seriously, and our world-class team of engineers has been working around the clock on our response and remediation. We expect to rapidly restore our full state of defense in depth.

    One of the technologies we’ve developed and deployed extensively inside AWS is a hot patch for applications that may include Log4j. This hot patch updates the Java VM to disable the loading of the Java Naming and Directory Interface (JNDI) class, replacing it with a harmless notification message, which is an effective mitigation of CVE-2021-44228 and CVE-2021-45046.

    We’ve also made this available as an open-source solution, which is available here.

    Even with this hot patch deployed, customers should still deploy an updated Log4j library as quickly as they safely can.

    For more details on how to detect and remediate the Log4j CVEs using AWS services, please read our most recent blog post here.

    Additional service-specific information is provided below. If you need additional details or assistance, please contact AWS Support.

    Amazon EKS, Amazon ECS, and AWS Fargate

    To help mitigate the impact of the open-source Apache Log4j2 utility security issues (CVE-2021-44228 and CVE-2021-45046) on customers' containers, Amazon EKS, Amazon ECS, and AWS Fargate are deploying a Linux-based update (hot patch). This hot patch requires customer opt-in and disables JNDI lookups from the Log4j2 library in customers' containers. These updates are available as an Amazon Linux package for Amazon ECS customers and as a DaemonSet for Kubernetes users on AWS, and will be included in supported AWS Fargate platform versions.

    Customers running Java-based applications on Windows containers are advised to follow Microsoft's guidance here.

    Amazon ECR Public and Amazon ECR

    Amazon-owned images published under a Verified Account on Amazon ECR Public are not affected by the issue described in CVE-2021-44228. For customer-owned images on Amazon ECR, AWS offers Enhanced Scanning with Amazon Inspector, which is designed to continually scan container images for known security issues, including container images containing CVE-2021-44228. Findings are reported in the Inspector and ECR consoles. Inspector includes a free 15-day trial with container image scanning for accounts new to Inspector. For customers consuming images in ECR Public from third-party publishers, the recently launched Pull Through Cache feature of ECR can be used to copy those images from ECR Public into their own ECR registry, where Inspector scanning can detect security issues.

    Amazon Cognito

    Amazon Cognito services have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Pinpoint

    Amazon Pinpoint services have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon EventBridge

    Amazon EventBridge has been updated to mitigate the issues identified in CVE-2021-44228.

    Elastic Load Balancing

    Elastic Load Balancing services have been updated to mitigate the issues identified in CVE-2021-44228. The load balancers themselves, whether Classic, Application, Network or Gateway, are not written in Java and therefore were not affected by this issue.

    AWS CodePipeline

    AWS CodePipeline has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

    AWS CodeBuild

    AWS CodeBuild has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

    Amazon Route 53

    Route 53 has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Linux

    Amazon Linux 1 (AL1) and Amazon Linux 2 (AL2) by default use a Log4j version that is not affected by CVE-2021-44228 or CVE-2021-45046. A new version of the Amazon Kinesis Agent, which is part of AL2, addresses CVE-2021-44228 and CVE-2021-45046. Additionally, to help customers who bring in their own Log4j code, Amazon Linux has released a new package that includes the hot patch for Apache Log4j. More details can be found here.

    Amazon SageMaker

    Amazon SageMaker completed patching for the Apache Log4j2 issue (CVE-2021-44228) on December 15, 2021.

    We continue to recommend that our customers take action to update all their applications and services by patching for known issues like this one. Customers who need to take action on this issue received detailed instructions via the Personal Health Dashboard (PHD). Even if you are not affected by the Log4j issue, we recommend that you restart your job or update your app to use the latest version of our software.

    Amazon Athena

    Amazon Athena has been updated to mitigate the issues identified in CVE-2021-44228. All versions of the Amazon Athena JDBC driver vended to customers were not affected by this issue.

    AWS Certificate Manager

    AWS Certificate Manager services have been updated to mitigate the issues identified in CVE-2021-44228.

    ACM Private CA services have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon AppFlow

    Amazon AppFlow has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Polly

    Amazon Polly has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon QuickSight

    Amazon QuickSight has been updated to mitigate the issues identified in CVE-2021-44228.

    AWS Textract

    AWS Textract services have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Corretto

    The latest Amazon Corretto released October 19th is not affected by CVE-2021-44228 since the Corretto distribution does not include Log4j. We recommend that customers update to the latest version of Log4j in all of their applications that use it, including direct dependencies, indirect dependencies, and shaded jars.
     

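    The Corretto note above makes the practical point: the JDK does not ship Log4j, so exposure comes from what the application bundles, including indirect dependencies and shaded or nested jars that a dependency tree will not show. An inventory check therefore has to open the archives themselves. The following is an added example for this page, not AWS code and not how Amazon Inspector works internally: it walks a JAR and any JARs nested inside it, reads the log4j-core version from Maven's pom.properties, classifies it against the two CVEs this bulletin covers (treating 2.16.0 and later, and the 2.12.2 and 2.3.1 backports, as fixed), and notes whether JndiLookup.class is still present, since removing that class was a widely used interim mitigation. The fat jar it scans is constructed in memory for the example; shaded jars that relocate the org.apache.logging.log4j package would need a different signature and are out of scope here.

```python
import io
import re
import sys
import zipfile

LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def classify(version):
    """Map a log4j-core version to the CVEs from this bulletin that still apply to it.

    Only CVE-2021-44228 and CVE-2021-45046 are considered, matching the page.
    2.16.0+ carries the fix, as do the 2.12.2 (Java 7) and 2.3.1 (Java 6) backports.
    """
    v = parse_version(version)
    if v is None or v < (2, 0, 0):
        return []  # Log4j 1.x is out of scope for these two CVEs
    if v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0):
        return []
    if v >= (2, 15, 0):
        return ["CVE-2021-45046"]
    return ["CVE-2021-44228", "CVE-2021-45046"]


def scan_archive(data, path=""):
    """Recursively inspect a JAR held in memory and every archive nested inside it.

    Returns a list of (path, version, cves, jndi_lookup_present) findings, one per
    archive that carries log4j-core metadata or the JndiLookup class.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if LOG4J_CORE_POM in names:
        for line in zf.read(LOG4J_CORE_POM).decode("utf-8", "replace").splitlines():
            key, _, val = line.partition("=")
            if key.strip() == "version":
                version = val.strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        # Unknown version but the lookup class is present: assume affected until proven otherwise.
        cves = classify(version) if version else ["CVE-2021-44228", "CVE-2021-45046"]
        findings.append((path or "<root>", version, cves, has_jndi))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(scan_archive(zf.read(name), f"{path}/{name}" if path else name))
    return findings


def report(data, path=""):
    """One line per archive that is still affected; fixed versions produce no line."""
    lines = []
    for where, version, cves, has_jndi in scan_archive(data, path):
        if not cves:
            continue
        status = "AFFECTED" if has_jndi else "version affected but JndiLookup.class removed"
        lines.append(f"{where}: log4j-core {version or '?'} {status} ({', '.join(cves)})")
    return lines


def build_jar(entries):
    """Construct an in-memory JAR from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_fat_jar():
    """Constructed sample: an app jar bundling a vulnerable 2.14.1, a fixed 2.16.0,
    and a 2.14.1 from which JndiLookup.class was stripped by hand."""
    vulnerable = build_jar({LOG4J_CORE_POM: b"version=2.14.1\nartifactId=log4j-core\n",
                            JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})
    fixed = build_jar({LOG4J_CORE_POM: b"version=2.16.0\n", JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})
    stripped = build_jar({LOG4J_CORE_POM: b"version=2.14.1\n"})
    return build_jar({"com/example/App.class": b"\xca\xfe\xba\xbe",
                      "lib/log4j-core-2.14.1.jar": vulnerable,
                      "lib/log4j-core-2.16.0.jar": fixed,
                      "lib/log4j-core-2.14.1-stripped.jar": stripped})


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:  # no arguments: scan the constructed sample
        print("\n".join(report(sample_fat_jar(), "sample.jar")))
    for target in targets:
        with open(target, "rb") as fh:
            print("\n".join(report(fh.read(), target)))
```

    Run it with one or more paths to real jars, wars or ears; without arguments it scans the constructed sample and lists the two archives that still matter. A version-only check would have flagged the stripped 2.14.1 as vulnerable and a class-only check would have passed the 2.15.0 line, which is why both signals are reported side by side.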
    [V4] Last Updated Date: 2021/12/15 3:30 PM PST

    AWS is aware of the recently disclosed security issue relating to the open-source Apache Log4j2 utility (CVE-2021-44228).

    Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers’ data and workloads. We're taking this issue very seriously, and our world-class team of engineers has been working around the clock on our response and remediation. We expect to rapidly restore our full state of defense in depth.

    One of the technologies we’ve developed and deployed is a hot patch for applications that may include Log4j. We’ve also made this available as an open-source solution, which is available here.

    Even with this hot patch deployed, customers should still plan on deploying an updated Log4j library as quickly as they safely can.

    Additional service-specific information is provided below. If you need additional details or assistance, please contact AWS Support.

    Amazon Kinesis

    A new version of the Kinesis Agent, which addresses the recently disclosed Apache Log4j2 library issue (CVE-2021-44228), is available here.

    Amazon Inspector

    The Amazon Inspector service is patched against the Log4j issue.

    The Inspector service helps detect CVE-2021-44228 (Log4Shell) issues within customer EC2 workloads and ECR images. Detections are currently available for impacted operating system level packages on Linux. These include, but are not limited to, apache-log4j2 and liblog4j2-java for Debian; log4j, log4jmanual and log4j12 for SUSE; and Elasticsearch for Alpine, Centos, Debian, Red Hat, SUSE and Ubuntu. Additional detections will be added as further impacts are identified by respective distribution security teams. Inspector decomposes Java archives stored within ECR images and generates findings for impacted packages or applications. These findings will be identified in the Inspector console under “CVE-2021-44228” or “IN1-JAVA-ORGAPACHELOGGINGLOG4J-2314720 - org.apache.logging.log4j:log4j-core”.

    Amazon Inspector Classic

    The Amazon Inspector Classic service is patched against the Log4j issue.

    The Inspector Classic service helps detect CVE-2021-44228 (Log4Shell) issues within customer EC2 workloads. Detections for CVE-2021-44228 (Log4Shell) are currently available for impacted operating system level packages on Linux. These include, but are not limited to, apache-log4j2 and liblog4j2-java for Debian; log4j, log4jmanual and log4j12 for SUSE; and Elasticsearch for Alpine, Centos, Debian, Red Hat, SUSE and Ubuntu.

    Amazon WorkSpaces/AppStream 2.0

    Amazon WorkSpaces and AppStream 2.0 are not affected by CVE-2021-44228 with default configurations. The default Amazon Linux 2 images of WorkSpaces and AppStream do not contain Log4j, and the versions of Log4j available in the Amazon Linux 2 default package repositories are not affected by CVE-2021-44228. However, if you have deployed the WorkDocs Sync client to Windows WorkSpaces, please take the actions recommended below.

    Windows WorkSpaces by default do not have WorkDocs Sync installed. However, before June 2021 WorkSpaces shipped with a default desktop shortcut to the WorkDocs Sync client installer. WorkDocs Sync client version 1.2.895.1 (and older) contains the Log4j component. If you have deployed the old WorkDocs Sync client versions to WorkSpaces, please restart the Sync client on WorkSpaces via management tools like SCCM, or instruct your WorkSpaces users to manually open the Sync client ("Amazon WorkDocs" in the list of installed programs). At launch, the Sync client will auto-update to the latest version, 1.2.905.1, which is not affected by CVE-2021-44228. The WorkDocs Drive and WorkDocs Companion applications are not affected by the issue.

    Amazon Timestream

    Amazon Timestream has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon DocumentDB

    As of December 13, 2021, Amazon DocumentDB has been patched to mitigate the Log4j issue referenced in CVE-2021-44228.

    Amazon CloudWatch

    Amazon CloudWatch services have been updated to mitigate the issues identified in CVE-2021-44228.

    AWS Secrets Manager

    AWS Secrets Manager has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Single Sign-On

    Amazon Single Sign-On services have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon RDS Oracle

    Amazon RDS Oracle has updated the version of Log4j2 in use within the service. Access to RDS instances continues to be restricted by your VPCs and other security controls such as security groups and network access control lists (ACL). We strongly encourage you to review these settings to ensure proper access management to your RDS instances.

    Per Oracle Support document 2827611.1, the Oracle database itself is not affected by this issue.

    Amazon Cloud Directory

    Amazon Cloud Directory has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Simple Queue Service (SQS)

    Amazon Simple Queue Service (SQS) completed patching for the Apache Log4j2 issue (CVE-2021-44228) for SQS’s data ingress and egress on December 13, 2021. We have also completed patching all other SQS systems that used Log4j2.

    AWS KMS

    AWS KMS has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Redshift

    Amazon Redshift clusters have been automatically updated to mitigate the issues identified in CVE-2021-44228.

    AWS Lambda

    AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228 and CVE-2021-45046.

    For cases where a customer function includes an impacted Log4j2 version, we have applied a change to the Lambda Java managed runtimes and base container images (Java 8, Java 8 on AL2, and Java 11) that helps to mitigate the issues in CVE-2021-44228 and CVE-2021-45046. Customers using managed runtimes will have the change applied automatically. Customers using container images will need to rebuild from the latest base container image, and redeploy.

    Independent of this change, we strongly encourage all customers whose functions include Log4j2 to update to the latest version. Specifically, customers using the aws-lambda-java-log4j2 library in their functions should update to version 1.4.0 and redeploy their functions. This version updates the underlying Log4j2 utility dependencies to version 2.16.0. The updated aws-lambda-java-log4j2 binary is available at the Maven repository and its source code is available in Github.

    [V3] Last Updated Date: 2021/12/14 2:45 PM PST

    AWS is aware of the recently disclosed security issue relating to the open-source Apache Log4j2 utility (CVE-2021-44228).

    Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers' data and workloads. We're taking this issue very seriously, and our world-class team of engineers has been working around the clock on our response and remediation. We expect to rapidly restore our full state of defense in depth.

    We continue to recommend that our customers take action to update all their applications and services by patching for known issues like this one, and that they continue to follow our Well-Architected guidance.

    Additional service-specific information is provided below. If you need additional details or assistance, please contact AWS Support.

    Amazon API Gateway

    As of December 13, 2021, all Amazon API Gateway hosts have been patched to mitigate the Log4j issue referenced in CVE-2021-44228.

    Amazon CloudFront

    Amazon CloudFront services have been updated to mitigate the issues identified in CVE-2021-44228. The CloudFront request handling services that run in our POPs are not written in Java and therefore were not affected by this issue.

    Amazon Connect

    Amazon Connect services have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon DynamoDB

    Amazon DynamoDB and Amazon DynamoDB Accelerator (DAX) have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon EC2

    The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228. More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.

    Amazon ElastiCache

    Amazon ElastiCache’s Redis engine does not include Log4j2 in its managed runtimes or base container images. Amazon ElastiCache completed patching the Apache Log4j2 issue (CVE-2021-44228) on December 12, 2021.

    Amazon EMR

    CVE-2021-44228 impacts Apache Log4j versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Apache Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources.

    We are actively working on building an update that mitigates the issue discussed in CVE-2021-44228 when open source frameworks installed on your EMR cluster process information from untrusted sources.

    AWS IoT SiteWise Edge

    Updates for all AWS IoT SiteWise Edge components that use Log4j were made available for deployment on 12/13/2021. These components are: OPC-UA collector (v2.0.3), Data processing pack (v2.0.14), and Publisher (v2.0.2). AWS recommends that customers who are using these components deploy the latest versions to their SiteWise Edge gateways.

    Amazon Keyspaces (for Apache Cassandra)

    Amazon Keyspaces (for Apache Cassandra) has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Kinesis Data Analytics

    The versions of Apache Flink supported by Amazon Kinesis Data Analytics include Apache Log4j versions between 2.0 and 2.14.1. Kinesis Data Analytics applications operate in single-tenant, isolated environments and cannot interact with one another.

    We are updating the version of Log4j available to Kinesis Data Analytics customer applications in all AWS regions. Applications started or updated after 6:30 PM PST on 12/12/2021 will automatically receive the updated patch. Customers whose applications were started or updated before then can ensure that their applications run on the updated version of Log4j by calling the Kinesis Data Analytics UpdateApplication API. More information about the UpdateApplication API is available within the service’s documentation.

    Amazon Kinesis Data Streams

    We are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.X and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version and we strongly recommend that all KCL version 1.x customers upgrade to KCL version 1.14.5 (or higher) which is available here.

    Amazon Managed Streaming for Apache Kafka (MSK)

    We are aware of the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library and are applying updates as required. Please note that the builds of Apache Kafka and Apache ZooKeeper offered in MSK currently use Log4j 1.2.17, which is not affected by this issue. Some MSK-specific service components use the Log4j 2.x library and are being patched where needed.

    Amazon Managed Workflows for Apache Airflow (MWAA)

    MWAA has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MWAA service code (AWS specific) and open source code (Apache Airflow).

    As of Dec 14, 2021, we have completed all required updates to the MWAA service code to address the issue. Apache Airflow does not use Log4j2 and is not affected by this issue.

    We strongly encourage customers who have added Log4j2 to their environments to update to the latest version.

    Amazon MemoryDB for Redis

    Amazon MemoryDB for Redis completed patching the Apache Log4j2 issue (CVE-2021-44228) on December 12, 2021.

    Amazon MQ

    Amazon MQ has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MQ service code (AWS specific) and open source code (Apache ActiveMQ and RabbitMQ message brokers).

    As of Dec 13, 2021, we have completed all required updates to the Amazon MQ service code to address the issue.

    There are no updates required to the open source message brokers. All versions of Apache ActiveMQ offered in Amazon MQ use Log4j version 1.2.x, which is not affected by this issue. RabbitMQ does not use Log4j and is not affected by this issue.

    Amazon Neptune

    All active Amazon Neptune clusters have been automatically updated to mitigate the issues identified in CVE-2021-44228.

    Amazon OpenSearch Service

    Amazon OpenSearch Service has released a critical service software update, R20211203-P2, that contains an updated version of Log4j2 in all regions. We strongly recommend that customers update their OpenSearch clusters to this release as soon as possible.

    Amazon RDS

    Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j2 library. Where upstream vendors are involved, we are applying their recommended mitigation. Customers may observe intermittent events during update of internal components.

    Amazon S3

    Amazon S3 completed patching for the Apache Log4j2 issue (CVE-2021-44228) for S3’s data ingress and egress on December 11, 2021. We have also completed patching all other S3 systems that used Log4j2.

    Amazon Simple Notification Service (SNS)

    Amazon SNS systems that serve customer traffic are patched against the Log4j2 issue. We are working to apply the Log4j2 patch to sub-systems that operate separately from SNS’s systems that serve customer traffic.

    Amazon Simple Workflow Service (SWF)

    Amazon Simple Workflow Service (SWF) has been updated to mitigate the issues identified in CVE-2021-44228.

    AWS CloudHSM

    AWS CloudHSM JCE SDK versions earlier than 3.4.1 include a version of Apache Log4j affected by this issue. On December 10, 2021, CloudHSM released JCE SDK v3.4.1 with a fixed version of Apache Log4j. If you use CloudHSM JCE versions earlier than 3.4.1, you may be impacted and should mitigate the issue by upgrading the CloudHSM JCE SDK to version 3.4.1 or higher.

    AWS Elastic Beanstalk

    AWS Elastic Beanstalk installs Log4j from the Amazon Linux default package repositories in its Tomcat platforms for Amazon Linux 1 and Amazon Linux 2. The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.

    If you have made configuration changes to your application’s use of Log4j, then we recommend that you take action to update your application’s code to mitigate this issue.

    In accordance with our normal practices, if patched versions of these default package repository versions are released, Elastic Beanstalk will include the patched version in the next Tomcat platform version release for Amazon Linux 1 and Amazon Linux 2.

    More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.

    AWS Glue

    AWS Glue is aware of the recently disclosed security issue relating to the open-source Apache Log4j2 utility (CVE-2021-44228). We have updated our control plane fleet that serves AWS Glue APIs for all supported Glue versions.

    AWS Glue creates a new Spark environment that is isolated at the network and management level from all other Spark environments inside the AWS Glue service account. Your ETL jobs are executed on a single tenant environment. If you have uploaded a custom jar file for use in your ETL jobs or Development Endpoints which includes a specific version of Apache Log4j, then you are advised to update your jar to use the latest version of Apache Log4j.

    AWS Glue is also proactively applying the updates to new Spark environments across all supported regions. If you have questions or would like additional assistance, please contact AWS Support.

    AWS Greengrass

    Updates for all AWS Greengrass V2 components that use Log4j are available for deployment as of 12/10/2021. These components are: Stream Manager (2.0.14) and Secure Tunneling (1.0.6). AWS recommends that customers who are using these Greengrass components deploy the latest versions to their devices.

    The Stream Manager feature of Greengrass versions 1.10.x and 1.11.x uses Log4j. An update for the Stream Manager feature is included in Greengrass patch versions 1.10.5 and 1.11.5, which are both available as of 12/12/2021. We strongly recommend that customers on versions 1.10.x and 1.11.x who have Stream Manager enabled on their devices (or may enable it in the future) update their devices to the latest versions.

    AWS Lake Formation

    AWS Lake Formation service hosts are being updated to the latest version of Log4j to address the issue with versions referenced in CVE-2021-44228.

    AWS Lambda

    AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228. Customers using the aws-lambda-java-log4j2 library in their functions will need to update to version 1.3.0 and redeploy.

    AWS SDK

    The AWS SDK for Java uses a logging facade, and does not have a runtime dependency on Log4j. We do not currently believe any AWS SDK for Java changes need to be made regarding this issue. The facade binds to whatever logging implementation the application supplies, so customers should still check their own application's dependencies for an affected version of log4j-core.

    AWS Step Functions

    AWS Step Functions has been updated to mitigate the issues identified in CVE-2021-44228.

    AWS Web Application Firewall (WAF)

    To improve detection and mitigation relating to the recent Log4j security issue, customers of CloudFront, Application Load Balancer (ALB), API Gateway, and AppSync can optionally enable AWS WAF and apply two AWS Managed Rules (AMR): AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList.

    AWSManagedRulesKnownBadInputsRuleSet inspects the request URI, body, and commonly used headers, while AWSManagedRulesAnonymousIpList helps block requests from services that allow the obfuscation of viewer identity. You can apply these rules by creating an AWS WAF web ACL, adding one or both rule groups to your web ACL, and then associating the web ACL with your CloudFront distribution, ALB, API Gateway or AppSync GraphQL APIs.

    We continue to iterate the AWSManagedRulesKnownBadInputsRuleSet rule group as we learn more. To receive automatic updates to AWSManagedRulesKnownBadInputsRuleSet, choose the default version of the rule group. Customers using AWS WAF Classic will need to migrate to AWS WAF (wafv2) or create custom regex match conditions. Customers can use AWS Firewall Manager, which enables you to configure AWS WAF rules across multiple AWS accounts and resources from a single place: you can group rules, build policies, and centrally apply those policies across your entire infrastructure.
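    As an added example (not code from this AWS bulletin), the following Python builds the wafv2 CreateWebACL request described above with both AWS Managed Rule groups, leaving the rule-group version unset so the default (auto-updated) version is used, and shows how the ACL would be created and attached to a regional resource with boto3. The ACL name, region and resource ARN are placeholders chosen for illustration; the boto3 calls need AWS credentials and are not exercised offline.

```python
"""Added example (not AWS bulletin code): build an AWS WAF (wafv2) web ACL that
applies the two AWS Managed Rule groups named in the bulletin. The ACL name,
ARN and region used below are illustrative placeholders."""

# Rule-group names exactly as AWS publishes them; the vendor name is always "AWS".
LOG4J_MANAGED_RULE_GROUPS = (
    "AWSManagedRulesKnownBadInputsRuleSet",  # inspects URI, body and common headers
    "AWSManagedRulesAnonymousIpList",        # blocks anonymising proxies, VPNs, Tor exits
)


def managed_rule(name: str, priority: int, count_only: bool = False) -> dict:
    """One web ACL rule that references an AWS Managed Rule group.

    Leaving "Version" out of the statement selects the rule group's default
    version, which is what gives you AWS's automatic updates. OverrideAction
    None keeps each rule's own action (block); Count stages the group so you
    can review sampled requests before it starts blocking.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name},
        },
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def build_log4j_web_acl(acl_name: str, scope: str, count_only: bool = False) -> dict:
    """Return the keyword arguments for wafv2 CreateWebACL.

    scope is REGIONAL for ALB, API Gateway and AppSync, or CLOUDFRONT for a
    distribution (CloudFront-scoped ACLs must be created in us-east-1).
    """
    if scope not in ("REGIONAL", "CLOUDFRONT"):
        raise ValueError("scope must be REGIONAL or CLOUDFRONT")
    return {
        "Name": acl_name,
        "Scope": scope,
        "DefaultAction": {"Allow": {}},  # only the managed rules block
        "Rules": [
            managed_rule(group, priority, count_only)
            for priority, group in enumerate(LOG4J_MANAGED_RULE_GROUPS)
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": acl_name,
        },
    }


def create_and_associate(acl_name: str, scope: str, resource_arn: str = "",
                         region: str = "us-east-1", count_only: bool = False) -> str:
    """Create the web ACL with boto3 and, for REGIONAL scope, attach it to the
    ALB / API Gateway stage / AppSync API given by resource_arn. Needs AWS
    credentials, so it is not run offline. A CLOUDFRONT-scoped ACL is attached
    by setting the distribution's WebACLId to the returned ARN instead.
    """
    import boto3  # imported here so the pure builders above stay dependency-free

    client = boto3.client("wafv2", region_name=region)
    summary = client.create_web_acl(**build_log4j_web_acl(acl_name, scope, count_only))["Summary"]
    if scope == "REGIONAL" and resource_arn:
        client.associate_web_acl(WebACLArn=summary["ARN"], ResourceArn=resource_arn)
    return summary["ARN"]


if __name__ == "__main__":
    # Placeholder load balancer ARN, constructed for illustration only.
    print(create_and_associate(
        "log4j-mitigation", "REGIONAL",
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example/0123456789abcdef",
        count_only=True,
    ))
```

    Start with count_only=True, watch the sampled requests and CloudWatch metrics for false positives on your own traffic, then recreate or update the ACL with the override removed so the rule groups block.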

    NICE

    Due to a CVE in the Apache Log4j library, included in EnginFrame from version 2020.0 to 2021.0-r1307, NICE recommends that you upgrade to the latest EnginFrame version, or update the Log4j library in your EnginFrame installation following the instructions on the support website.

    Please feel free to contact us.

    [V2] Last Updated Date: 2021/12/13 1:42 PM PDT

    AWS is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228). We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service.

    We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, either directly or through their operating system’s software update mechanism. Additional service-specific information is below.

    If you need additional details or assistance, please contact AWS Support.

    S3

    S3 completed patching for the Apache Log4j2 issue (CVE-2021-44228) for S3’s data ingress and egress on December 11, 2021. We have also completed patching all other S3 systems that used Log4j2.

    Amazon OpenSearch

    Amazon OpenSearch Service is deploying a service software update, version R20211203-P2, which contains an updated version of Log4j2. We will notify customers as the update becomes available in their regions, and update this bulletin once it is available worldwide.

    AWS Lambda

    AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228. Customers using the aws-lambda-java-log4j2 library in their functions will need to update to version 1.3.0 and redeploy.

    AWS CloudHSM

    CloudHSM JCE SDK versions earlier than 3.4.1 include a version of Apache Log4j affected by this issue. On December 10, 2021, CloudHSM released JCE SDK v3.4.1 with a fixed version of Apache Log4j. If you use CloudHSM JCE versions earlier than 3.4.1, you may be impacted and should mitigate the issue by upgrading CloudHSM JCE SDK to version 3.4.1 or higher.

    Amazon EC2

    The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228. More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.

    API Gateway

    We are updating API Gateway to use a version of Log4j2 that mitigates the issue. You may observe periodic latency increases for some APIs during these updates.

    AWS Greengrass

    Updates for all Greengrass V2 components that use Log4j are available for deployment as of 12/10/2021. These components are: Stream Manager (2.0.14) and Secure Tunneling (1.0.6). AWS recommends that customers who are using these Greengrass components deploy the latest versions to their devices.

    The Stream Manager feature of Greengrass versions 1.10.x and 1.11.x uses Log4j. An update for the Stream Manager feature is included in Greengrass patch versions 1.10.5 and 1.11.5, which are both available as of 12/12/2021. We strongly recommend that customers on versions 1.10.x and 1.11.x who have Stream Manager enabled on their devices (or may enable it in the future) update their devices to the latest versions.

    CloudFront

    CloudFront services have been updated to mitigate the issues identified in CVE-2021-44228. The CloudFront request handling services that run in our POPs are not written in Java and therefore were not affected by this issue.

    Elastic Beanstalk

    AWS Elastic Beanstalk installs Log4j from the Amazon Linux default package repositories in its Tomcat platforms for Amazon Linux 1 and Amazon Linux 2. The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.

    If your application bundles its own copy of Log4j, or otherwise changes the Log4j version the platform provides, then we recommend that you update your application’s dependencies to mitigate this issue.

    In accordance with our normal practices, if patched versions of these default package repository versions are released, Elastic Beanstalk will include the patched version in the next Tomcat platform version release for Amazon Linux 1 and Amazon Linux 2.

    More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.

    EMR

    CVE-2021-44228 impacts Apache Log4j versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources.

    We are actively working on building an update that mitigates the issue discussed in CVE-2021-44228 when open source frameworks installed on your EMR cluster process information from untrusted sources.

    Lake Formation

    Lake Formation service hosts are being proactively updated to the latest version of Log4j to address the security issue with versions referenced in CVE-2021-44228.

    AWS SDK

    The AWS SDK for Java uses a logging facade, and does not have a runtime dependency on log4j. We do not currently believe any AWS SDK for Java changes need to be made regarding this issue.

    AMS

    We are actively monitoring this issue, and are working on addressing it for any AMS services which use Log4j2. We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, either directly or through their operating system's software update mechanism.

    Amazon Neptune

    Amazon Neptune includes the Apache Log4j2 library as a peripheral component, but the issue is not believed to impact Neptune users. Out of an abundance of caution, Neptune clusters will be automatically updated to use a version of Log4j2 that addresses the issue. Customers may observe intermittent events during update.

    NICE

    Due to a CVE in the Apache Log4j library, included in EnginFrame from version 2020.0 to 2021.0-r1307, NICE recommends that you upgrade to the latest EnginFrame version, or update the Log4j library in your EnginFrame installation following the instructions on the support website.

    Please feel free to contact us.

    Kafka

    Managed Streaming for Apache Kafka is aware of the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library and is applying updates as required. Please note that the builds of Apache Kafka and Apache ZooKeeper offered in MSK currently use Log4j 1.2.17, which is not affected by this issue. Some MSK-specific service components use the Log4j 2.x library and are being patched where needed.

    AWS Glue

    AWS Glue is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228). We have updated our control plane fleet that serves AWS Glue APIs for all supported Glue versions.

    AWS Glue creates a new Spark environment that is isolated at the network and management level from all other Spark environments inside the AWS Glue service account. Your ETL jobs are executed on a single tenant environment. If your ETL jobs load a specific version of Apache Log4j, then you are advised to update your scripts to use the latest version of Apache Log4j. If you use AWS Glue development endpoints to author your scripts, then you are advised to update the Log4j version you use there as well.

    AWS Glue is also proactively applying the updates to new Spark environments across all supported regions. If you have questions or would like additional assistance, please contact us through AWS Support.

    RDS

    Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j library. Where upstream vendors are involved, we are applying their recommended mitigation. Customers may observe intermittent events during update of internal components.

    Amazon Connect

    Amazon Connect services have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon DynamoDB

    Amazon DynamoDB and Amazon DynamoDB Accelerator (DAX) have been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon Keyspaces (for Apache Cassandra)

    Amazon Keyspaces (for Apache Cassandra) has been updated to mitigate the issues identified in CVE-2021-44228.

    Amazon MQ

    Amazon MQ has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MQ service code (AWS specific) and open source code (Apache ActiveMQ and RabbitMQ message brokers).

    As of Dec 13, 2021, we have completed all required updates to the Amazon MQ service code to address the issue.

    There are no updates required to the open source message brokers. All versions of Apache ActiveMQ offered in Amazon MQ use Log4j version 1.2.x, which is not affected by this issue. RabbitMQ does not use Log4j and is not affected by this issue.

    Kinesis Data Analytics

    The versions of Apache Flink supported by Kinesis Data Analytics include Apache Log4j versions between 2.0 and 2.14.1. Kinesis Data Analytics applications operate in single-tenant, isolated environments and cannot interact with one another.

    We are updating the version of Log4j available to Kinesis Data Analytics customer applications in all AWS regions. Applications started or updated after 6:30 PM PST on 12/12/2021 will automatically receive the updated patch. Customers whose applications were started or updated before then can ensure that their applications run on the updated version of Log4j by calling the Kinesis Data Analytics UpdateApplication API. See the Kinesis Data Analytics documentation for details of the UpdateApplication API.

    [V1] Last Updated Date: 2021/12/12 9:40 PM PST

    AWS is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228). We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service.

    We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, either directly or through their operating system’s software update mechanism.

    It has been reported that using Log4j2 on JDKs after 8u121 or 8u191 (including JDK 11 and later) mitigates the issue, but this is only a partial mitigation. The only comprehensive solution is to upgrade Log4j2 to 2.15, and Log4j2 versions older than 2.15 should be considered affected regardless of the JDK distribution or version used.

    Additional service-specific information is below.

    If you need additional details or assistance, please contact AWS Support.

    API Gateway

    We are updating API Gateway to use a version of Log4j2 that mitigates the issue. You may observe periodic latency increases for some APIs during these updates.

    AWS Greengrass

    Updates for all Greengrass V2 components that use Apache Log4j2 are available for deployment since 12/10/2021. These components are: Stream Manager (2.0.14) and Secure Tunneling (1.0.6). AWS recommends that customers who are using these Greengrass components deploy the latest versions to their devices.

    Updates for Greengrass versions 1.10 and 1.11 are expected to be available by 12/17/2021. Customers who use Stream Manager on these devices are recommended to update their devices as soon as the Greengrass binaries are made available for these versions. In the meantime, customers should verify that their custom Lambda code using Stream Manager on Greengrass 1.10 or 1.11 does not use arbitrary stream names and file names (for the S3 exporter) outside of the customer’s control, e.g. a stream name or file name containing the text “${”, since such names end up in log messages that Log4j will try to expand.

    Amazon MQ

    Amazon MQ has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MQ service code (AWS specific) and open source code (Apache ActiveMQ and RabbitMQ message brokers).

    We are applying required updates to the Amazon MQ service code to address the issue.

    There are no updates required to the open source message brokers. All versions of Apache ActiveMQ offered in Amazon MQ use Log4j version 1.x, which is not affected by this issue. RabbitMQ does not use Log4j2 and is not affected by this issue.

    CloudFront

    CloudFront services have been updated to mitigate the issues identified in CVE-2021-44228. The CloudFront request handling services that run in our POPs are not written in Java and therefore were not affected by this issue.

    AWS Elastic Beanstalk

    AWS Elastic Beanstalk installs Log4j from the Amazon Linux default package repositories in its Tomcat platforms for Amazon Linux 1 and Amazon Linux 2. The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.

    If you have made configuration changes to your application’s use of Log4j, then we recommend that you take action to update your application’s code to mitigate this issue.

    In accordance with our normal practices, if patched versions of these default package repository versions are released, Elastic Beanstalk will include the patched version in the next Tomcat platform version release for Amazon Linux 1 and Amazon Linux 2.

    More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.

    EMR

    CVE-2021-44228 impacts Apache Log4j versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources.

    We are actively working on building an update that mitigates the issue discussed in CVE-2021-44228 when open source frameworks installed on your EMR cluster process information from untrusted sources.

    Lake Formation

    Lake Formation service hosts are being proactively updated to the latest version of Log4j to address the issue with versions referenced in CVE-2021-44228.

    S3

    S3’s data ingress and egress is patched against the Log4j2 issue. We are working to apply the Log4j2 patch to the S3 systems that operate separately from S3’s data ingress and egress.

    AWS SDK

    The AWS SDK for Java uses a logging facade, and does not have a runtime dependency on Log4j. We do not currently believe any AWS SDK for Java changes need to be made regarding this issue.

    AMS

    We are actively monitoring this issue, and are working on addressing it for any AMS services that use Log4j2. We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, either directly or through their operating system's software update mechanism.

    AMS recommends deploying a Web Application Firewall (WAF) for all Internet-accessible application endpoints. The AWS WAF service can be configured to provide an additional layer of defense against this issue by deploying the AWSManagedRulesAnonymousIpList rule group (which contains rules to block sources known to anonymize client information, like Tor nodes) and the AWSManagedRulesKnownBadInputsRuleSet rule group (which inspects the URI, request body, and commonly used headers to help block requests related to Log4j and other issues).

    AMS will continue to monitor this issue and provide additional details and recommendations as they become available.

    Amazon Neptune

    Amazon Neptune includes the Apache Log4j2 library as a peripheral component, but the issue is not believed to impact Neptune users. Out of an abundance of caution, Neptune clusters will be automatically updated to use a version of Log4j2 that addresses the issue. Customers may observe intermittent events during update.

    NICE

    Due to a CVE in the Apache Log4j library included in EnginFrame from version 2020.0 to 2021.0-r1307, NICE recommends that you upgrade to the latest EnginFrame version, or update the Log4j library in your EnginFrame installation following the instructions on the support website.

    Please feel free to contact us.

    Kafka

    Managed Streaming for Apache Kafka is aware of the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library and is applying updates as required. Please note that the builds of Apache Kafka and Apache ZooKeeper offered in MSK currently use Log4j 1.2.17, which is not affected by this issue. Some MSK-specific service components use the Log4j 2.x library and are being patched where needed.

    AWS Glue

    AWS Glue is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228). We have updated our control plane fleet that serves AWS Glue APIs for all supported Glue versions.

    AWS Glue creates a new Spark environment that is isolated at the network and management level from all other Spark environments inside the AWS Glue service account. Your ETL jobs are executed on a single tenant environment. If your ETL jobs load a specific version of Apache Log4j, then you are advised to update your scripts to use the latest version of Apache Log4j. If you use AWS Glue development endpoints to author your scripts, then you are advised to update the Log4j version you use there as well.

    AWS Glue is also proactively applying the updates to new Spark environments across all supported regions. If you have questions or would like additional assistance, please contact us through AWS Support.

    RDS

    Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j library. Where upstream vendors are involved, we are applying their recommended mitigation. Customers may observe intermittent events during update of internal components.

    OpenSearch

    Amazon OpenSearch Service is deploying a service software update, version R20211203-P2, which contains an updated version of Log4j2. We will notify customers as the update becomes available in their regions, and update this bulletin once it is available worldwide.

  5. Apache Log4j2 Issue (CVE-2021-44228)

    Initial Publication Date: 2021/12/10 7:20 PM PDT

    All updates to this issue have moved here.

    AWS is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228). We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service.

    We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, available at: https://logging.apache.org/log4j/2.x/download.html or through their operating system’s software update mechanism. Additional service-specific information is below.

    If you need additional details or assistance, please contact AWS Support.

    Amazon EC2

    The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228. More information about security-related software updates for Amazon Linux is available at: https://alas.aws.amazon.com.

    AWS WAF / Shield

    To improve detection and mitigation of risks arising from the recent Log4j security issue, we have updated the AWSManagedRulesKnownBadInputsRuleSet AMR in the AWS WAF service. Customers of CloudFront, Application Load Balancer (ALB), API Gateway, and AppSync can immediately take advantage of this mitigation option, which inspects the URI, request body, and commonly used headers to add an additional layer of defense, by creating an AWS WAF web ACL, adding AWSManagedRulesKnownBadInputsRuleSet to your web ACL, and then associating the web ACL with your CloudFront distribution, ALB, API Gateway or AppSync GraphQL APIs.

    More information on getting started with AWS WAF is available here: https://docs.aws.amazon.com/waf/latest/developerguide/getting-started.html

    Additional documentation for enabling AMRs is available here: https://docs.aws.amazon.com/waf/latest/developerguide/waf-using-managed-rule-groups.html

    Please note that AMRs are not available in WAF Classic, so please upgrade to AWS WAF (wafv2) to take advantage of this mitigation option.

    Amazon OpenSearch

    We are updating all Amazon OpenSearch Service domains to use a version of “Log4j2” that addresses the issue. You may observe intermittent activity on your domains during the update process.

    AWS Lambda

    AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228. Customers using the aws-lambda-java-log4j2 (https://repo1.maven.org/maven2/com/amazonaws/aws-lambda-java-log4j2/) library in their functions will need to update to version 1.3.0 and redeploy.

    AWS CloudHSM

    CloudHSM JCE SDK versions earlier than 3.4.1 include a version of Apache Log4j affected by this issue. On December 10, 2021, CloudHSM released JCE SDK v3.4.1 with a fixed version of Apache Log4j. If you use CloudHSM JCE versions earlier than 3.4.1, you may be impacted and should remediate by upgrading CloudHSM JCE SDK to version 3.4.1 or higher [1].
    [1] https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-library-install.html