Palo Alto Networks warns that a patch released by Amazon to protect AWS from high-profile issues in Apache Log4j, including the Log4Shell vulnerability, poses a threat to users.
The patch can be used to escape the container and escalate privileges, allowing an attacker to take control of the underlying host.
Let me remind you that in December last year, shortly after cybersecurity researchers alarmed about problems in Apache Log4j, Amazon released emergency patches that fix bugs in various environments, including servers, Kubernetes, Elastic Container Service (ECS) and Fargate. The purpose of hotpatches was to quickly fix vulnerabilities while system administrators transited their applications and services to a secure version of Log4j.
Let me also remind you that soon after the discovery of vulnerabilities, real attacks on the Log4Shell were recorded. Moreover, the experts also found out that the Chinese hack group Aquatic Panda exploits Log4Shell to hack educational institutions.
However, as Palo Alto Networks has now found out, the patches were not very successful and could, among other things, lead to the capture of other containers and client applications on the host.
The experts showed a video demonstrating an attack on the supply chain with the malicious container image and usage of an earlier patch. Similarly, compromised containers can be used to “escape” and take over the underlying host. Palo Alto Networks decided not to share details about this exploit yet, so that attackers could not use it.
In the next step, elevated privileges could be used by a malicious java process to escape the container and take full control of the compromised server.
Users are advised to update to the corrected version of the hotpatch as soon as possible in order to prevent exploitation of related bugs.