CVE-2022-33915

Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.
Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:hotpatch:*:*:*:*:*:log4j:*:*

History

21 Nov 2024, 07:08

Type Values Removed Values Added
References () https://alas.aws.amazon.com/AL2/ALAS-2022-1806.html - Vendor Advisory () https://alas.aws.amazon.com/AL2/ALAS-2022-1806.html - Vendor Advisory
References () https://alas.aws.amazon.com/ALAS-2022-1601.html - Vendor Advisory () https://alas.aws.amazon.com/ALAS-2022-1601.html - Vendor Advisory

05 Jul 2022, 19:43

Type Values Removed Values Added
CPE cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* cpe:2.3:a:amazon:hotpatch:*:*:*:*:*:log4j:*:*

30 Jun 2022, 18:30

Type Values Removed Values Added
CPE cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 4.4
v3 : 7.0
References (MISC) https://alas.aws.amazon.com/ALAS-2022-1601.html - (MISC) https://alas.aws.amazon.com/ALAS-2022-1601.html - Vendor Advisory
References (MISC) https://alas.aws.amazon.com/AL2/ALAS-2022-1806.html - (MISC) https://alas.aws.amazon.com/AL2/ALAS-2022-1806.html - Vendor Advisory
CWE CWE-362

17 Jun 2022, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-06-17 13:15

Updated : 2024-11-21 07:08


NVD link : CVE-2022-33915

Mitre link : CVE-2022-33915

CVE.ORG link : CVE-2022-33915


JSON object : View

Products Affected

amazon

  • hotpatch
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')