The issue at play here is in the way the hotfix looks for versions of Java to patch. In the current flavor of the patch the search is only looking for processes named “java”, it is not checking the process and is not running it inside the restrictions of an containers involved. If a malicious container or compute device contains a binary names java, the hot fix will run it potentially with elevated privileges allowing for follow on escape from the container and compromise of the server. The same can be said of a malicious process injected into an already operating container or server. If an attacker can push of invoke this new binary the hotfix will try to execute it and allow for the same style escalation and escape.

Log4Shell was and still is a significant issue as some systems and applications remain without proper remediation or mitigations steps. Added to this mix are the as yet unpatched systems still out there. To see a flaw show up like this in a hotfix is does not instill confidence in remediation steps. It also comes as threat intelligence indicates that IABs (initial access brokers) are specifically targeting AWS and other cloud services looking for Log4J. Organizations should be aware of this new potential threat vector and take appropriate steps to mitigate it as we are likely to see interest in this flaw from IABs and APT groups alike.

The good news is that Amazon does have an updated version of the hotfix and recommends updating to it as soon as possible after ensuring that they have updated any potentially vulnerable applications that exist in their environments. Log4Shell is another flaw we put in the “gift that keeps on giving” category.
Happy Patching.