Corretto team statement on CVE-2021-44228 (Log4j remote code execution)

[davecurrie]

A high-severity security issue within Log4j2 was recently disclosed publicly (see https://nvd.nist.gov/vuln/detail/CVE-2021-44228 for more details). Anyone using Log4j2 should upgrade to version 2.15, which addresses this issue. Log4j2 versions older than 2.15 should be considered affected regardless of the JDK distribution or version used.

It has been reported that using Log4j2 on JDKs after 8u121 or 8u191 (including JDK 11 and later) mitigates the issue but this is only a partial mitigation. The only comprehensive solution is to upgrade Log4j2 to 2.15.

[davecurrie]

The Corretto team at AWS has been working on a tool to hotpatch the log4j RCE from CVE-2021-44228. This tool

• Can patch a running JVM without a need to restart
• Will patch log4j 2+
• Can be run safely multiple times on the same JVM
• Will find all the user’s running JVMs and patch them
• Can be used to patch shaded jars including log4j
• Can patch multiple log4j instances

You can get it at https://github.com/corretto/hotpatch-for-apache-log4j2. Use it at your own risk and go through the README for instructions and caveats.