eMite Log4j/Log4Shell vulnerability CVE-2021-44228 - Amazon Connect

A critical vulnerability (CVE-2021-44228, "Log4Shell") has recently been reported in Log4j, a logging library used by many Java-based applications. Depending on how the affected system is configured, it can be exploited for RCE (remote code execution). It is being actively exploited in the wild, and attackers have been observed using it to load trojans, ransomware, crypto-miners and other malware onto vulnerable systems.

Some details on the vulnerability are:

https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce

https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability

https://logging.apache.org/log4j/2.x/security.html

The eMite application and adapters are not vulnerable to the Log4j vulnerability: they are written in C# on .NET, use no Java or Apache-based components, and depend on few third-party libraries, which keeps the attack surface small. However, eMite does use Elasticsearch for data storage, and Elasticsearch is a Java application that ships with Log4j2.


From the Elasticsearch advisory

  • Elasticsearch
    Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager. Elasticsearch on JDK8 or below is susceptible to an information leak via DNS which is fixed by a simple JVM property change. The information leak does not permit access to data within the Elasticsearch cluster.

Mitigation for eMite or customer-hosted Amazon Connect environments

  • eMite environments for Amazon Connect customers use the AWS-managed Elasticsearch/OpenSearch service, hosted in the customer's own AWS account.

  • AWS has advised that it is rolling out a service software update to address the Log4j vulnerability:

    • https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

    • “Amazon OpenSearch Service is deploying a service software update, version R20211203-P2, which contains an updated version of Log4j2. We will notify customers as the update becomes available in their regions, and update this bulletin once it is available worldwide.”

  • We advise customers to apply the service software update as soon as they receive the notification/bulletin from AWS.

    • AWS considers this service software update critical and will automatically apply it a few hours after the notification if the customer has not already done so.

  • The service software update does not require any downtime, but we do recommend applying it during off-peak hours.

  • Beyond the update itself, we recommend reviewing and tightening the security group attached to the Elasticsearch/OpenSearch domain, so that only the specific application servers (such as the eMite servers) can reach it.
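The two checks above (is the domain already on a service software version that carries the fixed Log4j2, and is its security group limited to the application servers) can be scripted against the JSON the AWS CLI prints. The script below is an added example, not eMite's or AWS's code. It assumes the `ServiceSoftwareOptions` fields of `aws opensearch describe-domain` (also present in the older `aws es describe-elasticsearch-domain`) and the `IpPermissions` layout of `aws ec2 describe-security-groups`; the domain name, security group IDs and rule set in the samples are constructed for illustration. The minimum version is the one named in bulletin AWS-2021-006.

```python
"""Post-Log4Shell checks for an AWS-managed OpenSearch/Elasticsearch domain.

Added example, not eMite's or AWS's code. It inspects the JSON the AWS CLI
prints, so it runs offline on the constructed samples below and on real
output saved with:

  aws opensearch describe-domain --domain-name <domain> > domain.json
  aws ec2 describe-security-groups --group-ids <sg-id>   > sg.json
  python check_domain.py domain.json sg.json
"""
import ipaddress
import json
import re
import sys

# Service software version that bulletin AWS-2021-006 names as carrying the
# updated Log4j2; anything at or above it is treated as patched.
MIN_SERVICE_SOFTWARE = "R20211203-P2"

_VERSION_RE = re.compile(r"^R(\d{8})(?:-P(\d+))?$")


def parse_service_software(version):
    """'R20211203-P2' -> (20211203, 2): release date and patch level, comparable as a tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised service software version: %r" % version)
    return int(m.group(1)), int(m.group(2) or 0)


def assess_domain(describe_output):
    """Classify one domain from describe-domain output and say what to do next."""
    opts = describe_output["DomainStatus"].get("ServiceSoftwareOptions", {})
    current = opts.get("CurrentVersion", "")
    patched = bool(current) and (
        parse_service_software(current) >= parse_service_software(MIN_SERVICE_SOFTWARE)
    )
    if patched:
        action = "none: running service software already carries the fixed Log4j2"
    elif opts.get("UpdateAvailable"):
        action = "apply now: aws opensearch start-service-software-update --domain-name <domain>"
    else:
        action = "wait for the AWS notification; no update is offered for this domain yet"
    return {
        "current": current,
        "new": opts.get("NewVersion", ""),
        "patched": patched,
        "update_available": bool(opts.get("UpdateAvailable")),
        "update_status": opts.get("UpdateStatus", "UNKNOWN"),
        "action": action,
    }


def open_ingress(sg_output, ports=(443, 9200)):
    """Ingress rules that reach the domain's ports (443 for the managed endpoint,
    9200 added for self-managed Elasticsearch) from a source wider than one host.
    Source-security-group references (UserIdGroupPairs) are the recommended way
    to admit only the application servers, so they are not flagged."""
    findings = []
    for sg in sg_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":                       # "all traffic" rule
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            else:
                continue
            hit = [p for p in ports if lo <= p <= hi]
            if not hit:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.num_addresses == 1:
                    continue                        # one application host: acceptable
                severity = "open-to-internet" if net.prefixlen == 0 or not net.is_private \
                    else "broad-private-range"
                for port in hit:
                    findings.append((sg["GroupId"], port, cidr, severity))
    return findings


# Constructed samples (not real resources) in the shape the AWS CLI prints,
# trimmed to the fields used here.
SAMPLE_DOMAIN = {"DomainStatus": {"DomainName": "emite-example", "ServiceSoftwareOptions": {
    "CurrentVersion": "R20211203", "NewVersion": "R20211203-P2", "UpdateAvailable": True,
    "Cancellable": False, "UpdateStatus": "ELIGIBLE",
    "Description": "A newer release R20211203-P2 is available."}}}

SAMPLE_SG = {"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},   # app servers' SG: good
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Ipv6Ranges": [],
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},  # HTTPS from anywhere: bad
    {"IpProtocol": "-1", "Ipv6Ranges": [], "UserIdGroupPairs": [],
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},                        # whole VPC, all ports: review
]}]}


def main(argv):
    domain = json.load(open(argv[1])) if len(argv) > 2 else SAMPLE_DOMAIN
    sgs = json.load(open(argv[2])) if len(argv) > 2 else SAMPLE_SG
    print(json.dumps(assess_domain(domain), indent=2))
    for group, port, cidr, severity in open_ingress(sgs):
        print("%s: port %d reachable from %s (%s)" % (group, port, cidr, severity))


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments to see the constructed samples assessed; with two file arguments it assesses real CLI output. A domain still showing `R20211203` with `UpdateAvailable: true` is exactly the state described above, where the update should be started rather than waiting for AWS to apply it automatically.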