Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Infrastructure as Code: Modernizing for Faster Development
Jun 8th 2023 12:59pm, by Heather Joslyn
Security as Code Protects Rapidly Developing Cloud Native Architectures
Jun 8th 2023 10:00am, by Aakash Shah
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by Guilherme (Gui) Alvarenga
How GitHub Uses GitHub to Be Productive and Secure
May 31st 2023 10:30am, by Loraine Lawson
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by Guilherme (Gui) Alvarenga
Chainguard Improves Security for Its Container Image Registry
May 31st 2023 6:30am, by Steven J. Vaughan-Nichols
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How to Containerize a Python Application with Paketo Buildpacks
May 29th 2023 5:00am, by Sylvain Kalache
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by Jason Myers
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by Chris J. Preimesberger
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by Susan Hall
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
WithSecure Pours Energy into Making Software More Efficient
Jun 1st 2023 7:14am, by Joe Fay
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
The Architect’s Guide to Storage for AI
Jun 1st 2023 7:44am, by Keith Pijanowski
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by Jennifer Riggins
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by Doug Flora
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by Rick Houlihan
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by Casey Samulski
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
LangChain: The Trendiest Web Framework of 2023, Thanks to AI
Jun 1st 2023 10:57am, by
30 Non-Trivial Ways for Developers to Use GPT-4
Jun 1st 2023 9:39am, by
Bluesky vs. Nostr — Which Should Developers Care About More?
May 30th 2023 7:51am, by
Infrastructure as Code: Modernizing for Faster Development
Jun 8th 2023 12:59pm, by
How LLMs Are Transforming Enterprise Applications
Jun 8th 2023 7:12am, by
Sundeck Launches Query Engineering Platform for Snowflake
Jun 8th 2023 5:00am, by
Chainguard Unveils Speranza: A Novel Software Signing System
Jun 7th 2023 2:22pm, by
Speeding up Codecov Analysis for Xcode Projects
Jun 7th 2023 9:02am, by
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
How WASM (and Rust) Unlocks the Mysteries of Quantum Computing
Jun 8th 2023 3:00am, by
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by
Python and WebAssembly: Elevating Performance for Web Apps
Jun 5th 2023 3:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
How Apache Airflow Better Manages Machine Learning Pipelines
Jun 8th 2023 3:13pm, by
Generative AI: What's Ahead for Enterprises?
Jun 8th 2023 11:13am, by
What Is Amazon QuickSight, and How Does It Uncover Insights?
Jun 8th 2023 8:54am, by
How LLMs Are Transforming Enterprise Applications
Jun 8th 2023 7:12am, by
How AlphaSense Added Generative AI to Its Existing AI Stack
Jun 8th 2023 6:00am, by
How Apache Airflow Better Manages Machine Learning Pipelines
Jun 8th 2023 3:13pm, by
DataStax Adds Vector Search to Astra DB on Google Cloud
Jun 7th 2023 10:07am, by
Enhance Kubernetes Scheduling for GPU-Heavy Apps with Node Templates
Jun 7th 2023 10:00am, by
Building StarCoder, an Open Source LLM Alternative
Jun 7th 2023 8:19am, by
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
Security as Code Protects Rapidly Developing Cloud Native Architectures
Jun 8th 2023 10:00am, by
Chainguard Unveils Speranza: A Novel Software Signing System
Jun 7th 2023 2:22pm, by
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by
Compiled Python Code Used in a New PyPI Attack
Jun 2nd 2023 6:00am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
‘Running Service’ Blueprint for a Kubernetes Developer Portal
Jun 7th 2023 8:30am, by Zohar Einy
Building GPT Applications on Open Source Stack LangChain
Jun 7th 2023 6:58am, by Akmal Chaudhri
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
Generative AI: What's Ahead for Enterprises?
Jun 8th 2023 11:13am, by Heather Joslyn
Security as Code Protects Rapidly Developing Cloud Native Architectures
Jun 8th 2023 10:00am, by Aakash Shah
Sundeck Launches Query Engineering Platform for Snowflake
Jun 8th 2023 5:00am, by Andrew Brust
How WASM (and Rust) Unlocks the Mysteries of Quantum Computing
Jun 8th 2023 3:00am, by Mary Branscombe
Enhance Kubernetes Scheduling for GPU-Heavy Apps with Node Templates
Jun 7th 2023 10:00am, by Žilvinas Urbonas
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by David Cassel
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by David Eastman
Defend Open Source from Trolls: Oppose Patent Rule Changes
Jun 2nd 2023 6:49am, by Michael Dolan
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
‘Running Service’ Blueprint for a Kubernetes Developer Portal
Jun 7th 2023 8:30am, by Zohar Einy
Building GPT Applications on Open Source Stack LangChain
Jun 7th 2023 6:58am, by Akmal Chaudhri
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
Enhance Kubernetes Scheduling for GPU-Heavy Apps with Node Templates
Jun 7th 2023 10:00am, by Žilvinas Urbonas
‘Running Service’ Blueprint for a Kubernetes Developer Portal
Jun 7th 2023 8:30am, by Zohar Einy
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
Containers / Kubernetes / Security

AWS’s Log4Shell Fix Needs Fixing

Palo Alto Networks' security research group Unit 42 discovered several Amazon Web Services (AWS) hot patch fixes came with their own serious security holes.
Apr 21st, 2022 9:21am by
Featued image for: AWS’s Log4Shell Fix Needs Fixing
Featured image by Maria Domnina from Pixabay. 

Log4Shell, the open source Java logging library Apache Log4j problem has been such a pain in the rump! Now, adding insult to injury, Palo Alto Networks’ security research group Unit 42 discovered several Amazon Web Services (AWS) hot patch fixes came with their own serious security holes.

It’s always something!

So, how bad were these holes? In a word: “Awful.”

Specifically, after installing the patch service to a server or cluster, every container could be exploited to take over its underlying host. For example, if you installed the hot patch to a Kubernetes cluster, every container in your cluster could now escape to higher levels until you either disable the hot patch or upgrade to the fixed version. Aside from containers, unprivileged processes could also be used to exploit the patch to escalate privileges and gain root code execution.

Things Get Worse

Guess what? It gets worse.

Unit 42 reported that containers could escape regardless of whether they were running Java applications, or whether their underlying host runs Bottlerocket, AWS’s hardened Linux distribution for containers. Even if your containers are running with user namespaces or as a non-root user they can still be exploited. Unit 42 assigned Common Vulnerabilities and Exposures (CVE) CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071 to these vulnerabilities.

Maybe “awful” is too mild a word. Exploited, these are catastrophic holes.

New Fixes

Fortunately, Unit 42 and AWS joined forces to fix the patches with newer, secure patches. So far, no one’s been attacked via these holes in the wild.

If you don’t want to be the first — and if you care about your company or job, this is one “first” you really don’t want — you must install the fixed version ASAP. In fact, now — yes, now — disable would be good.

You do this by installing a permanent fix or the latest hot patch. AWS has already released a fix for each hot patch solution. Once a host runs a fixed version, neither the container escape nor privilege escalation can be used against your system.

Steps to Take

For the hot patches, you need to take the following steps.

  1. Version 1.1-16 of the log4j-cve-2021-44228-hotpatch package, which bundles the hot patch service.
  2. Version 1.02 of Hotdog, a hot patch solution for Bottlerocket hosts based on Open Container Initiative (OCI) hooks.

There’s not, however, an automated way to use kubernetes-log4j-cve-2021-44228-node-agent Daemonset to install the fixed hot patch. Instead, you’ll need to jump through the following hoops:

  1. On standalone hosts, you can upgrade by running

$ yum update log4j-cve-2021-44228-hotpatch

For RPM-based distros or for distros using DEB:

$ Sudo apt install –only-upgrade log4j-cve-2021-44228-hotpatch

  1. Update: On Kubernetes clusters that installed the hot patch to every node via the hotpatch Daemonset, you need to manually connect to every node and update the installed hot patch via yum or apt. Note that only deleting the hot patch Daemonset doesn’t remove the hot patch service from your nodes.
  2. Hotdog users need to upgrade to the latest version.

Or, if you’re sure — and I mean sure — that your environment is permanently patched against Log4Shell, you can disable Hotdog on a host by running:

$ sudo touch /etc/log4j-cve-2021-44228-hotpatch.kill.,

$ run apiclient set oci-hooks.log4j-hotpatch-enabled=false.

Upgrade Now

Alta Vista’s Prisma Cloud customers can identify affected hosts under the Vulnerabilities tab. The platform detects the hot patch packages and alerts customers on VMs running a vulnerable version.

The reason why this is a top-of-mind problem is that because Log4Shell is such a dangerous bug, users often deployed hot patches at scale. Multitenant container environments and clusters running untrusted images are especially at risk.

Palo Alto Networks, and I, encourage you to upgrade to the fixed hot patch version as soon as possible. But, if you’re still patching against Log4Shell, prioritize that effort first. Yes, this is bad, but Log4Shell can be even worse. So, as I said earlier, get to work patching. It needs doing.

Group Created with Sketch.
Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system, 300bps was a fast internet connection, WordStar was the state-of-the-art word processor, and we liked it.
Read more from Steven J. Vaughan-Nichols
SHARE THIS STORY
RELATED STORIES
Rafay Backstage Plugins Simplify Kubernetes Deployments Container Security 101: A Guide to Safe and Efficient Operations How Testcontainers Is Demonstrating Value as a Key CI Tool Deploy an On-Premises Bitwarden Server with Docker Red Hat Podman Container Engine Gets a Desktop Interface
TNS owner Insight Partners is an investor in: Unit.
RELATED STORIES
How to Containerize a Python Application with Paketo Buildpacks Rafay Backstage Plugins Simplify Kubernetes Deployments Scan Container Images for Vulnerabilities with Docker Scout How to Protect Containerized Workloads at Runtime Container or VM? How to Choose the Right Option in 2023
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.