Description
Incomplete fix for CVE-2021-3100. The Apache Log4j hotpatch package starting with log4j-cve-2021-44228-hotpatch-1.1-16 will now explicitly mimic the Linux capabilities and cgroups of the target Java process that the hotpatch is applied to.
References (2)
Core References
Exploit, Third Party Advisory (x_refsource_misc): https://unit42.paloaltonetworks.com/aws-log4shell-hot-patch-vulnerabilities
Vendor Advisory (x_refsource_misc): https://alas.aws.amazon.com/cve/html/CVE-2022-0070.html
Scores
CVSS v3: 8.8
EPSS: 0.0037
EPSS Percentile: 29.0%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
CWE: CWE-269, CWE-250
Status: published
Products (1): amazon/log4jhotpatch < 1.1-16
Published: Apr 19, 2022
Tracked Since: Feb 18, 2026