AWS Open Source Blog
Hotpatch for Apache Log4j
CVE-2021-44228 has made for a busy weekend trying to patch or mitigate the vulnerability in a pervasively used open source logging platform, Apache Log4j.
We recommend that those running affected applications upgrade Log4j to version 2.16 to address this vulnerability. However, this isn’t always quick, so folks from the Corretto team spent some time building a tool to hotpatch vulnerable Log4j deployments. This tool is designed to hotpatch a running JVM using any Log4j 2.0+. The tool is idempotent, meaning that you can run it multiple times on the same JVM without changing the result past the initial application. This tool also looks for all the running JVMs and attempts to mitigate the vulnerability in each of them. You can also use it to patch shaded jars that include Log4j as a dependency, and to patch multiple Log4j instances on the classpath.
How does it work?
This tool injects a Java agent into a running JVM process. The agent attempts to patch the lookup() method of all loaded org.apache.logging.log4j.core.lookup.JndiLookup instances to unconditionally return the string “Patched JndiLookup::lookup()”. This is designed to address the CVE-2021-44228 remote code execution vulnerability in Log4j without restarting the Java process.
If you have the possibility of redeploying your Java processes, you can also use it as a static agent, meaning that you can include this patch in your runtime without directly logging in to your servers. Both of these modes of operation are described in the README.
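As an added illustration of the mechanism described above (this is example code written for this post, not the Corretto tool's own source), the agent below rewrites the bytecode of `JndiLookup.lookup()` with the ASM library so that it returns the constant marker string, and exposes both entry points: `premain` for the static `-javaagent:` mode and `agentmain` for injection into a running JVM through the JDK Attach API. The class name `JndiLookupPatchAgent`, the transformer name, and the command-line layout of `main` are assumptions of this example; the jar it is packaged in must carry a manifest with `Premain-Class`, `Agent-Class` and `Can-Retransform-Classes: true`, and ASM (`org.ow2.asm:asm`) must be on its classpath or shaded into it. The Attach classes come from `tools.jar` on JDK 8 and the `jdk.attach` module on JDK 9+.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.lang.instrument.UnmodifiableClassException;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

import com.sun.tools.attach.VirtualMachine;
import com.sun.tools.attach.VirtualMachineDescriptor;

/** Example agent (hypothetical, not the Corretto tool) that neutralises JndiLookup.lookup(). */
public class JndiLookupPatchAgent {
    static final String TARGET_INTERNAL = "org/apache/logging/log4j/core/lookup/JndiLookup";
    static final String TARGET_DOTTED = TARGET_INTERNAL.replace('/', '.');
    static final String PATCHED_MARKER = "Patched JndiLookup::lookup()";

    // Static mode: java -javaagent:agent.jar -jar app.jar
    public static void premain(String args, Instrumentation inst) throws UnmodifiableClassException {
        install(inst);
    }

    // Dynamic mode: loaded into an already running JVM via the Attach API.
    public static void agentmain(String args, Instrumentation inst) throws UnmodifiableClassException {
        install(inst);
    }

    static void install(Instrumentation inst) throws UnmodifiableClassException {
        // canRetransform=true so the transformer is also consulted by retransformClasses().
        inst.addTransformer(new JndiLookupTransformer(), true);
        // Copies of JndiLookup that are already loaded (one per log4j instance on the
        // classpath, shaded or not) are retransformed now; copies loaded later are caught
        // at load time. Re-applying the rewrite yields identical bytecode, hence idempotent.
        for (Class<?> c : inst.getAllLoadedClasses()) {
            if (TARGET_DOTTED.equals(c.getName()) && inst.isModifiableClass(c)) {
                inst.retransformClasses(c);
            }
        }
    }

    static final class JndiLookupTransformer implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> being,
                                ProtectionDomain pd, byte[] classfileBuffer) {
            if (!TARGET_INTERNAL.equals(className)) {
                return null; // null means: leave this class untouched
            }
            ClassReader reader = new ClassReader(classfileBuffer);
            ClassWriter writer = new ClassWriter(reader, ClassWriter.COMPUTE_MAXS);
            reader.accept(new ClassVisitor(Opcodes.ASM9, writer) {
                @Override
                public MethodVisitor visitMethod(int access, String name, String desc,
                                                 String signature, String[] exceptions) {
                    MethodVisitor target = super.visitMethod(access, name, desc, signature, exceptions);
                    if (!"lookup".equals(name)) {
                        return target; // every other method is copied unchanged
                    }
                    // No delegate: the original body of lookup() is discarded entirely and
                    // replaced by "return PATCHED_MARKER;".
                    return new MethodVisitor(Opcodes.ASM9) {
                        @Override
                        public void visitCode() {
                            target.visitCode();
                            target.visitLdcInsn(PATCHED_MARKER); // push the constant String
                            target.visitInsn(Opcodes.ARETURN);   // and return it
                            target.visitMaxs(1, 0);              // recomputed by COMPUTE_MAXS
                            target.visitEnd();
                        }
                    };
                }
            }, 0);
            return writer.toByteArray();
        }
    }

    // Launcher: attach to the given pid, or to every JVM visible to this user, and load
    // the agent jar into each. Self-attach and foreign-user JVMs fail and are reported.
    public static void main(String[] argv) throws Exception {
        if (argv.length < 1) {
            System.err.println("usage: JndiLookupPatchAgent <path-to-agent.jar> [pid]");
            System.exit(2);
        }
        List<String> pids = new ArrayList<>();
        if (argv.length > 1) {
            pids.add(argv[1]);
        } else {
            for (VirtualMachineDescriptor d : VirtualMachine.list()) {
                pids.add(d.id());
            }
        }
        for (String pid : pids) {
            try {
                VirtualMachine vm = VirtualMachine.attach(pid);
                try { vm.loadAgent(argv[0]); } finally { vm.detach(); }
                System.out.println("patched pid " + pid);
            } catch (Exception e) {
                System.err.println("pid " + pid + ": " + e);
            }
        }
    }
}
```

Because the transformer matches the class by name rather than by jar location, it reaches a `JndiLookup` that has been relocated inside a shaded jar only if the shading kept the original package, which is the usual case; a verification step after patching is to log a message containing a lookup pattern and confirm the marker string appears in place of any resolved value.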
Great – where can I get it?
This tool is available on GitHub today.
Caveats
So, as with all open source software, you’re using this at your own risk. Note that Hotpatch has been tested with JDK8 and JDK11 on Linux. On JDK17, only the static agent mode works. A full list of caveats can be found in the README.
Conclusion
This vulnerability is severe and, due to the widespread adoption of Apache Log4j, its impact is large. We highly encourage you to review, patch, or mitigate this vulnerability. This tool may help you mitigate the risk when updating is not immediately possible.
Finally, thanks to the Corretto team for spending days, nights, and the weekend to write, harden, and ship this code.
Update as of December 14, 2021, 10:18PM GMT: This tool also addresses CVE-2021-45046 in addition to the original CVE-2021-44228. We continue to update the README and implement a host of new improvements for the tool. Thank you to the open source community for the ongoing feedback and encouragement.