The disclosure of CVE-2021-44228 (Log4Shell), a remote code execution (RCE) vulnerability residing in Apache Log4j 2, has put thousands of products at risk of exploitation. Some of these products include services provided by common cloud service providers (CSPs), leaving CSP customers vulnerable to remote code execution and prompting rapid update deployments from Google, Microsoft, and Amazon, among other providers.
Of the main 3 CSPs, AWS services currently appear to be the most susceptible to this vulnerability, based on a recently published update demonstrating that at least 13 AWS services are susceptible to CVE-2021-44228. While some of these issues have been resolved server-side, some AWS infrastructure is still awaiting patching, and other mitigations or workarounds must be applied by the client in order to secure AWS deployments using log4j 2.
A similar advisory was released by Google, stating that 4 services are known to be vulnerable to CVE-2021-44228; however, Google is addressing these issues server-side, with some services already patched and others being investigated. Additionally, Google noted that Cloud Armor and Cloud IDS services offered by Google have been updated with rules that aim to identify threat actors’ attempts to exploit CVE-2021-44228. Reports from Microsoft demonstrate that Azure services are, at the time of writing, unaffected by this vulnerability.
Other popular CSPs or entities that provide products commonly used with cloud services, such as IBM and Docker, have reported that multiple services and products are vulnerable to CVE-2021-44228, and are following remediation efforts similar to those described above. At this point, many cloud providers are still attempting to identify server-side vulnerabilities in their products and services, and it is likely that future security bulletins will be released with further client-side recommendations and mitigations. At this time, all sources are suggesting that users update log4j 2 to version 2.15 as soon as possible.