Ensure Kubernetes hot-patch daemonset for Log4j2 is applied

HIGH

Description

Version 1.1-12 of the hot-patch DaemonSet that AWS released for Log4Shell (CVE-2021-44228) on Kubernetes clusters is vulnerable to container escape and reverse shell.

Remediation

AWS has provided two methods to patch this vulnerability. The first uses the YAML example provided in the node-agent repository; the more recent method is an RPM that updates JVM installations. For more information, follow the documentation linked below.

References:
https://github.com/aws-samples/kubernetes-log4j-cve-2021-44228-node-agent
https://github.com/corretto/hotpatch-for-apache-log4j2
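A simple way to check a cluster for this rule is to list DaemonSets and flag any that look like the hot-patch agent and still report version 1.1-12. The script below is an added example written for this page; it is not code from either AWS repository. It assumes the DaemonSet name or image mentions "log4j" or "hotpatch", and that the version is visible as an image tag or in the app.kubernetes.io/version label; the sample JSON, registry name and the 1.1-99 tag are constructed and not real AWS artifacts.

```python
import json
import re

# Version this rule flags (taken from the page); a DaemonSet reporting it is non-compliant.
VULNERABLE_VERSION = "1.1-12"

# Assumption: the hot-patch DaemonSet's name or image mentions "log4j" or "hotpatch".
HOTPATCH_NAME_RE = re.compile(r"log4j|hotpatch", re.IGNORECASE)

# Constructed sample in the shape of `kubectl get daemonsets -A -o json`; the names,
# registry, digest and the 1.1-99 tag are made up for this example.
SAMPLE_KUBECTL_JSON = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "DaemonSet",
            "metadata": {"name": "kube-proxy", "namespace": "kube-system", "labels": {}},
            "spec": {"template": {"spec": {"containers": [
                {"name": "kube-proxy", "image": "registry.example.invalid/kube-proxy:v1.21.2"}]}}},
        },
        {
            "kind": "DaemonSet",
            "metadata": {"name": "log4j-hotpatch", "namespace": "kube-system",
                         "labels": {"app.kubernetes.io/version": "1.1-12"}},
            "spec": {"template": {"spec": {"containers": [
                {"name": "agent", "image": "registry.example.invalid/log4j-hotpatch:1.1-12"}]}}},
        },
        {
            "kind": "DaemonSet",
            "metadata": {"name": "log4j-hotpatch", "namespace": "staging", "labels": {}},
            "spec": {"template": {"spec": {"containers": [
                {"name": "agent",
                 "image": "registry.example.invalid:5000/log4j-hotpatch:1.1-99@sha256:0000"}]}}},
        },
    ],
})


def image_tag(image: str):
    """Return the tag of an image reference, or None.

    Drops any @digest suffix first and looks only at the last path component,
    so a registry port (host:5000/...) is not mistaken for a tag.
    """
    ref = image.split("@", 1)[0]
    last = ref.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else None


def find_vulnerable_hotpatch_daemonsets(kubectl_json: str):
    """Return (namespace, name, version) for hot-patch DaemonSets reporting VULNERABLE_VERSION."""
    findings = []
    for ds in json.loads(kubectl_json).get("items", []):
        if ds.get("kind") != "DaemonSet":
            continue
        meta = ds.get("metadata", {})
        containers = ds.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])
        images = [c.get("image", "") for c in containers]
        looks_like_hotpatch = HOTPATCH_NAME_RE.search(meta.get("name", "")) or any(
            HOTPATCH_NAME_RE.search(img) for img in images)
        if not looks_like_hotpatch:
            continue
        # Versions may appear as image tags or in the recommended version label (assumed conventions).
        versions = {image_tag(img) for img in images}
        versions.add(meta.get("labels", {}).get("app.kubernetes.io/version"))
        versions.discard(None)
        if VULNERABLE_VERSION in versions:
            findings.append((meta.get("namespace", "default"), meta.get("name", ""), VULNERABLE_VERSION))
    return findings


if __name__ == "__main__":
    # Against a live cluster: pipe `kubectl get daemonsets -A -o json` into this function.
    for ns, name, ver in find_vulnerable_hotpatch_daemonsets(SAMPLE_KUBECTL_JSON):
        print(f"NON-COMPLIANT {ns}/{name}: hot-patch DaemonSet version {ver}")
```

On the constructed sample only kube-system/log4j-hotpatch is reported; the staging copy carries a different tag and kube-proxy is not a hot-patch agent at all. Note that this is a presence check for the known-bad version, not proof that the RPM-based method has been applied to the node JVMs.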

Policy Details

Rule Reference ID: AC_K8S_0126
Remediation Available: No
Resource Category: Management
Resource Type: Daemonset

Frameworks