CVE-2021-3100

8.8 HIGH

📋 TL;DR

CVE-2021-3100 is a privilege escalation vulnerability in AWS's Apache Log4j hotpatch package. It allows attackers to gain elevated permissions by exploiting improper permission handling during the hotpatch process. This affects AWS users who deployed the vulnerable hotpatch to mitigate Log4Shell (CVE-2021-44228).

💻 Affected Systems

Products:
  • AWS Apache Log4j Hotpatch Package
Versions: before log4j-cve-2021-44228-hotpatch-1.1-13
Operating Systems: Amazon Linux 2, Amazon Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where the AWS Log4j hotpatch was deployed to mitigate CVE-2021-44228. Systems using other Log4j mitigation methods are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root/administrator privileges, allowing complete control over affected systems and potential lateral movement across the environment.

🟠 Likely Case

Privilege escalation from a lower-privileged user to root/administrator on systems running the vulnerable hotpatch, enabling further exploitation.

🟢 If Mitigated

Limited impact where access controls and monitoring are in place; the escalation path itself remains until the hotpatch is updated.

🌐 Internet-Facing: MEDIUM - Exploitation requires initial access to the system, but internet-facing systems with the hotpatch could be targeted after other vulnerabilities are exploited.
🏢 Internal Only: HIGH - Internal systems with the vulnerable hotpatch are at significant risk if attackers gain initial foothold through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires existing access to the system (local or remote shell). The vulnerability is in the hotpatch mechanism itself, making exploitation straightforward for attackers with initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: log4j-cve-2021-44228-hotpatch-1.1-13 or later

Vendor Advisory: https://alas.aws.amazon.com/AL2/ALAS-2021-1732.html

Restart Required: No

Instructions:

1. Update the hotpatch package: 'sudo yum update log4j-cve-2021-44228-hotpatch'
2. Verify the update completed successfully ('rpm -q log4j-cve-2021-44228-hotpatch' should report 1.1-13 or later)
3. No restart is required, as this is a hotpatch update

🔧 Temporary Workarounds

Remove vulnerable hotpatch

linux

Uninstall the vulnerable hotpatch package and use alternative Log4j mitigation methods

sudo yum remove log4j-cve-2021-44228-hotpatch

Apply proper permissions

linux

Manually set correct permissions on hotpatch files to match JVM permissions

sudo chmod 755 /usr/share/log4j-hotpatch/*
sudo chown root:root /usr/share/log4j-hotpatch/*

🧯 If You Can't Patch

  • Remove the hotpatch entirely and use Log4j version 2.17.0+ or apply JVM parameter mitigation (-Dlog4j2.formatMsgNoLookups=true)
  • Implement strict access controls and monitoring on systems with the vulnerable hotpatch, limiting who can execute processes

🔍 How to Verify

Check if Vulnerable:

Check the installed hotpatch version: 'rpm -q log4j-cve-2021-44228-hotpatch'. If the reported version-release is earlier than 1.1-13, the system is vulnerable. If the package is not installed, this CVE does not apply (the host was never hotpatched, though it may still need its own Log4Shell mitigation).

Check Version:

rpm -q log4j-cve-2021-44228-hotpatch

Verify Fix Applied:

Verify updated version: 'rpm -q log4j-cve-2021-44228-hotpatch' should show version 1.1-13 or later
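The two rpm checks above can be folded into one script that gives a pass/fail answer instead of a string to eyeball. The following POSIX shell script is an added example, not part of this advisory or of AWS's tooling: it parses the package string that 'rpm -q log4j-cve-2021-44228-hotpatch' prints, compares the version-release against the fixed 1.1-13, and also handles the "not installed" case. The sample package strings at the bottom are constructed for illustration; when rpm is present it additionally checks the live host.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether the installed
# log4j-cve-2021-44228-hotpatch package predates the fixed release 1.1-13.
# Input is the string printed by:  rpm -q log4j-cve-2021-44228-hotpatch
# e.g. "log4j-cve-2021-44228-hotpatch-1.1-12.amzn2.noarch"

FIXED_VERSION=1.1   # fixed version-release per the vendor advisory
FIXED_RELEASE=13

# Compare two dot-separated numeric strings; prints -1, 0 or 1.
cmp_dotted() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}        # missing component counts as 0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1;  return; fi
    done
    printf '%s\n' 0
}

# Returns 0 if the package string is a vulnerable hotpatch, 1 if it is
# fixed, 2 if the string is not a hotpatch package (e.g. "not installed").
hotpatch_is_vulnerable() {
    vr=${1#log4j-cve-2021-44228-hotpatch-}
    [ "$vr" = "$1" ] && return 2
    ver=${vr%%-*}                 # "1.1"
    rel=${vr#*-}; rel=${rel%%.*}  # "12" from "12.amzn2.noarch"
    case $(cmp_dotted "$ver" "$FIXED_VERSION") in
        -1) return 0 ;;           # older version: vulnerable
        1)  return 1 ;;           # newer version: fixed
    esac
    [ "$rel" -lt "$FIXED_RELEASE" ]
}

# Human-readable verdict for one package string.
report() {
    hotpatch_is_vulnerable "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "VULNERABLE: $1 (run: sudo yum update log4j-cve-2021-44228-hotpatch)" ;;
        1) echo "FIXED: $1" ;;
        *) echo "NOT APPLICABLE: hotpatch package not installed or unrecognised" ;;
    esac
}

# Constructed sample inputs (not real host output):
report "log4j-cve-2021-44228-hotpatch-1.1-12.amzn2.noarch"
report "log4j-cve-2021-44228-hotpatch-1.1-13.amzn2.noarch"
report "package log4j-cve-2021-44228-hotpatch is not installed"

# Live check when run on an RPM-based host such as Amazon Linux 2.
if command -v rpm >/dev/null 2>&1; then
    report "$(rpm -q log4j-cve-2021-44228-hotpatch 2>&1)"
fi
```

Exit status 2 from hotpatch_is_vulnerable is deliberately distinct from "fixed": a host without the package is out of scope for this CVE but, as the workaround section notes, still needs some other Log4Shell mitigation.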

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized privilege escalation attempts
  • Execution of hotpatch processes with unexpected permissions
  • System logs showing user privilege changes

Network Indicators:

  • Unusual outbound connections from systems with the hotpatch
  • Lateral movement attempts from affected systems

SIEM Query:

process.name:"log4j-hotpatch" AND user.name NOT IN ("root", "system")
