CVE-2022-33915

7.0 HIGH

📋 TL;DR

CVE-2022-33915 is a local privilege escalation vulnerability in Amazon AWS Apache Log4j hotpatch packages. It affects systems using AWS hotpatch versions before 1.3.5 to mitigate Log4Shell (CVE-2021-44228). Attackers can exploit a race condition to execute binaries with elevated privileges.

💻 Affected Systems

Products:
  • Amazon AWS Apache Log4j hotpatch package
Versions: before log4j-cve-2021-44228-hotpatch-1.3.5
Operating Systems: Linux systems running AWS hotpatch
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where AWS Log4j hotpatch is installed as temporary mitigation for CVE-2021-44228.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains root privileges on affected system, enabling complete system compromise, data theft, and lateral movement.

🟠

Likely Case

Local user escalates privileges to execute arbitrary code with higher permissions than intended.

🟢

If Mitigated

With proper patching, no privilege escalation is possible through this vector.

🌐 Internet-Facing: LOW - This requires local access to the system, not remote exploitation.
🏢 Internal Only: HIGH - Malicious insiders or compromised accounts with local access can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and winning a timing race between the hotpatch's observation of the target process path and its effective user ID check.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: log4j-cve-2021-44228-hotpatch-1.3.5 or later

Vendor Advisory: https://alas.aws.amazon.com/AL2/ALAS-2022-1806.html

Restart Required: No

Instructions:

1. Update the AWS hotpatch package to version 1.3.5 or later.
2. Apply the updated hotpatch to running Java processes.
3. Consider a full Log4j update to mitigate the underlying CVE-2021-44228.

🔧 Temporary Workarounds

Remove AWS hotpatch

Platform: linux

Uninstall AWS hotpatch package and apply proper Log4j updates

sudo yum remove log4j-cve-2021-44228-hotpatch
sudo apt-get remove log4j-cve-2021-44228-hotpatch

Restrict local user access

Platform: all

Limit local user accounts and implement least privilege

🧯 If You Can't Patch

  • Remove AWS hotpatch package entirely and rely on proper Log4j version updates
  • Implement strict access controls to limit local user privileges and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check installed hotpatch version: rpm -qa | grep log4j-cve-2021-44228-hotpatch or dpkg -l | grep log4j-cve-2021-44228-hotpatch

Check Version:

rpm -q log4j-cve-2021-44228-hotpatch || dpkg -s log4j-cve-2021-44228-hotpatch | grep Version

Verify Fix Applied:

Verify version is 1.3.5 or higher: rpm -q log4j-cve-2021-44228-hotpatch or dpkg -s log4j-cve-2021-44228-hotpatch | grep Version
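A script form of the version check above, added here as an example (it is not part of the advisory or of the AWS package): it queries rpm, then dpkg, for the hotpatch package and compares the installed version against 1.3.5 field by field, so that 1.10.0 is correctly treated as newer than 1.3.5.

```shell
#!/bin/sh
# Added example: report whether the installed AWS Log4j hotpatch package
# is older than the fixed version named in the advisory (1.3.5).
PKG="log4j-cve-2021-44228-hotpatch"
FIXED="1.3.5"

# version_lt A B: succeed (exit 0) when dotted version A is strictly older
# than B. Fields are compared numerically; a missing field counts as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai=$(printf '%s' "$ai" | tr -dc '0-9'); bi=$(printf '%s' "$bi" | tr -dc '0-9')
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1   # equal versions are not "less than"
}

# hotpatch_status VERSION: print "vulnerable" or "fixed" for a version string.
hotpatch_status() {
    if version_lt "$1" "$FIXED"; then echo vulnerable; else echo fixed; fi
}

# installed_version: print the upstream version from rpm or dpkg, or fail
# when the package is absent. Debian epochs ("1:") and revisions ("-1")
# are stripped so only the upstream version is compared.
installed_version() {
    v=$(rpm -q --qf '%{VERSION}\n' "$PKG" 2>/dev/null) ||
    v=$(dpkg-query -W -f '${Version}\n' "$PKG" 2>/dev/null) ||
    return 1
    v="${v#*:}"
    printf '%s\n' "${v%%-*}"
}

if v=$(installed_version); then
    printf '%s %s: %s (fixed in %s)\n' "$PKG" "$v" "$(hotpatch_status "$v")" "$FIXED"
else
    printf '%s is not installed on this host\n' "$PKG"
fi
```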

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts
  • Suspicious Java process execution patterns
  • Hotpatch script execution errors

Network Indicators:

  • Not applicable - local exploitation only

SIEM Query:

Process execution where parent process is hotpatch script and child process has elevated privileges
