Removal of log4j hotpatch (log4j-cve-2021-44228-hotpatch)

Note

AL2023 doesn't ship with the log4j-cve-2021-44228-hotpatch package.

In response to CVE-2021-44228, Amazon Linux released an RPM-packaged version of the Hotpatch for Apache Log4j for AL1 and AL2. In the announcement of the addition of the hotpatch to Amazon Linux, we noted that "Installing the hotpatch is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046."

The hotpatch was a mitigation to allow time to patch log4j. The first General Availability (GA) release of AL2023 was 15 months after CVE-2021-44228, thus AL2023 doesn't ship with the hotpatch (enabled or not).

Users running their own log4j versions on Amazon Linux should ensure that they have updated to versions not affected by CVE-2021-44228 or CVE-2021-45046.
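
One way to run that check on a host, as an added example that is not AWS or Amazon Linux code: the script inventories `log4j-core` JARs by file name and reports whether the AL1/AL2 hotpatch RPM is present. The function names are hypothetical, and the fixed-release thresholds (2.16.0, 2.12.2, 2.3.1) are an assumption taken from Apache's Log4j security page, not from this page.

```shell
#!/usr/bin/env bash
# Added example (not AWS code): inventory log4j-core JARs by file name and flag
# versions affected by CVE-2021-44228 or CVE-2021-45046.
# Assumption: fixed releases are 2.16.0, 2.12.2 and 2.3.1 per Apache's Log4j
# security page; this page does not list them.

# version_ge A B: succeeds when version A >= version B (GNU sort -V ordering).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# classify_log4j_version V: prints "fixed", "affected" or "unknown".
classify_log4j_version() {
  local v="$1"
  case "$v" in
    2.12.*) version_ge "$v" 2.12.2 && echo fixed || echo affected ;;
    2.3.*)  version_ge "$v" 2.3.1  && echo fixed || echo affected ;;
    2.*)    version_ge "$v" 2.16.0 && echo fixed || echo affected ;;
    *)      echo unknown ;;
  esac
}

# scan_log4j_jars DIR...: prints "<status> <version> <path>" per JAR found.
# File-name matching misses log4j classes shaded into fat JARs or WAR files.
scan_log4j_jars() {
  local jar base ver
  find "$@" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort |
  while IFS= read -r jar; do
    base="${jar##*/}"
    ver="${base#log4j-core-}"
    ver="${ver%.jar}"
    printf '%s %s %s\n' "$(classify_log4j_version "$ver")" "$ver" "$jar"
  done
}

# hotpatch_installed: succeeds when the AL1/AL2 hotpatch RPM named on this page
# is installed (always fails on hosts without rpm).
hotpatch_installed() {
  command -v rpm >/dev/null 2>&1 &&
    rpm -q log4j-cve-2021-44228-hotpatch >/dev/null 2>&1
}

# Usage: ./check-log4j.sh /opt /srv   (script name and paths are placeholders)
if [ "$#" -gt 0 ]; then
  hotpatch_installed && echo "hotpatch RPM installed; it does not replace updating log4j"
  scan_log4j_jars "$@"
fi
```

Any line starting with `affected` names a JAR to upgrade; applications that bundle log4j inside a fat JAR need their build manifests checked separately.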

AL2023 provides guidance on Updating AL2023 so that you can keep up to date with security patches. Security advisories are published on the Amazon Linux Security Center.
