Removal of log4j hotpatch (log4j-cve-2021-44228-hotpatch) - Amazon Linux 2023


Note

AL2023 doesn't ship with the log4j-cve-2021-44228-hotpatch package.

In response to CVE-2021-44228, Amazon Linux released an RPM-packaged version of the Hotpatch for Apache Log4j for AL1 and AL2. In the announcement of the addition of the hotpatch to Amazon Linux we noted that "Installing the hotpatch is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046."

The hotpatch was a stop-gap mitigation intended to buy time to update log4j itself. The first General Availability (GA) release of AL2023 came 15 months after CVE-2021-44228 was disclosed, so AL2023 doesn't ship the hotpatch at all, neither enabled nor disabled.

Users running their own log4j versions on Amazon Linux should ensure that they have updated to versions not affected by CVE-2021-44228 or CVE-2021-45046.
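Because AL2023 carries no hotpatch, the only protection is the log4j version actually deployed. The following POSIX sh script is an added example, not part of the Amazon Linux documentation: it reports whether log4j-core jars found under a directory are at a release that fixes CVE-2021-44228 and CVE-2021-45046. It assumes the version is readable from the jar filename (log4j-core-<version>.jar); shaded or renamed jars and pre-release suffixes are not handled, and the minimum fixed versions are the well-known Apache values per release line.

```shell
# Added example (not from the AL2023 documentation). With no hotpatch RPM on AL2023,
# this script reports whether log4j-core jars found under a directory are at a
# version that fixes CVE-2021-44228 and CVE-2021-45046. Versions are read from the
# jar filename (log4j-core-<version>.jar); shaded or renamed jars are not detected.
# Minimum fixed versions per Apache release line: 2.3.x (Java 6) -> 2.3.1,
# 2.12.x (Java 7) -> 2.12.2, any other 2.x -> 2.16.0.

# Compare two dotted versions: prints 0 if a == b, 1 if a > b, 2 if a < b.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"            # leading component of each
    [ "$a" = "$ai" ] && a="" || a="${a#*.}"  # drop it from the remainder
    [ "$b" = "$bi" ] && b="" || b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"             # 2.16 compares equal to 2.16.0
    [ "$ai" -gt "$bi" ] && { echo 1; return; }
    [ "$ai" -lt "$bi" ] && { echo 2; return; }
  done
  echo 0
}

# Return 0 when VERSION is at or above the fixed release of its branch.
log4j_version_ok() {
  case "$1" in
    2.3.*)  min=2.3.1 ;;
    2.12.*) min=2.12.2 ;;
    2.*)    min=2.16.0 ;;
    *)      return 1 ;;   # log4j 1.x or unparsable: never treat as fixed
  esac
  [ "$(vercmp "$1" "$min")" != 2 ]
}

# Print "OK <version> <path>" or "VULNERABLE <version> <path>" per jar under DIR.
# Returns 0 only when every jar found is at a fixed version.
scan_log4j_jars() {
  rc=0; oldifs="$IFS"; IFS='
'                                           # split find output on newlines only
  for jar in $(find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null); do
    v="${jar##*/log4j-core-}"; v="${v%.jar}"
    if log4j_version_ok "$v"; then echo "OK $v $jar"
    else echo "VULNERABLE $v $jar"; rc=1; fi
  done
  IFS="$oldifs"
  return $rc
}

# On an AL2023 host, after sourcing this file:
#   rpm -q log4j-cve-2021-44228-hotpatch   # expected: package not installed
#   scan_log4j_jars /opt                   # or wherever Java applications live
```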

AL2023 provides guidance on Updating AL2023 so that you can keep up to date with security patches. Security advisories are published on the Amazon Linux Security Center.