CVE-2022-0070 HIGH

CVE-2022-0070: Log4j hot patch package privilege escalation

Vendor Amazon Web Services
Product log4j-cve-2021-44228-hotpatch
Weakness CWE-250
Published April 19, 2022
Last update September 17, 2024

CVSS base score

8.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Incomplete fix for CVE-2021-3100. Starting with log4j-cve-2021-44228-hotpatch-1.1-16, the Apache Log4j hotpatch package explicitly mimics the Linux capabilities and cgroups of the target Java process that the hotpatch is applied to.

Key dates

02 Disclosure timeline

April 19, 2022 CVE published
September 17, 2024 Record updated