Approach to mitigate CVE-2021-44228 - Amazon EMR

Approach to mitigate CVE-2021-44228

Note

For Amazon EMR release 6.9.0 and later, all components installed by Amazon EMR that use Log4j libraries use Log4j version 2.17.1 or later.

Amazon EMR running on EC2

The issue discussed in CVE-2021-44228 is relevant to Apache Log4j core versions between 2.0.0 and 2.14.1 when processing inputs from untrusted sources. Amazon EMR clusters launched with Amazon EMR 5.x releases up to 5.34.0 and EMR 6.x releases up to Amazon EMR 6.5.0 include open-source frameworks such as Apache Hive, Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. However, many customers use the open-source frameworks installed on their Amazon EMR clusters to process and log inputs from untrusted sources.

We recommend that you apply the "Amazon EMR Bootstrap Action Solution for Log4j CVE-2021-44228" as described in the following section. This solution also addresses CVE-2021-45046.

Note

The bootstrap action scripts for Amazon EMR were updated on September 7, 2022 to include incremental bug fixes and improvements for Oozie. If you use Oozie, you should apply the updated Amazon EMR bootstrap action solution described in the following section.

Amazon EMR on EKS

If you use Amazon EMR on EKS with default configuration, you are not impacted by the issue described in CVE-2021-44228, and you do not have to apply the solution described in the Amazon EMR bootstrap action solution for Log4j CVE-2021-44228 & CVE-2021-45046section. For Amazon EMR on EKS, the Amazon EMR runtime for Spark uses Apache Log4j version 1.2.17. When using Amazon EMR on EKS you should not change the default setting for log4j.appender component to log.

Amazon EMR bootstrap action solution for Log4j CVE-2021-44228 & CVE-2021-45046

This solution provides an Amazon EMR bootstrap action that must be applied on your Amazon EMR clusters. For each Amazon EMR release, you will find a link to a bootstrap action script below. To apply this bootstrap action, you should complete the following steps:

  1. Copy the script that corresponds to your Amazon EMR release to a local S3 bucket in your AWS account. Please make sure that you are using a bootstrap script that is specific to your Amazon EMR release.

  2. Set up a bootstrap action for your EMR clusters to run the script copied to your S3 bucket as per instructions described in EMR documentation. If you have other bootstrap actions configured for your EMR clusters, please ensure that this script is set up as the first bootstrap action script to execute.

  3. Terminate existing EMR clusters, and launch new clusters with the bootstrap action script. AWS recommends that you test the bootstrap scripts in your test environment and validate your applications before applying it to your production environment. If you are not using the latest revision for an EMR minor release (for example, 6.3.0), you must use the latest revision (for example, 6.3.1), and then apply the solution discussed above.

CVE-2021-44228 & CVE-2021-45046 - Bootstrap Scripts for Amazon EMR Releases
Amazon EMR release number Script location Script release date
6.5.0
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.5.0-v2.sh
March 24, 2022
6.4.0
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.4.0-v2.sh
March 24, 2022
6.3.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.3.1-v2.sh
March 24, 2022
6.2.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.2.1-v2.sh
March 24, 2022
6.1.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.1.1-v2.sh
December 14, 2021
6.0.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.0.1-v2.sh
December 14, 2021
5.34.0
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.34.0-v2.sh
December 12, 2021
5.33.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.33.1-v2.sh
December 12, 2021
5.32.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.32.1-v2.sh
December 13, 2021
5.31.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.31.1-v2.sh
December 13, 2021
5.30.2
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.30.2-v2.sh
December 14, 2021
5.29.0
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.29.0-v2.sh
December 14, 2021
5.28.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.28.1-v2.sh
December 15, 2021
5.27.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.27.1-v2.sh
December 15, 2021
5.26.0
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.26.0-v2.sh
December 15, 2021
5.25.0
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.25.0-v2.sh
December 15, 2021
5.24.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.24.1-v2.sh
December 15, 2021
5.23.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.23.1-v2.sh
December 15, 2021
5.22.0
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.22.0-v2.sh
December 15, 2021
5.21.2
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.21.2-v2.sh
December 15, 2021
5.20.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.20.1-v2.sh
December 15, 2021
5.19.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.19.1-v2.sh
December 15, 2021
5.18.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.18.1-v2.sh
December 15, 2021
5.17.2
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.17.2-v2.sh
December 15, 2021
5.16.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.16.1-v2.sh
December 15, 2021
5.15.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.15.1-v2.sh
December 15, 2021
5.14.2
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.14.2-v2.sh
December 15, 2021
5.13.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.13.1-v2.sh
December 15, 2021
5.12.3
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.12.3-v2.sh
December 15, 2021
5.11.4
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.11.4-v2.sh
December 15, 2021
5.10.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.10.1-v2.sh
December 15, 2021
5.9.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.9.1-v2.sh
December 15, 2021
5.8.3
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.8.3-v2.sh
December 15, 2021
5.7.1
s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.7.1-v2.sh
December 15, 2021
EMR release version Latest revision as of December 2021
6.3.0 6.3.1
6.2.0 6.2.1
6.1.0 6.1.1
6.0.0 6.0.1
5.33.0 5.33.1
5.32.0 5.32.1
5.31.0 5.31.1
5.30.0 or 5.30.1 5.30.2
5.28.0 5.28.1
5.27.0 5.27.1
5.24.0 5.24.1
5.23.0 5.23.1
5.21.0 or 5.21.1 5.21.2
5.20.0 5.20.1
5.19.0 5.19.1
5.18.0 5.18.1
5.17.0 or 5.17.1 5.17.2
5.16.0 5.16.1
5.15.0 5.15.1
5.14.0 or 5.14.1 5.14.2
5.13.0 5.13.1
5.12.0, 5.12.1, 5.12.2 5.12.3
5.11.0, 5.11.1, 5.11.2, 5.11.3 5.11.4
5.9.0 5.9.1
5.8.0, 5.8.1, 5.8.2 5.8.3
5.7.0 5.7.1

Frequently asked questions

  • Are EMR releases older than EMR 5 impacted by CVE-2021-44228?

    No. EMR releases prior to EMR release 5 use Log4j versions older than 2.0.

  • Does this solution address CVE-2021-45046?

    Yes, this solution also addresses CVE-2021-45046.

  • Does the solution handle custom applications that I install on my EMR clusters?

    The bootstrap script only updates JAR files that are installed by EMR. If you install and run custom applications and JAR files on your EMR clusters through bootstrap actions, as steps submitted to your clusters, by using custom Amazon Linux AMI, or through any other mechanism, please work with your application vendor to determine if your custom applications are impacted by CVE-2021- 44228, and determine an appropriate solution.

  • How should I handle customized docker images with EMR on EKS?

    If you add custom applications to Amazon EMR on EKS using customized docker images or submit jobs to Amazon EMR on EKSwith custom application files, please work with the application vendor to determine if your custom applications are impacted by CVE-2021-44228, and determine an appropriate solution.

  • How does the bootstrap script work to mitigate the issue described in CVE-2021-44228 and CVE-2021-45046?

    The bootstrap script updates EMR startup instructions by adding a new set of instructions. These new instructions delete the JndiLookup class files used through Log4j by all open source frameworks installed by EMR. This follows the recommendation published by Apache for addressing the Log4j issues.

  • Is there an update to EMR that uses Log4j versions 2.17.1 or higher?

    EMR 5 releases up to release 5.34 and EMR 6 releases up to release 6.5 use older versions of open source frameworks that are incompatible with the latest versions of Log4j. If you continue to use these releases, we recommend that you apply the bootstrap action to mitigate the issues discussed in the CVEs. After EMR 5 release 5.34 and EMR 6 release 6.5, applications that use Log4j 1.x and Log4j 2.x will be upgraded to use Log4j 1.2.17 (or higher) and Log4j 2.17.1 (or higher) respectively, and will not require using the bootstrap actions provided above to mitigate the CVE issues.

  • Are EMR releases impacted by CVE-2021-45105?

    The applications installed by Amazon EMR with EMR’s default configurations are not impacted by CVE-2021-45105. Among applications installed by Amazon EMR, only Apache Hive uses Apache Log4j with context lookups, and it does not use non-default pattern layout in a manner that allows inappropriate input data to be processed.

  • Is Amazon EMR impacted by any of the following CVE disclosures?

    The following table contains a list of CVEs that are related to Log4j and notes whether each CVE impacts Amazon EMR. The information in this table only applies when applications are installed by Amazon EMR using the default configurations.

    CVE Impacts EMR Notes
    CVE-2022-23302 No Amazon EMR does not set up Log4j JMSSink
    CVE-2022-23305 No Amazon EMR does not set up Log4j JDBCAppender
    CVE-2022-23307 No Amazon EMR does not set up Log4j Chainsaw
    CVE-2020-9493 No Amazon EMR does not set up Log4j Chainsaw
    CVE-2021-44832 No Amazon EMR does not set up Log4j JDBCAppender with a JNDI connection string
    CVE-2021-4104 No Amazon EMR does not use Log4j JMSAppender
    CVE-2020-9488 No The applications that are installed by Amazon EMR do not use Log4j SMTPAppender
    CVE-2019-17571 No Amazon EMR blocks public access to clusters and does not launch SocketServer
    CVE-2019-17531 No We recommend that you upgrade to the latest Amazon EMR release version. Amazon EMR 5.33.0 and later use jackson-databind 2.6.7.4 or later, and EMR 6.1.0 and later use jackson-databind 2.10.0 or later. These versions of jackson-databind are not impacted by the CVE.