Approach to mitigate CVE-2021-44228 - Amazon EMR

Approach to mitigate CVE-2021-44228

Amazon EMR running on EC2

The issue discussed in CVE-2021-44228 is relevant to Apache log4j-core versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 releases up to 5.34 and EMR 6 releases up to EMR 6.5 include open source frameworks such as Apache Hive, Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. Many customers use the open source frameworks installed on their EMR clusters to process and log inputs from untrusted sources. Therefore, AWS recommends that you apply the "EMR Bootstrap Action Solution for Log4j CVE-2021-44228" as described in the subsequent section. This solution also addresses CVE-2021-45046.

Amazon EMR on EKS

If you use Amazon EMR on EKS with the default configuration, you are not impacted by the issue described in CVE-2021-44228, and you do not have to apply the solution described below under "EMR Bootstrap Action Solution for Log4j CVE-2021-44228". For EMR on EKS, the EMR Runtime for Spark uses Apache Log4j version 1.2.17. When using Amazon EMR on EKS you should not change EMR's default setting for log4j.appender.<component to log>.

EMR bootstrap action solution for Log4j CVE-2021-44228 & CVE-2021-45046

This solution provides an EMR bootstrap action that must be applied on your EMR clusters. For each EMR release, you will find a link to a bootstrap action script below. To apply this bootstrap action, you should complete the following steps:

  1. Copy the script that corresponds to your EMR release to a local S3 bucket in your AWS account. Please make sure that you are using a bootstrap script that is specific to your EMR release.

  2. Set up a bootstrap action for your EMR clusters to run the script copied to your S3 bucket as per instructions described in EMR documentation. If you have other bootstrap actions configured for your EMR clusters, please ensure that this script is set up as the first bootstrap action script to execute.

  3. Terminate existing EMR clusters, and launch new clusters with the bootstrap action script. AWS recommends that you test the bootstrap scripts in your test environment and validate your applications before applying them to your production environment. If you are not using the latest revision for an EMR minor release (for example, 6.3.0), you must use the latest revision (for example, 6.3.1), and then apply the solution discussed above.
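The three steps above, worked through as an added example (this is not AWS's code or the bootstrap script itself): the two tables on this page are encoded as data, an older revision such as 6.3.0 is resolved to the latest revision (6.3.1) that has a script, and a boto3 `run_job_flow` request is assembled with the patch as the first bootstrap action. The bucket name, the key layout under your bucket, the instance sizing and the IAM role names are placeholders or assumptions; the copy and launch calls only run when boto3 is installed and `LAUNCH_EMR=1` is set.

```python
"""Assemble an Amazon EMR run_job_flow request that runs the Log4j patch as
its first bootstrap action. Added example; the release tables come from this
page, the bucket, key layout, sizing and role names are placeholders."""
import json
import os

SCRIPT_TEMPLATE = "s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-{release}-v1.sh"

# Releases with a published patch script (first table on the page).
PATCHED_RELEASES = set(
    "6.5.0 6.4.0 6.3.1 6.2.1 6.1.1 6.0.1 5.34.0 5.33.1 5.32.1 5.31.1 5.30.2 "
    "5.29.0 5.28.1 5.27.1 5.26.0 5.25.0 5.24.1 5.23.1 5.22.0 5.21.2 5.20.1 "
    "5.19.1 5.18.1 5.17.2 5.16.1 5.15.1 5.14.2 5.13.1 5.12.3 5.11.4 5.10.1 "
    "5.9.1 5.8.3 5.7.1".split()
)

# Latest revision -> older revisions it supersedes (second table on the page).
_SUPERSEDED = {
    "6.3.1": "6.3.0", "6.2.1": "6.2.0", "6.1.1": "6.1.0", "6.0.1": "6.0.0",
    "5.33.1": "5.33.0", "5.32.1": "5.32.0", "5.31.1": "5.31.0",
    "5.30.2": "5.30.0 5.30.1", "5.28.1": "5.28.0", "5.27.1": "5.27.0",
    "5.24.1": "5.24.0", "5.23.1": "5.23.0", "5.21.2": "5.21.0 5.21.1",
    "5.20.1": "5.20.0", "5.19.1": "5.19.0", "5.18.1": "5.18.0",
    "5.17.2": "5.17.0 5.17.1", "5.16.1": "5.16.0", "5.15.1": "5.15.0",
    "5.14.2": "5.14.0 5.14.1", "5.13.1": "5.13.0",
    "5.12.3": "5.12.0 5.12.1 5.12.2", "5.11.4": "5.11.0 5.11.1 5.11.2 5.11.3",
    "5.9.1": "5.9.0", "5.8.3": "5.8.0 5.8.1 5.8.2", "5.7.1": "5.7.0",
}
LATEST_REVISION = {old: new for new, olds in _SUPERSEDED.items() for old in olds.split()}


def resolve_release(release: str) -> str:
    """Return the release that has a patch script for the given one, moving an
    older revision (6.3.0) to its latest revision (6.3.1) as step 3 requires.
    Accepts "6.3.0" or the label form "emr-6.3.0"; rejects unpatched releases."""
    version = release[4:] if release.startswith("emr-") else release
    version = LATEST_REVISION.get(version, version)
    if version not in PATCHED_RELEASES:
        raise ValueError(f"no Log4j bootstrap script is published for EMR {release}")
    return version


def patch_script_source(release: str) -> str:
    """S3 location of the AWS-published script for this release."""
    return SCRIPT_TEMPLATE.format(release=resolve_release(release))


def patch_script_copy(release: str, bucket: str) -> str:
    """Where step 1 puts the copy in your own bucket (the key layout is an assumption)."""
    filename = patch_script_source(release).rsplit("/", 1)[1]
    return f"s3://{bucket}/bootstrap-actions/log4j/{filename}"


def build_run_job_flow_request(release, bucket, other_actions=(), applications=("Hive", "Spark")):
    """Keyword arguments for boto3's emr.run_job_flow: the patch is first in
    BootstrapActions (step 2) and the release label is the latest revision (step 3)."""
    version = resolve_release(release)
    patch_action = {
        "Name": "patch-log4j-cve-2021-44228",
        "ScriptBootstrapAction": {"Path": patch_script_copy(version, bucket), "Args": []},
    }
    patch_path = patch_action["ScriptBootstrapAction"]["Path"]
    others = [a for a in other_actions if a["ScriptBootstrapAction"]["Path"] != patch_path]
    return {
        "Name": f"emr-{version}-log4j-patched",
        "ReleaseLabel": f"emr-{version}",
        "Applications": [{"Name": app} for app in applications],
        "BootstrapActions": [patch_action, *others],
        "Instances": {  # placeholder sizing; adjust for your workload
            "InstanceGroups": [
                {"Name": "primary", "InstanceRole": "MASTER", "InstanceType": "m5.xlarge", "InstanceCount": 1},
                {"Name": "core", "InstanceRole": "CORE", "InstanceType": "m5.xlarge", "InstanceCount": 2},
            ],
            "KeepJobFlowAliveWhenNoSteps": True,
        },
        "JobFlowRole": "EMR_EC2_DefaultRole",  # default role names; use your own
        "ServiceRole": "EMR_DefaultRole",
    }


if __name__ == "__main__":
    release, bucket = "6.3.0", "example-bootstrap-bucket"  # placeholders
    request = build_run_job_flow_request(release, bucket)
    print(json.dumps(request, indent=2))
    if os.environ.get("LAUNCH_EMR") == "1":  # needs boto3 and AWS credentials
        import boto3
        src_bucket, src_key = patch_script_source(release)[len("s3://"):].split("/", 1)
        dst_key = patch_script_copy(release, bucket)[len("s3://"):].split("/", 1)[1]
        boto3.client("s3").copy_object(Bucket=bucket, Key=dst_key,
                                       CopySource={"Bucket": src_bucket, "Key": src_key})
        print(boto3.client("emr").run_job_flow(**request)["JobFlowId"])
```

Passing `build_run_job_flow_request("6.3.0", ...)` yields `ReleaseLabel` `emr-6.3.1`, because step 3 requires the latest revision before the script is applied; a release with no published script (anything before 5.7, or a release newer than the tables) raises instead of silently launching an unpatched cluster. Any existing bootstrap actions you pass in are kept, but after the patch action.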

CVE-2021-44228 & CVE-2021-45046 - Bootstrap Scripts for EMR Releases

| Amazon EMR release version | Script location | Script release date |
|---|---|---|
| 6.5.0 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.5.0-v1.sh | December 12, 2021 |
| 6.4.0 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.4.0-v1.sh | December 12, 2021 |
| 6.3.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.3.1-v1.sh | December 13, 2021 |
| 6.2.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.2.1-v1.sh | December 13, 2021 |
| 6.1.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.1.1-v1.sh | December 14, 2021 |
| 6.0.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.0.1-v1.sh | December 14, 2021 |
| 5.34.0 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.34.0-v1.sh | December 12, 2021 |
| 5.33.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.33.1-v1.sh | December 12, 2021 |
| 5.32.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.32.1-v1.sh | December 13, 2021 |
| 5.31.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.31.1-v1.sh | December 13, 2021 |
| 5.30.2 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.30.2-v1.sh | December 14, 2021 |
| 5.29.0 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.29.0-v1.sh | December 14, 2021 |
| 5.28.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.28.1-v1.sh | December 15, 2021 |
| 5.27.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.27.1-v1.sh | December 15, 2021 |
| 5.26.0 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.26.0-v1.sh | December 15, 2021 |
| 5.25.0 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.25.0-v1.sh | December 15, 2021 |
| 5.24.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.24.1-v1.sh | December 15, 2021 |
| 5.23.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.23.1-v1.sh | December 15, 2021 |
| 5.22.0 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.22.0-v1.sh | December 15, 2021 |
| 5.21.2 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.21.2-v1.sh | December 15, 2021 |
| 5.20.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.20.1-v1.sh | December 15, 2021 |
| 5.19.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.19.1-v1.sh | December 15, 2021 |
| 5.18.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.18.1-v1.sh | December 15, 2021 |
| 5.17.2 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.17.2-v1.sh | December 15, 2021 |
| 5.16.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.16.1-v1.sh | December 15, 2021 |
| 5.15.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.15.1-v1.sh | December 15, 2021 |
| 5.14.2 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.14.2-v1.sh | December 15, 2021 |
| 5.13.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.13.1-v1.sh | December 15, 2021 |
| 5.12.3 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.12.3-v1.sh | December 15, 2021 |
| 5.11.4 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.11.4-v1.sh | December 15, 2021 |
| 5.10.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.10.1-v1.sh | December 15, 2021 |
| 5.9.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.9.1-v1.sh | December 15, 2021 |
| 5.8.3 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.8.3-v1.sh | December 15, 2021 |
| 5.7.1 | s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.7.1-v1.sh | December 15, 2021 |

| EMR release version | Latest revision as of December 2021 |
|---|---|
| 6.3.0 | 6.3.1 |
| 6.2.0 | 6.2.1 |
| 6.1.0 | 6.1.1 |
| 6.0.0 | 6.0.1 |
| 5.33.0 | 5.33.1 |
| 5.32.0 | 5.32.1 |
| 5.31.0 | 5.31.1 |
| 5.30.0 or 5.30.1 | 5.30.2 |
| 5.28.0 | 5.28.1 |
| 5.27.0 | 5.27.1 |
| 5.24.0 | 5.24.1 |
| 5.23.0 | 5.23.1 |
| 5.21.0 or 5.21.1 | 5.21.2 |
| 5.20.0 | 5.20.1 |
| 5.19.0 | 5.19.1 |
| 5.18.0 | 5.18.1 |
| 5.17.0 or 5.17.1 | 5.17.2 |
| 5.16.0 | 5.16.1 |
| 5.15.0 | 5.15.1 |
| 5.14.0 or 5.14.1 | 5.14.2 |
| 5.13.0 | 5.13.1 |
| 5.12.0, 5.12.1, 5.12.2 | 5.12.3 |
| 5.11.0, 5.11.1, 5.11.2, 5.11.3 | 5.11.4 |
| 5.9.0 | 5.9.1 |
| 5.8.0, 5.8.1, 5.8.2 | 5.8.3 |
| 5.7.0 | 5.7.1 |

Frequently asked questions

  1. Are EMR releases older than EMR 5 impacted by CVE-2021-44228?

    No. EMR releases prior to EMR release 5 use Log4j versions older than 2.0.

  2. Does this solution address CVE-2021-45046?

    Yes, this solution also addresses CVE-2021-45046.

  3. Does the solution handle custom applications that I install on my EMR clusters?

    The bootstrap script only updates JAR files that are installed by EMR. If you install and run custom applications and JAR files on your EMR clusters through bootstrap actions, as steps submitted to your clusters, by using a custom Amazon Linux AMI, or through any other mechanism, please work with your application vendor to determine if your custom applications are impacted by CVE-2021-44228, and determine an appropriate solution.

  4. How should I handle customized docker images with EMR on EKS?

    If you add custom applications to Amazon EMR on EKS using customized docker images or submit jobs to Amazon EMR on EKS with custom application files, please work with the application vendor to determine if your custom applications are impacted by CVE-2021-44228, and determine an appropriate solution.

  5. How does the bootstrap script work to mitigate the issue described in CVE-2021-44228 and CVE-2021-45046?

    The bootstrap script updates EMR startup instructions by adding a new set of instructions. These new instructions delete the JndiLookup class files used through Log4j by all open source frameworks installed by EMR. This follows the recommendation published by Apache for addressing the Log4j issues.
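The following is an added example, not the AWS bootstrap script, of how to verify on a node that the class removal described above actually took effect, and of the gap it does not cover: it walks a directory tree, reports every archive that still contains `org/apache/logging/log4j/core/lookup/JndiLookup.class` (descending into jars bundled inside fat or shaded jars, which a plain `zip -d` on the outer file would miss), and can rewrite a top-level jar without that entry, which is what the Apache class-removal recommendation amounts to. The sample jars it builds for its self-check are constructed with placeholder bytes, not real bytecode, and the default scan root `/usr/lib` is an assumption.

```python
"""Scan a directory tree for archives that still ship Log4j's JndiLookup class
and remove it from top-level jars. Added example; not AWS's bootstrap script."""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".zip")


def _jndi_entries(zf: zipfile.ZipFile, prefix: str = "") -> list:
    """Paths of every JndiLookup.class inside zf, using 'outer.jar!/' prefixes
    for classes found in jars nested inside this archive (shaded or fat jars)."""
    found = []
    for name in zf.namelist():
        if name == JNDI_LOOKUP:
            found.append(prefix + name)
        elif name.endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    found.extend(_jndi_entries(inner, prefix + name + "!/"))
            except zipfile.BadZipFile:
                pass  # an entry named *.jar that is not actually a zip archive
    return found


def jar_jndi_entries(jar_path: str) -> list:
    """All JndiLookup.class entries in one archive, at any nesting depth."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return _jndi_entries(zf)
    except zipfile.BadZipFile:
        return []


def find_exposed_jars(root: str) -> list:
    """Sorted paths of archives under root that still contain JndiLookup.class."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                if jar_jndi_entries(path):
                    hits.append(path)
    return sorted(hits)


def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite jar_path without its top-level JndiLookup.class entry (the
    effect of `zip -q -d <jar> <entry>`). Returns True if an entry was removed.
    Nested jars are only reported by find_exposed_jars, not rewritten here."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        tmp = jar_path + ".tmp"
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))  # keeps per-entry compression
    os.replace(tmp, jar_path)
    return True


def make_sample_jar(path: str, include_jndi: bool, nested_jar: bytes = None) -> None:
    """Write a constructed jar: entry names only, placeholder bytes, no bytecode."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/example/App.class", b"constructed placeholder")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"constructed placeholder, not bytecode")
        if nested_jar is not None:
            zf.writestr("lib/log4j-core-2.14.1.jar", nested_jar)


def self_check() -> tuple:
    """Build three constructed jars in a temp dir, scan, strip one, rescan.
    Returns (exposed_before, stripped, exposed_after); the fat jar stays exposed."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "usr", "lib", "hive", "lib")
    make_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), include_jndi=True)
    make_sample_jar(os.path.join(lib, "clean.jar"), include_jndi=False)
    inner = io.BytesIO()  # fat jar: the class sits one level down
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"constructed placeholder")
    make_sample_jar(os.path.join(lib, "fat-app.jar"), include_jndi=False, nested_jar=inner.getvalue())
    before = find_exposed_jars(root)
    stripped = strip_jndi_lookup(os.path.join(lib, "log4j-core-2.14.1.jar"))
    after = find_exposed_jars(root)
    return (len(before), stripped, len(after))


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib"  # assumed default
    for jar in find_exposed_jars(scan_root):
        print(jar, jar_jndi_entries(jar))
```

Run it with a directory argument on a patched node to confirm nothing is reported; `self_check()` returns `(2, True, 1)` because the plain log4j-core jar and the fat jar both start exposed, only the plain one is rewritten, and the fat jar remains, which is the case the FAQ's answer about custom applications and JARs points at: those have to be handled with the application vendor rather than by the EMR script.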

  6. Is there an update to EMR that uses Log4j versions 2.17.1 or higher?

    EMR 5 releases up to release 5.34 and EMR 6 releases up to release 6.5 use older versions of open source frameworks that are incompatible with the latest versions of Log4j. If you continue to use these releases, we recommend that you apply the bootstrap action to mitigate the issues discussed in the CVEs. After EMR 5 release 5.34 and EMR 6 release 6.5, applications that use Log4j 1.x and Log4j 2.x will be upgraded to use Log4j 1.2.17 (or higher) and Log4j 2.17.1 (or higher) respectively, and will not require using the bootstrap actions provided above to mitigate the CVE issues.

  7. Are EMR releases impacted by CVE-2021-45105?

    The applications installed by Amazon EMR with EMR’s default configurations are not impacted by CVE-2021-45105. Among applications installed by Amazon EMR, only Apache Hive uses Apache Log4j with context lookups, and it does not use non-default pattern layout in a manner that allows inappropriate input data to be processed.