CVE-2022-0070 Incomplete fix for CVE-2021-3100

This will ensure that the target JVMs are isolated from each other and that the hotpatch cannot be applied to a process that is already vulnerable to a different type of vulnerability. For example, this change will prevent a hotpatch from being applied to a target JVM that is already exploited via a different path such as RCE or XXE. The hotpatch will now be applied to all new Java processes, regardless of the path they are exploited through. In addition, the hotpatch now consumes its own log4j.properties file, rather than using the original non-hotpatch log4j.properties file. This will ensure that the hotpatching log4j.properties file is not included in an exploit chain and therefore cannot be used to determine whether a target Java process is already vulnerable to a certain type of vulnerability.

New Logging Configuration Files

The new logging configuration files for the hotpatch can be found in the "target" and "host" folders of the patch. The following example shows how to configure the log4j.properties file for a target Java process:
log4j.appender.A1=org.apache.log4j.DailyRollingFileAppender
log4j.appender.A1.

Further Reading

For more information on this issue and how to resolve it, please refer to the following article: "CVE-2022-0070: Hotpatching of Java Processes Using Log4j.properties File"

Security vulnerabilities in the Java Runtime Environment (JRE) have been a problem since its release nine years ago. In response, Oracle has introduced the Hot Patch technique to prevent exploitation of JRE vulnerabilities. This blog post discusses how hotpatching affects target processes that are already vulnerable to a different type of vulnerability and how the change addresses this issue.
The hotpatch technique has been introduced as part of CVE-2022-0070. This is a security vulnerability that requires an update for the Java Runtime Environment (JRE) or the Java Development Kit (JDK).
A brief description of CVE-2022-0070 from Oracle's website is as follows: "This will ensure that the target JVMs are isolated from each other and that the hotpatch cannot be applied to a process that is already vulnerable to a different type of vulnerability. For example, this change will prevent a hotpatch from being applied to a target JVM that is already exploited via a different path such as RCE or XXE."
Oracle also states in their document that "The hotfix will now be applied to all new Java processes, regardless of the path they are exploited through." The change no longer allows for targeting specific processes with a hot patch since any process can