In an environment that has more than 100 Lambda functions using the Java 8 runtime, how can I quickly check whether any of the Lambdas is using a vulnerable Log4j 2 version?
CodePudding user response:
It is most likely that AWS has already got you covered.
From https://aws.amazon.com/security/security-bulletins/AWS-2021-006/:
AWS Lambda
AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228 and CVE-2021-45046.
For cases where a customer function includes an impacted Log4j2 version, we have applied a change to the Lambda Java managed runtimes and base container images (Java 8, Java 8 on AL2, and Java 11) that helps to mitigate the issues in CVE-2021-44228 and CVE-2021-45046. Customers using managed runtimes will have the change applied automatically.
Customers using container images will need to rebuild from the latest base container image, and redeploy.
Independent of this change, we strongly encourage all customers whose functions include Log4j2 to update to the latest version. Specifically, customers using the aws-lambda-java-log4j2 library in their functions should update to version 1.4.0 and redeploy their functions. This version updates the underlying Log4j2 utility dependencies to version 2.16.0. The updated aws-lambda-java-log4j2 binary is available at the Maven repository and its source code is available in Github.
CodePudding user response:
It will be much easier to examine your build scripts and their output, but assuming that you can't do that ...
To check your existing functions, you'll need to download the function code. If you run aws lambda get-function you should see a Code element, with a URL that points to an AWS server (for example, prod-04-2014-tasks.s3.us-east-1.amazonaws.com). This is a public URL, and you can use wget or curl to download the Lambda's deployment bundle from it.
Then, unpack the deployment bundle. If it contains JAR files, simply look for the presence of a vulnerable Log4J version.
If, however, it's an "uberjar", which just contains classfiles, then you'll need to look at the date on the file MessagePatternConverter.class. If it's before 2021-12-05 then you are vulnerable. Look for a date of 2021-12-20 to get the latest version (2.17.0).