Amazon EMR bootstrap action solution for Log4j CVE-2021-44228 & CVE-2021-45046 Frequently asked questions

Approach to mitigate CVE-2021-44228

Note

For Amazon EMR release 6.9.0 and later, all components installed by Amazon EMR that use Log4j libraries use Log4j version 2.17.1 or later.

Amazon EMR running on EC2

The issue discussed in CVE-2021-44228 is relevant to Apache Log4j core versions between 2.0.0 and 2.14.1 when processing inputs from untrusted sources. Amazon EMR clusters launched with Amazon EMR 5.x releases up to 5.34.0 and EMR 6.x releases up to Amazon EMR 6.5.0 include open-source frameworks such as Apache Hive, Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. However, many customers use the open-source frameworks installed on their Amazon EMR clusters to process and log inputs from untrusted sources.

We recommend that you apply the "Amazon EMR Bootstrap Action Solution for Log4j CVE-2021-44228" as described in the following section. This solution also addresses CVE-2021-45046.

Note

The bootstrap action scripts for Amazon EMR were updated on September 7, 2022 to include incremental bug fixes and improvements for Oozie. If you use Oozie, you should apply the updated Amazon EMR bootstrap action solution described in the following section.

Amazon EMR on EKS

If you use Amazon EMR on EKS with default configuration, you are not impacted by the issue described in CVE-2021-44228, and you do not have to apply the solution described in the Amazon EMR bootstrap action solution for Log4j CVE-2021-44228 & CVE-2021-45046section. For Amazon EMR on EKS, the Amazon EMR runtime for Spark uses Apache Log4j version 1.2.17. When using Amazon EMR on EKS you should not change the default setting for log4j.appender component to log.

Amazon EMR bootstrap action solution for Log4j CVE-2021-44228 & CVE-2021-45046

This solution provides an Amazon EMR bootstrap action that must be applied on your Amazon EMR clusters. For each Amazon EMR release, you will find a link to a bootstrap action script below. To apply this bootstrap action, you should complete the following steps:

Copy the script that corresponds to your Amazon EMR release to a local S3 bucket in your Amazon Web Services account. Please make sure that you are using a bootstrap script that is specific to your Amazon EMR release.
Set up a bootstrap action for your EMR clusters to run the script copied to your S3 bucket as per instructions described in EMR documentation. If you have other bootstrap actions configured for your EMR clusters, please ensure that this script is set up as the first bootstrap action script to execute.
Terminate existing EMR clusters, and launch new clusters with the bootstrap action script. Amazon recommends that you test the bootstrap scripts in your test environment and validate your applications before applying it to your production environment. If you are not using the latest revision for an EMR minor release (for example, 6.3.0), you must use the latest revision (for example, 6.3.1), and then apply the solution discussed above.

CVE-2021-44228 & CVE-2021-45046 - Bootstrap Scripts for Amazon EMR Releases
Amazon EMR release number	Script location	Script release date
6.5.0	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.5.0-v2.sh`	March 24, 2022
6.4.0	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.4.0-v2.sh`	March 24, 2022
6.3.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.3.1-v2.sh`	March 24, 2022
6.2.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.2.1-v2.sh`	March 24, 2022
6.1.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.1.1-v2.sh`	December 14, 2021
6.0.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-6.0.1-v2.sh`	December 14, 2021
5.34.0	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.34.0-v2.sh`	December 12, 2021
5.33.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.33.1-v2.sh`	December 12, 2021
5.32.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.32.1-v2.sh`	December 13, 2021
5.31.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.31.1-v2.sh`	December 13, 2021
5.30.2	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.30.2-v2.sh`	December 14, 2021
5.29.0	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.29.0-v2.sh`	December 14, 2021
5.28.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.28.1-v2.sh`	December 15, 2021
5.27.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.27.1-v2.sh`	December 15, 2021
5.26.0	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.26.0-v2.sh`	December 15, 2021
5.25.0	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.25.0-v2.sh`	December 15, 2021
5.24.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.24.1-v2.sh`	December 15, 2021
5.23.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.23.1-v2.sh`	December 15, 2021
5.22.0	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.22.0-v2.sh`	December 15, 2021
5.21.2	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.21.2-v2.sh`	December 15, 2021
5.20.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.20.1-v2.sh`	December 15, 2021
5.19.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.19.1-v2.sh`	December 15, 2021
5.18.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.18.1-v2.sh`	December 15, 2021
5.17.2	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.17.2-v2.sh`	December 15, 2021
5.16.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.16.1-v2.sh`	December 15, 2021
5.15.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.15.1-v2.sh`	December 15, 2021
5.14.2	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.14.2-v2.sh`	December 15, 2021
5.13.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.13.1-v2.sh`	December 15, 2021
5.12.3	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.12.3-v2.sh`	December 15, 2021
5.11.4	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.11.4-v2.sh`	December 15, 2021
5.10.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.10.1-v2.sh`	December 15, 2021
5.9.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.9.1-v2.sh`	December 15, 2021
5.8.3	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.8.3-v2.sh`	December 15, 2021
5.7.1	`s3://elasticmapreduce/bootstrap-actions/log4j/patch-log4j-emr-5.7.1-v2.sh`	December 15, 2021

EMR release version	Latest revision as of December 2021
6.3.0	6.3.1
6.2.0	6.2.1
6.1.0	6.1.1
6.0.0	6.0.1
5.33.0	5.33.1
5.32.0	5.32.1
5.31.0	5.31.1
5.30.0 or 5.30.1	5.30.2
5.28.0	5.28.1
5.27.0	5.27.1
5.24.0	5.24.1
5.23.0	5.23.1
5.21.0 or 5.21.1	5.21.2
5.20.0	5.20.1
5.19.0	5.19.1
5.18.0	5.18.1
5.17.0 or 5.17.1	5.17.2
5.16.0	5.16.1
5.15.0	5.15.1
5.14.0 or 5.14.1	5.14.2
5.13.0	5.13.1
5.12.0, 5.12.1, 5.12.2	5.12.3
5.11.0, 5.11.1, 5.11.2, 5.11.3	5.11.4
5.9.0	5.9.1
5.8.0, 5.8.1, 5.8.2	5.8.3
5.7.0	5.7.1

Frequently asked questions

Are EMR releases older than EMR 5 impacted by CVE-2021-44228?

No. EMR releases prior to EMR release 5 use Log4j versions older than 2.0.
Does this solution address CVE-2021-45046?

Yes, this solution also addresses CVE-2021-45046.
Does the solution handle custom applications that I install on my EMR clusters?

The bootstrap script only updates JAR files that are installed by EMR. If you install and run custom applications and JAR files on your EMR clusters through bootstrap actions, as steps submitted to your clusters, by using custom Amazon Linux AMI, or through any other mechanism, please work with your application vendor to determine if your custom applications are impacted by CVE-2021- 44228, and determine an appropriate solution.
How should I handle customized docker images with EMR on EKS?

If you add custom applications to Amazon EMR on EKS using customized docker images or submit jobs to Amazon EMR on EKSwith custom application files, please work with the application vendor to determine if your custom applications are impacted by CVE-2021-44228, and determine an appropriate solution.
How does the bootstrap script work to mitigate the issue described in CVE-2021-44228 and CVE-2021-45046?

The bootstrap script updates EMR startup instructions by adding a new set of instructions. These new instructions delete the JndiLookup class files used through Log4j by all open source frameworks installed by EMR. This follows the recommendation published by Apache for addressing the Log4j issues.
Is there an update to EMR that uses Log4j versions 2.17.1 or higher?

EMR 5 releases up to release 5.34 and EMR 6 releases up to release 6.5 use older versions of open source frameworks that are incompatible with the latest versions of Log4j. If you continue to use these releases, we recommend that you apply the bootstrap action to mitigate the issues discussed in the CVEs. After EMR 5 release 5.34 and EMR 6 release 6.5, applications that use Log4j 1.x and Log4j 2.x will be upgraded to use Log4j 1.2.17 (or higher) and Log4j 2.17.1 (or higher) respectively, and will not require using the bootstrap actions provided above to mitigate the CVE issues.
Are EMR releases impacted by CVE-2021-45105?

The applications installed by Amazon EMR with EMR’s default configurations are not impacted by CVE-2021-45105. Among applications installed by Amazon EMR, only Apache Hive uses Apache Log4j with context lookups, and it does not use non-default pattern layout in a manner that allows inappropriate input data to be processed.

Is Amazon EMR impacted by any of the following CVE disclosures?

The following table contains a list of CVEs that are related to Log4j and notes whether each CVE impacts Amazon EMR. The information in this table only applies when applications are installed by Amazon EMR using the default configurations.

CVE	Impacts EMR	Notes
CVE-2022-23302	No	Amazon EMR does not set up Log4j JMSSink
CVE-2022-23305	No	Amazon EMR does not set up Log4j JDBCAppender
CVE-2022-23307	No	Amazon EMR does not set up Log4j Chainsaw
CVE-2020-9493	No	Amazon EMR does not set up Log4j Chainsaw
CVE-2021-44832	No	Amazon EMR does not set up Log4j JDBCAppender with a JNDI connection string
CVE-2021-4104	No	Amazon EMR does not use Log4j JMSAppender
CVE-2020-9488	No	The applications that are installed by Amazon EMR do not use Log4j SMTPAppender
CVE-2019-17571	No	Amazon EMR blocks public access to clusters and does not launch SocketServer
CVE-2019-17531	No	We recommend that you upgrade to the latest Amazon EMR release version. Amazon EMR 5.33.0 and later use jackson-databind 2.6.7.4 or later, and EMR 6.1.0 and later use jackson-databind 2.10.0 or later. These versions of jackson-databind are not impacted by the CVE.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

What's new?