Removal of log4j hotpatch (log4j-cve-2021-44228-hotpatch) - Amazon Linux 2023
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Removal of log4j hotpatch (log4j-cve-2021-44228-hotpatch)

Note

AL2023 doesn't ship with the log4j-cve-2021-44228-hotpatch package.

In response to CVE-2021-44228, Amazon Linux released an RPM packaged version of the Hotpatch for Apache Log4j for AL1 and AL2. In the announcement of the addition of the hotpatch to Amazon Linux we noted that "Installing the hotpatch is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046.".

The hotpatch was a mitigation to allow time to patch log4j. The first General Availability (GA) release of AL2023 was 15 months after CVE-2021-44228, thus AL2023 doesn't ship with the hotpatch (enabled or not).

Users running their own log4j versions on Amazon Linux should ensure that they have updated to versions not affected by CVE-2021-44228 or CVE-2021-45046.

AL2023 provides guidance on Updating AL2023 so that you can keep up to date with security patches. Security advisories are published on the Amazon Linux Security Center.