Tags: amazon-web-services, security, log4j, aws-glue

AWSGlueETL depends on log4j versions affected by the security vulnerability `CVE-2021-44228`


Since I had been notified about the log4j security vulnerabilities, I researched whether my applications were affected. I discovered that AWSGlueETL, which is introduced here, depends on log4j versions with these security vulnerabilities. Its pom.xml includes the definitions below.

    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.4.1</version>
    </dependency>

    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.4.1</version>
    </dependency>

    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>

The latest version, 3.0.0, also depends on the same vulnerable versions. I would like to know whether this problem will be fixed in the future.
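Added example, not code from the question, from AWS Glue or from the AWS bulletin: a small Python checker that classifies log4j-core versions against the two CVEs the bulletin below names, run over a constructed pom.xml modelled on the dependency list quoted above and over constructed `mvn dependency:tree` output. The tree scan is the one that matters for this question: a version declared in your own pom can be overridden by Maven's nearest-wins resolution or by a dependencyManagement section, so `mvn dependency:tree` is what shows the effective log4j-core on the classpath, including a copy pulled in transitively by another library. Ranges used: 2.0-beta9 through 2.14.1 for CVE-2021-44228, 2.15.0 for CVE-2021-45046, with 2.16.0, 2.12.2 and 2.3.1 as the releases that fix both; later log4j advisories are out of scope. The Maven coordinates of AWSGlueETL and the other artifacts in the sample tree are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
LOG4J2_GROUP = "org.apache.logging.log4j"

# Constructed pom.xml, modelled on the dependency list quoted in the question.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j1.version>1.2.17</log4j1.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.4.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.4.1</version>
    </dependency>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>${log4j1.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed `mvn dependency:tree` output; the coordinates are assumed for the example.
SAMPLE_TREE = """[INFO] com.example:glue-job:jar:1.0
[INFO] +- com.amazonaws:AWSGlueETL:jar:3.0.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.4.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.4.1:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""


def parse_version(v):
    """Turn '2.12.2' or '2.0-beta9' into a comparable tuple.
    A pre-release qualifier (beta9, rc1) sorts below the plain release of the same number."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$", v)
    if not m:
        return None
    major, minor, patch, qual = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qual else 1, qual or "")


def log4j2_status(version):
    """Classify a log4j-core 2.x version against CVE-2021-44228 and CVE-2021-45046 only."""
    t = parse_version(version)
    if t is None or t[0] != 2:
        return "not-log4j2"
    if t < parse_version("2.0-beta9"):
        return "unaffected"
    # Backported fix lines: 2.3.1 (Java 6) and 2.12.2 (Java 7) close both CVEs.
    if t[:2] == (2, 3) and t >= parse_version("2.3.1"):
        return "fixed"
    if t[:2] == (2, 12) and t >= parse_version("2.12.2"):
        return "fixed"
    if t >= parse_version("2.16.0"):
        return "fixed"
    if t >= parse_version("2.15.0"):
        return "CVE-2021-45046"  # 2.15.0 closed 44228 but left the 45046 bypass
    return "CVE-2021-44228"


def classify(gid, aid, version):
    """Map one Maven coordinate to a finding, or None if it is not a log4j artifact of interest.
    Only log4j-core matters for these CVEs: the JndiLookup class lives there, not in log4j-api."""
    if gid == LOG4J2_GROUP and aid == "log4j-core":
        return (f"{gid}:{aid}", version, log4j2_status(version))
    if gid == "log4j" and aid == "log4j":
        # log4j 1.x is a separate, end-of-life code base; CVE-2021-44228 does not apply
        # to it, but it should be reviewed on its own terms, so it is reported too.
        return (f"{gid}:{aid}", version, "log4j1-eol-review")
    return None


def scan_pom(pom_xml):
    """Findings for the dependencies *declared* in a pom, resolving ${property} versions."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.iterfind("m:properties/*", NS)}

    def resolve(v):
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), v)

    findings = []
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = resolve(dep.findtext("m:version", default="", namespaces=NS).strip())
        f = classify(gid, aid, ver)
        if f:
            findings.append(f)
    return findings


# groupId:artifactId:type[:classifier]:version:scope, as printed by dependency:tree.
TREE_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):(?:[A-Za-z0-9_\-]+:){1,2}([A-Za-z0-9_.\-]+):([a-z]+)")


def scan_dependency_tree(text):
    """Findings for the *effective* versions Maven resolved, transitive ones included."""
    findings = []
    for line in text.splitlines():
        m = TREE_RE.search(line)
        if not m:
            continue  # the root project line carries no scope and is skipped
        f = classify(m.group(1), m.group(2), m.group(3))
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in scan_pom(SAMPLE_POM) + scan_dependency_tree(SAMPLE_TREE):
        print(*finding)
```

Run it against `mvn dependency:tree > tree.txt` for a project that depends on AWSGlueETL; a `CVE-2021-44228` line for log4j-core means the affected class is on the classpath regardless of what the project's own pom declares, and the usual remedies are to pin log4j-core to a fixed release via dependencyManagement or to rely on a runtime mitigation such as the hot patch described in the answer.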


Solution

  • AWS has provided an update on this, and it looks like they are applying Amazon-developed Java hot patches to all affected services; please refer here for more info: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

    From the document:

    Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers’ data and workloads. We've taken this issue very seriously, and our world-class team of engineers has fully deployed the Amazon-developed Java hot patch available here to all AWS services. The hot patch updates the Java VM to disable the loading of the Java Naming and Directory Interface (JNDI) class, replacing it with a harmless notification message, which mitigates CVE-2021-44228 and CVE-2021-45046. We will shortly complete our deployment of the updated Log4j library to all of our services. More information about the Java hotpatch is available at https://aws.amazon.com/blogs/security/open-source-hotpatch-for-apache-log4j-vulnerability/

    Thanks