Amazon Web Services

Amazon Web Services said it is addressing the Log4j vulnerability for any services that either use the open-source code or provide it to customers as part of their service. The Seattle, Wash.-based cloud computing giant said it encourages customers who manage environments containing Log4j to update to the latest version.

Updates for AWS Greengrass versions 1.10 and 1.11 are expected to be available Friday, and customers are directed in the meantime to verify that their custom lambda code does not use arbitrary stream names and file names outside the customer’s control. API Gateway is being updated to a version of Log4j that mitigates the issue, and customers may observe periodic latency during those updates.

AWS EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Flink, HUDI, Presto, and Trino which use vulnerable versions of Apache Log4j. The company said it is actively working on building an update that mitigates issues around when open source frameworks installed on a customer’s EMR cluster process information from untrusted sources.