CVE-2021-3101: 
Bottlerocket vulnerability analysis and mitigation

Hotdog, prior to v1.0.1, contained a critical security vulnerability identified as CVE-2021-3101. The vulnerability was discovered in the software's handling of Java Virtual Machine (JVM) processes, where it failed to properly mimic the capabilities and SELinux label of the target JVM process. This vulnerability affected Hotdog installations before version 1.0.1, which was part of AWS's Log4Shell hot patch solutions (AWS Security Bulletin, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The core issue stemmed from the hot patch solutions continuously searching for Java processes and attempting to patch them against Log4Shell on the fly. The vulnerability occurred because the solution invoked container binaries without properly containerizing them, meaning new processes would run without the limitations normally applied to container processes (Hacker News, Unit42 Research).

The vulnerability could allow a container to gain full privileges on the host, effectively bypassing restrictions set on the container. This could lead to container escape and privilege escalation, allowing attackers to seize control of the underlying host. The impact was particularly severe in multi-tenant environments and clusters running untrusted images (Unit42 Research).

AWS released version 1.0.1 of Hotdog to address this vulnerability. Users were advised to upgrade to the fixed version as soon as possible. For those confident their applications were patched against Log4Shell, an alternative mitigation was to disable the hot patch service by running specific commands. The fixed version properly containerizes container binaries before running them (Unit42 Research, AWS Security Bulletin).