CVE-2022-33915: 
NixOS vulnerability analysis and mitigation

Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition vulnerability (CVE-2022-33915) that could lead to local privilege escalation. This hotpatch package was designed as a temporary mitigation for CVE-2021-44228, not as a permanent replacement for updating Log4j (NVD, AWS Advisory).

The vulnerability exists in the hotpatch script's process of iterating through running Java processes. The script performs checks and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. The issue stems from a race condition between when the hotpatch observes the process path and when it observes the effective user ID. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (HIGH) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

A local user with permissions to run custom programs could exploit this vulnerability to execute a binary with elevated privileges. This is achieved by running a custom Java process that performs exec() of an SUID binary during the race condition window (AWS Advisory).

Users should update to log4j-cve-2021-44228-hotpatch version 1.3-5 or later to address this vulnerability. The fix is available through the package management system, and can be applied by running 'yum update log4j-cve-2021-44228-hotpatch' (AWS Advisory).