amazon-connect / ai-powered-speech-analytics-for-amazon-connect

The AI Powered Speech Analytics for Amazon Connect solution provides the combination of speech-to-text transcription, translation into preferred languages, and insights for agents and supervisors, all in real time.
https://aws.amazon.com/solutions/implementations/ai-powered-speech-analytics-for-amazon-connect/

How do I remediate RCE 0-day exploit found in Apache Log4j2 #36

Closed dfw100 closed 2 years ago

dfw100 commented 2 years ago

Remediation as per Apache here, see sections "Fixed in Log4j 2.15.0" and "Fixed in Log4j 2.17.0"

Please follow the steps in README.md to make a new build and deploy with the latest versions of amazon-kinesis-video-streams-parser-library (which has been patched with log4j v2.17.0), org.slf4j:slf4j-api, and org.slf4j:slf4j-log4j12.

Please note that, at the time of writing this comment, v1.1.0 of amazon-kinesis-video-streams-parser-library was still not available on Maven, hence you would need to clone https://github.com/aws/amazon-kinesis-video-streams-parser-library first, and run mvn clean install to build amazon-kinesis-video-streams-parser-library. Once completed, run build in ai-powered-speech-analytics-for-amazon-connect.

For customers who originally deployed via AWS Solution Guide https://docs.aws.amazon.com/solutions/latest/ai-powered-speech-analytics-for-amazon-connect/template.html, we are currently working on AWS Solution patching, and will post an update as soon as possible.
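A way to check the result of the rebuild described in the comment above, as an added example that is not part of the original thread or the project's code: it walks a built package, including nested and shaded jars, and reports every bundled log4j-core older than 2.17.0. The sample archive, its file names and the helper names are constructed for illustration.

```python
import io
import re
import zipfile

MIN_FIXED = (2, 17, 0)  # version the thread says the parser library was patched to
JAR_NAME = re.compile(r"(?:^|/)log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.17.0' -> (2, 17, 0); qualifiers such as '-beta9' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def find_log4j_core(data, path="<root>"):
    """Return (location, version) for every log4j-core copy in an archive.

    Covers jars matched by file name, shaded (fat) jars that keep the Maven
    metadata of merged dependencies, and archives nested inside archives.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            here = f"{path}!{name}"
            if by_name := JAR_NAME.search(name):
                found.append((here, parse_version(by_name.group(1))))
            elif name == POM_PROPS:
                props = zf.read(name).decode("utf-8", "replace")
                if ver := re.search(r"^version=(.+)$", props, re.M):
                    found.append((here, parse_version(ver.group(1).strip())))
            elif name.lower().endswith((".jar", ".zip", ".war")):
                try:
                    found.extend(find_log4j_core(zf.read(name), here))
                except zipfile.BadZipFile:
                    pass  # not a readable archive; nothing to inspect
    return found

def outdated(data):
    """Copies older than MIN_FIXED, which the rebuild should have replaced."""
    return [(loc, ver) for loc, ver in find_log4j_core(data) if ver < MIN_FIXED]

def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample():
    """Constructed stand-in for a built package; names and versions are made up."""
    shaded = _zip({POM_PROPS: "artifactId=log4j-core\nversion=2.14.1\n"})
    return _zip({"lib/log4j-core-2.17.0.jar": b"", "lib/app-shaded.jar": shaded})

if __name__ == "__main__":
    for loc, ver in outdated(build_sample()):
        print("needs rebuild:", loc, ".".join(map(str, ver)))
```

To check a real build, pass the bytes of the packaged jar or zip to `outdated()` instead of `build_sample()`.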

DMishra-22 commented 2 years ago

Hi @dfw100,

While trying to deploy the solution via AWS Solution Guide https://docs.aws.amazon.com/solutions/latest/ai-powered-speech-analytics-for-amazon-connect/deployment.html#step1 now, the stack description shows 'AI Powered Speach Analytics for Amazon Connect Version v1.1.2'. I see the latest release on the GitHub repo is also 1.1.2, after the above remediation for the Log4j2 exploit.

So is the AWS Solution patched already and is it safe to deploy it now from the solution guide?

dfw100 commented 2 years ago

AWS solution is patched to mitigate the Log4j vulnerability.