Update Java agent to use new version of log4j 2 #605
Comments
kford-newrelic
added
the
GTSE
|
By turning the logging level to 'off' will it temporarily remediate the vulnerability? |
|
Java Agent 5.x should also still be supported and receive security patches. Is this fix being backported to older agents? |
|
The updated Java Agent 6.5.1 breaks JDK7 compatibility. |
6.5.0 states it's the last version to support JDK7 but presumably the implication was from 7.x onwards. We unfortunately do need JDK7 support. |
https://discuss.newrelic.com/t/log4j-zero-day-vulnerability-and-the-new-relic-java-agent/170322 says use 6.5.1 for JDK7 compatibility, but it appear v6.5.1 is NOT compatible with JDK7 because log4j 2.15.0 is not compatible with JDK7. |
We are looking at how to best address this in the agent. For immediate remediation the thing to do will be to use the workaround recommendations indicated by log4j in conjunction with Agent 6.5.0 or other appropriate agent version that will run on Java 7: https://logging.apache.org/log4j/2.x/security.html
|
|
@tbradellis I suppose the New Relic Agent build could be updated to exclude In any case, New Relic isn't the only one with this issue: apache/logging-log4j2#608 (comment). Let's see what the response will be 👀. |
|
Looks like we have a good path for the Java 7 supported releases. We'll do a 6.5.x point release with the backported patch 2.12.2. |
|
Updating agent release to Will update agent release |
|
Any ETA for |
|
A second CVE was found in log4j 2.15.0. I see that it is already fixed for |
|
@jinzishuai @yunusevren We plan to do another 6.x point release but we're waiting for the Log4j folks to release the back-ported fix to a version of Log4j that supports Java 7, as the 6.x range of agents should remain Java 7 compatible. Unfortunately we broke that backwards compatibility with the 6.5.1 patch but we'd like to remedy that now that we know that a back-port should happen. As summarized in this comment from @benders we don't believe the agent to be vulnerable to CVE-2021-45046:
|
|
All, Java agent 6.5.2 has been released. This provides a Log4j security patch that is back-ported for compatibility with Java 7.
You can find it on maven central: |
|
Can something be done to remove JNDI as a threat vector entirely? |
|
Another CVE has been published: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105 |
|
The described alternative, to set the |
|
@skjelmo we've updated our mitigation actions, but had forgotten to update this ticket. This has been fixed. |
|
@hpoettker agent 7.4.3 was released this morning with log4j 2.17.0. |
|
@skjelmo from the information we have on CVE-2021-45105 and our analysis of the code, NR agents are NOT affected by this vulnerability. |
|
Waiting to see if the Apache project releases a log4j |
Is your feature request related to a problem? Please describe.
A well-publicized vulnerability has been discovered with certain versions of the
log4j 2framework. Some references:Feature Description
Need to publish updated maint releases for the following major agent versions (these are still under support):
Describe Alternatives
A workaround to the issue has been described, to disable logging by setting the log level to off.
See security bulletin NR21-03 for the latest mitigation actions.
Additional context
Older versions of the Java Agent that are not currently supported will not be updated, in alignment with our published EOL policy.
Priority
Critical
The text was updated successfully, but these errors were encountered: