Apache Log4j2 Issue (CVE-2021-44228)?

Could you please confirm that your platform is not affected by the Apache Log4j2 issue (CVE-2021-44228)?

Hi, @ivan.voronchikhin: Please see this topic:


Thanks @philweber

It seems that the OP was asking specifically about the Cloud Platform where New Relic is hosted. We currently have a set of NR Synthetics tests (running from the cloud platform, i.e. agent-less), and we would like to know whether they are subject to this vulnerability.

Thanks!

Richard

Hi Richard -

The New Relic Vulnerability Management program has taken appropriate steps to evaluate and, if applicable, mitigate this particular threat. Unfortunately, due to the sensitive nature and complexity of how potential vulnerabilities are addressed, we do not disclose specific actions or details regarding our controls or procedures.

Keeping customers secure is always our top priority, and we have a well-established vulnerability management program that monitors multiple sources of threat intelligence for all relevant threats and vulnerabilities based on our technology stacks. All applicable, potential vulnerabilities are reviewed, rated, assigned SLAs, and remediated as appropriate. In addition, we continuously scan and monitor our applications and systems for new, potential vulnerabilities. This vulnerability management program is reviewed annually as part of our SOC2 certification, and we are happy to share our latest SOC2 report as well as further details of our program under NDA.


Hi hross - thanks for your response; I will take this to mean that the Log4j vulnerability was (or is no longer) applicable to the New Relic Cloud environment.

Thanks!

Richard

Hi there @rchua - We do have some more details to share this morning:

New Relic has released Java Agent and Containerized Private Minion updates to address a critical vulnerability in the open source Apache Log4j framework that was publicly disclosed on 2021-12-09 (CVE-2021-44228). Please review New Relic's Security Bulletins NR21-03 and NR21-04 for more detailed technical information about the vulnerability and the necessary remediation steps.

To get Security notifications from New Relic in the future, please subscribe to New Relic’s Security notifications community channel or RSS feed.

The New Relic Vulnerability Management program has taken appropriate steps to evaluate and, if applicable, mitigate this particular threat. Due to the sensitive nature and complexity of how potential vulnerabilities are addressed, we do not disclose specific actions or details regarding our controls or procedures.

Keeping customers secure is always our top priority, and we have a well-established vulnerability management program that monitors multiple sources of threat intelligence for all relevant threats and vulnerabilities based on our technology stacks. All applicable, potential vulnerabilities are reviewed, rated, assigned SLAs, and remediated as appropriate. In addition, we continuously scan and monitor our applications and systems for new, potential vulnerabilities. This vulnerability management program is reviewed annually as part of our SOC2 certification, and we are happy to share our latest SOC2 report as well as further details of our program under NDA.

As a New Relic customer, you have access to Environment Snapshots, which show libraries, JVM flags and runtime versions. In an Environment Snapshot, look for "log4j-core" in the library list; if it is a 2.x version, it is potentially impacted. Please work with your Security Department on next steps.
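The version check described in the post above, as an added example (this is not New Relic's or Apache's code): it takes log4j-core jar names of the kind an Environment Snapshot lists and classifies each against the affected ranges Apache published, 2.0-beta9 through 2.14.1 for CVE-2021-44228 and 2.0-beta9 through 2.15.0 for CVE-2021-45046, treating the backported fix releases 2.3.1, 2.12.2 and 2.12.3 as not affected. It also checks whether a jar still contains JndiLookup.class, the class whose removal was Apache's stop-gap mitigation when upgrading was not possible. The library names and the in-memory jars are constructed for the example.

```python
import io
import re
import zipfile

# Constructed sample, modeled on the library list an Environment Snapshot shows.
# The jar names are made up for this example.
SAMPLE_LIBRARIES = [
    "log4j-core-2.14.1.jar",
    "log4j-core-2.15.0.jar",
    "log4j-core-2.12.2.jar",
    "log4j-core-2.16.0.jar",
    "log4j-core-2.0-beta9.jar",
    "log4j-api-2.14.1.jar",   # the API jar alone does not carry the lookup code
    "log4j-1.2.17.jar",       # Log4j 1.x is a different code base, out of scope here
]

JAR_RE = re.compile(r"^log4j-core-(\d+\.\d+(?:\.\d+)?(?:-(?:beta|rc)\d+)?)\.jar$")
VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")


def version_key(version):
    """Turn a Log4j version string into a comparable tuple."""
    m = VER_RE.match(version)
    if not m:
        raise ValueError(f"unparseable log4j version: {version}")
    major, minor, patch, pre, pre_num = m.groups()
    # A pre-release such as 2.0-beta9 sorts before the final 2.0 release.
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre_num or 0))


# Fix releases on older branches, explicitly excluded from the affected ranges.
BACKPORT_FIXES = {version_key(v) for v in ("2.3.1", "2.12.2", "2.12.3")}


def affected_cves(version):
    """Return the CVEs whose published affected range contains this version."""
    k = version_key(version)
    if k in BACKPORT_FIXES:
        return []
    cves = []
    if version_key("2.0-beta9") <= k <= version_key("2.14.1"):
        cves.append("CVE-2021-44228")
    if version_key("2.0-beta9") <= k <= version_key("2.15.0"):
        cves.append("CVE-2021-45046")
    return cves


def triage(libraries):
    """Map each log4j-core jar name in a library list to the CVEs it is in range for."""
    result = {}
    for name in libraries:
        m = JAR_RE.match(name)
        if m:
            result[name] = affected_cves(m.group(1))
    return result


JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_bytes):
    """True if the jar (a zip archive) still ships the JndiLookup class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP in zf.namelist()


def make_jar(entries):
    """Build a minimal in-memory jar with the given entry names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for name, cves in triage(SAMPLE_LIBRARIES).items():
        print(f"{name}: {', '.join(cves) or 'not in an affected range'}")
    stock = make_jar(["META-INF/MANIFEST.MF", JNDI_LOOKUP])
    stripped = make_jar(["META-INF/MANIFEST.MF"])
    print("stock jar has JndiLookup:", has_jndi_lookup(stock))
    print("stripped jar has JndiLookup:", has_jndi_lookup(stripped))
```

A jar name is only a hint: a build can shade or rename log4j-core, and a 2.x jar that has had JndiLookup.class removed is no longer reachable for the JNDI lookup even though its version string is in range, which is why the example checks the archive contents as well as the version. Treat a match as "potentially impacted", as the post says, and confirm against the actual artifact.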

Can we expect another version of the New Relic agent to address CVE-2021-45046?

Thanks
Moorthi

@moorthi.subramaniyan: Please see the link I posted earlier in this topic: