Log4j Zero Day Vulnerability and the New Relic Java Agent

[Updating this post to remove stale information]

Please see our blog post for more information on our response to CVE-2021-44228 and NVD - CVE-2021-45046.

Our security bulletin provides details on actions that can be taken to remediate any vulnerability with our Java Agent.

We’ll be keeping the above articles updated with information on an ongoing basis.


Cursory analysis of the code used doesn’t show any sign of a way to trigger the vulnerability. Not to say that it’s impossible, but I don’t see an IMMEDIATE way to trigger a log4shell attack. Is there any information or additional details that can be provided?


We are using java New Relic Agent v5.7.0.

Is this version free from the log4shell vulnerability?

As per Log4j – Apache Log4j 2, the system property fix will work only for version >= 2.10.
Can we know if any version of the new-relic agent is using log4j version < 2.10?

We are using the following versions of the new-relic agent: 4.12.0, 6.5.0, 4.3.0, 6.4.2, 4.3.0, and we want to confirm whether the system property fix will work for these.


What about browser applications? Are they updated automatically?

@achi: Browser applications do not use Log4j, so they are not affected by this vulnerability.


Do we need to make any changes where we use the New Relic Go agent?

Hello kevynford, can you please let us know how to set the system property log4j2.formatMsgNoLookups=true?

hello, is it possible to know which agent versions are impacted?


@yash.jain2: No, Log4j is only for Java.

Version 6.5.1 appears NOT to be compatible with Java 7. I get an Unsupported major.minor version 52.0 error:

```
Error bootstrapping New Relic agent: java.lang.UnsupportedClassVersionError: com/newrelic/agent/deps/org/apache/logging/log4j/message/Message : Unsupported major.minor version 52.0
java.lang.UnsupportedClassVersionError: com/newrelic/agent/deps/org/apache/logging/log4j/message/Message : Unsupported major.minor version 52.0
```

Hi,

Can we use the workaround of setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true ?

The Java Agent’s earliest log4j version usage was: 2.11.2

Note: The alternate approach of defining the LOG4J_FORMAT_MSG_NO_LOOKUPS=true environment variable will not work with the NR Java Agent.

This comment has been edited from its original.
I previously indicated the answer was yes. Further testing has shown that not to be correct. The original post has also been updated to reflect this new information.


Hi, @George.James1: Yes, only the Java agent uses Log4j (the J in “Log4j” stands for “Java”).

Does this vulnerability also affect the Android Agent?


@bellis Brad, can you please also clarify whether newrelic agent versions 2.x, 3.x and 4.x from
Index of /newrelic/java-agent/newrelic-agent are also impacted?

Based on my own analysis it seems that the newrelic agent started using log4j2 in version 5.x.

For example, 3.x doesn’t render anything related to log4j2:

```
# -O - streams the jar to stdout, -o /dev/null silences wget's own log; jar tv lists the archive read from stdin
wget https://download.newrelic.com/newrelic/java-agent/newrelic-agent/3.46.0/newrelic-agent-3.46.0.jar -O - -o /dev/null | jar tv | grep log4j
```

Similar for 4.x:

```
wget https://download.newrelic.com/newrelic/java-agent/newrelic-agent/4.9.0/newrelic-agent-4.9.0.jar -O - -o /dev/null | jar tv | grep log4j
```

But from 5.0.0 onward I see log4j-core being shaded in the nr jar:

```
wget https://download.newrelic.com/newrelic/java-agent/newrelic-agent/5.0.0/newrelic-agent-5.0.0.jar -O - -o /dev/null | jar tv | grep log4j | grep JndiLo
  3354 Sun Apr 21 16:38:24 EEST 2019 com/newrelic/agent/deps/org/apache/logging/log4j/core/lookup/JndiLookup.class
```
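The `wget | jar tv | grep` pipeline above answers one question (is `JndiLookup.class` in the shaded jar?) but not the other one raised earlier in the thread, namely whether the bundled log4j-core is older than 2.10, below which the `log4j2.formatMsgNoLookups` system property is ignored. The script below is an added example, not New Relic code, that performs both checks offline against a local jar: it matches the shaded class by package suffix (the thread's listing shows the original path kept under `com/newrelic/agent/deps/`), follows nested `*.jar` entries, and reads the Maven `pom.properties` that log4j-core normally ships to recover the version. The `META-INF/maven/.../pom.properties` location and the assumption that a vendor keeps that file when shading are assumptions; if it was stripped, the version comes back as `None` and the script says so. The sample jars it builds are constructed fixtures, not real agent releases.

```python
"""Offline check of a Java agent jar for shaded Log4j 2 (added example, not New Relic code).

Assumptions: shading keeps the original package path as a suffix
(e.g. com/newrelic/agent/deps/org/apache/logging/log4j/...), and log4j-core's
Maven pom.properties survives under META-INF/maven/. Both are assumptions.
"""
import io
import re
import sys
import zipfile

JNDI_SUFFIX = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")


def parse_version(props):
    """Extract 'version=2.x.y' from pom.properties text as an int tuple, or None."""
    m = re.search(r"^version=(\d+(?:\.\d+)*)\s*$", props, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def scan_jar(data):
    """Return the JndiLookup.class entries and the log4j-core version found in a jar.

    data is the jar's bytes. Nested *.jar entries are scanned recursively and
    their hits reported as outer.jar!/inner/path.
    """
    hits, version = [], None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(JNDI_SUFFIX):          # shaded or unshaded JndiLookup
                hits.append(name)
            elif POM_RE.search(name):               # Maven metadata carries the version
                version = parse_version(zf.read(name).decode("utf-8", "replace"))
            elif name.endswith(".jar"):             # fat jars / bundled libraries
                inner = scan_jar(zf.read(name))
                hits.extend("%s!/%s" % (name, h) for h in inner["jndi_lookup"])
                version = version or inner["log4j_core_version"]
    return {"jndi_lookup": hits, "log4j_core_version": version}


def assess(result):
    """Map a scan result onto the remediation options discussed in the thread."""
    if not result["jndi_lookup"]:
        return "not_exposed"           # no JndiLookup class anywhere in the jar
    v = result["log4j_core_version"]
    if v is None:
        return "unknown_version"       # class present but no pom.properties: remove class or upgrade
    if v < (2, 10, 0):
        return "property_not_honored"  # log4j2.formatMsgNoLookups is ignored before 2.10
    if v < (2, 15, 0):
        return "property_partial"      # property honored on 2.10-2.14.x; upgrading is still the fix
    return "lookups_off_by_default"    # 2.15.0+ disables message lookups by default


def build_jar(entries):
    """Build an in-memory jar from {entry_name: bytes} (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed fixtures mimicking the layouts discussed in the thread (not real releases).
SHADED = "com/newrelic/agent/deps/"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
SAMPLE_5X = build_jar({SHADED + JNDI_SUFFIX: b"\xca\xfe\xba\xbe", POM: b"version=2.11.2\n"})
SAMPLE_3X = build_jar({"com/newrelic/agent/Agent.class": b"\xca\xfe\xba\xbe"})
SAMPLE_NESTED = build_jar({"lib/log4j-core-2.8.2.jar":
                           build_jar({JNDI_SUFFIX: b"\xca\xfe\xba\xbe", POM: b"version=2.8.2\n"})})

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:                   # usage: python scan.py newrelic-agent-5.0.0.jar
            with open(path, "rb") as fh:
                r = scan_jar(fh.read())
            print(path, r["log4j_core_version"], assess(r), *r["jndi_lookup"], sep="\n  ")
    else:
        for label, jar in (("5.x-like", SAMPLE_5X), ("3.x-like", SAMPLE_3X), ("nested", SAMPLE_NESTED)):
            r = scan_jar(jar)
            print(label, r["log4j_core_version"], assess(r), r["jndi_lookup"])
```

Run it with a downloaded agent jar as the argument; with no arguments it exercises the constructed fixtures. The suffix match is deliberate: a relocated (shaded) copy of log4j-core is invisible to tools that look for the `org/apache/logging/log4j` prefix at the top of the archive, which is exactly why the thread had to grep the listing by hand.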

Can you please advise about the Infrastructure Agent?


Link that helps with checking the version, backing up and updating the java agent:
https://docs.newrelic.com/docs/apm/agents/java-agent/installation/update-java-agent/

It’s a Go application, thus not affected.