Log4j Zero Day Vulnerability and the New Relic Java Agent

Hello, is it possible to know which agent versions are impacted? Can we get the NRQL query to find the impacted versions?

@philweber - Just curious about the new issue reported by Apache on 2.15.0 and the recommendation to move to 2.16.0 (CVE-2021-45046). Do you have any suggestions, or is there going to be another New Relic version release?

6 Likes

New Relic has released Java Agent and Containerized Private Minion updates to address a critical vulnerability in the open source Apache Log4j framework that was publicly disclosed on 2021-12-09 (CVE-2021-44228). Please review New Relic’s Security Bulletins NR21-03 and NR21-04 for more detailed technical information about the vulnerability and necessary remediation steps.

To get Security notifications from New Relic in the future, please subscribe to New Relic’s Security notifications community channel or RSS feed.

The New Relic Vulnerability Management program has taken appropriate steps to evaluate and, if applicable, mitigate this particular threat. Due to the sensitive nature and complexity of how potential vulnerabilities are addressed, we do not disclose specific actions or details regarding our controls or procedures.

Keeping customers secure is always our top priority, and we have a well-established vulnerability management program that monitors multiple sources of threat intelligence for all relevant threats and vulnerabilities based on our technology stacks. All applicable, potential vulnerabilities are reviewed, rated, assigned SLAs, and remediated as appropriate. In addition, we continuously scan and monitor our applications and systems for new, potential vulnerabilities. This vulnerability management program is reviewed annually as part of our SOC2 certification, and we are happy to share our latest SOC2 report as well as further details of our program under NDA.

As a New Relic customer, you have access to Environment Snapshots, which show libraries, JVM flags and runtime versions. With Environment Snapshots, you can look for “log4j-core” in the list; if it’s a 2.x version, then it’s potentially impacted. Please work with your Security Department for next steps.

2 Likes

FWIW, I have been using something like this to assess things based on what is not at the known fix versions of the New Relic Java agent:

SELECT uniqueCount(apmAgentVersion)
FROM NrDailyUsage 
WHERE apmLanguage = 'java' AND apmAgentVersion NOT IN ('6.5.1', '7.4.1')
FACET consumingAccountName, apmAppName, agentHostname
SINCE 3 day ago limit max

Open to feedback on how to improve this.

2 Likes
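One way to turn the faceted rows that query returns into an actionable list (added example, not New Relic tooling or the poster's own script): the classifier below encodes only what this thread states (agents before 4.12.0 use logback and are not affected; 4.12.0 through 6.5.0 and 7.4.0 are affected; 6.5.1 / 7.4.1 fix CVE-2021-44228; 6.5.2 / 7.4.2 move to log4j 2.12.2 / 2.16.0). It also shows why a plain `NOT IN ('6.5.1', '7.4.1')` over-reports: a 3.x agent and a 7.4.2 agent both fail that filter but need no action. The rows are constructed; the assumption that any version above 7.4.1 stays on the 7.4.x fix line is noted in a comment.

```python
"""Triage New Relic Java agent versions per the guidance in this thread.
Added example, not New Relic tooling. Version ranges are the ones stated in
the thread; SAMPLE_ROWS are constructed, shaped like NrDailyUsage facets."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """'7.4.1' -> (7, 4, 1); a missing patch component is treated as 0."""
    parts = [int(p) for p in s.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


FIRST_LOG4J_AGENT = parse_version("4.12.0")       # earlier agents use logback
FIX = {6: parse_version("6.5.1"), 7: parse_version("7.4.1")}        # CVE-2021-44228 fix
FOLLOW_UP = {6: parse_version("6.5.2"), 7: parse_version("7.4.2")}  # log4j 2.12.2 / 2.16.0


def classify(version: str) -> str:
    v = parse_version(version)
    if v < FIRST_LOG4J_AGENT:
        return "not affected (pre-4.12.0, logback)"
    # 4.x/5.x/6.x are all below the 6.5.x fix line; assumption: anything
    # 7.0.0 or newer is measured against the 7.4.x fix line.
    line = 6 if v[0] <= 6 else 7
    if v >= FOLLOW_UP[line]:
        return "fixed (log4j 2.16.0 / 2.12.2)"
    if v >= FIX[line]:
        return "fixed (CVE-2021-44228)"
    return "affected (CVE-2021-44228): upgrade"


SAMPLE_ROWS: List[Dict[str, str]] = [  # constructed, not real accounts or hosts
    {"apmAppName": "billing-api", "agentHostname": "host-a", "apmAgentVersion": "7.4.1"},
    {"apmAppName": "legacy-portal", "agentHostname": "host-b", "apmAgentVersion": "3.34.0"},
    {"apmAppName": "orders", "agentHostname": "host-c", "apmAgentVersion": "6.5.0"},
    {"apmAppName": "orders", "agentHostname": "host-d", "apmAgentVersion": "7.2.0"},
    {"apmAppName": "reports", "agentHostname": "host-e", "apmAgentVersion": "7.4.2"},
]


def nrql_not_in_view(rows: List[Dict[str, str]],
                     fixed: Tuple[str, ...] = ("6.5.1", "7.4.1")) -> List[Tuple[str, str]]:
    """What the NOT IN query returns: every row not at a listed fix version."""
    return [(r["apmAppName"], r["agentHostname"]) for r in rows
            if r["apmAgentVersion"] not in fixed]


def triage(rows: List[Dict[str, str]]):
    """Return {(app, host): status} plus the sorted subset that needs an upgrade."""
    status = {(r["apmAppName"], r["agentHostname"]): classify(r["apmAgentVersion"])
              for r in rows}
    needs_upgrade = sorted(k for k, s in status.items() if s.startswith("affected"))
    return status, needs_upgrade


if __name__ == "__main__":
    status, needs = triage(SAMPLE_ROWS)
    for key, s in status.items():
        print(f"{key[0]}@{key[1]}: {s}")
    print("NOT IN view flags:", nrql_not_in_view(SAMPLE_ROWS))
    print("actually needs upgrade:", needs)
```

On the constructed rows the `NOT IN` view flags four hosts while only the two `orders` hosts (6.5.0 and 7.2.0) are in the affected range; the legacy 3.34.0 agent predates log4j in the agent and 7.4.2 is newer than the fix.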

There is a second vulnerability that was fixed in log4j 2.16.0. Is there a new release for New Relic Java agents to use this?

9 Likes

Do you mean
https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f ?

3 Likes

If we are running Java agent version 3.34.0, is it affected? Our product is EOL; what is a temporary fix we can implement?
As per the URL Apache Log4j Critical Vulnerability CVE-2021-44228 - Java | New Relic Documentation, it says that all affected versions are between 4.12.0 and 6.5.0, or 7.4.0.

There is no post update/new thread yet, but the release 7.4.2 with this new fix already seems to be available: Java agent v7.4.2 | New Relic Documentation

1 Like

Do we also need to upgrade Infrastructure agents and Synthetic Monitor Minions?

@sdewarde versions of our agent prior to 4.12.0 use logback, not log4j, so they are not affected by the vulnerability.

1 Like

@luyjmt the second vulnerability that you mention is CVE-2021-45046. Based on current information, none of our Java Agent versions are affected by this vulnerability.

You are correct that our 7.4.2 release is using log4j 2.16.0, which permanently remediates CVE-2021-45046.

Our guidance to customers is that if you’ve already upgraded to either 6.5.1 or 7.4.1, you do not need to immediately rush to upgrade to 7.4.2 because of log4j vulnerabilities.

@sandesh.sharma1 The Java agent does not use the host application’s logging library, it shadows its own log4j dependency into the agent jar. This allows the agent to have control over agent logging without being dependent on the host application dependencies or forcing any logging requirements on the host application (e.g. your host can use any logging library it wants (logback, log4j, JUL) and the agent will always use its own log4j dependency).

This means that both your application and the Java agent need to be updated to use unaffected versions of log4j. Simply updating your application’s log library has no effect on agent logging.
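Because the agent carries its own copy of log4j inside its jar, a classpath-only check of the application misses it. The scanner below is an added example (not New Relic's code) that inspects any jar, including jars nested inside it, for log4j-core's Maven metadata and for the JndiLookup class matched by path suffix, so a relocated (shadowed) package is still reported. Version classification follows this thread: 2.x below the fixes is affected by CVE-2021-44228, 2.15.0 by CVE-2021-45046, and 2.16.0 or 2.12.2 are the remediated releases. The two fixture jars are constructed in memory; a shading plugin that renames the whole package would defeat the suffix match, which is why the Maven metadata check is kept alongside it.

```python
"""Scan a jar (and jars nested inside it) for a bundled log4j-core, so an
agent jar can be checked separately from the application's own classpath.
Added example, not New Relic's code; the fixture jars are constructed."""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Standard Maven metadata path that log4j-core ships inside its jar.
POM_PROPS_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
# Suffix match so a relocated package (com/example/shadow/org/apache/...) still hits.
JNDI_LOOKUP_RE = re.compile(r"log4j/core/lookup/JndiLookup\.class$")


def parse_version(v: str) -> Tuple[int, int, int]:
    parts = [int(p) for p in re.split(r"[.-]", v) if p.isdigit()]
    parts = (parts + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2])


def classify_log4j_version(v: str) -> str:
    """Apply the thread's guidance to a log4j-core version string."""
    ver = parse_version(v)
    if ver[0] != 2:
        return "not log4j 2.x (out of scope for this thread)"
    if ver == (2, 12, 2) or ver >= (2, 16, 0):
        return "remediated (2.16.0 / 2.12.2 for Java 7)"
    if ver == (2, 15, 0):
        return "affected (CVE-2021-45046)"
    return "affected (CVE-2021-44228)"


def _version_from_pom_properties(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar_bytes(name: str, data: bytes, findings: List[Dict]) -> None:
    """Record log4j-core evidence found in `data`, recursing into nested jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if POM_PROPS_RE.search(entry):
                ver = _version_from_pom_properties(zf.read(entry))
                findings.append({"jar": name, "entry": entry, "version": ver,
                                 "status": classify_log4j_version(ver) if ver else "unknown"})
            elif JNDI_LOOKUP_RE.search(entry):
                findings.append({"jar": name, "entry": entry, "version": None,
                                 "status": "JndiLookup class present"})
            elif entry.lower().endswith((".jar", ".war", ".ear")):
                scan_jar_bytes(f"{name}!{entry}", zf.read(entry), findings)


def scan_jar_file(path: str) -> List[Dict]:
    """Scan a jar on disk, e.g. the agent jar and the application artifact."""
    findings: List[Dict] = []
    with open(path, "rb") as fh:
        scan_jar_bytes(path, fh.read(), findings)
    return findings


def _make_jar(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


def scan_constructed_fixtures() -> List[Dict]:
    """Constructed fixtures: an agent-style jar with relocated log4j classes and
    an app jar whose log4j-core sits in a nested library jar."""
    agent_jar = _make_jar({
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            b"version=2.13.0\ngroupId=org.apache.logging.log4j\n",
        "com/example/shadow/org/apache/logging/log4j/core/lookup/JndiLookup.class":
            b"\xca\xfe\xba\xbe",
    })
    nested_core = _make_jar({
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            b"version=2.16.0\n",
    })
    app_jar = _make_jar({"lib/log4j-core-2.16.0.jar": nested_core,
                         "com/example/App.class": b"\xca\xfe\xba\xbe"})
    findings: List[Dict] = []
    scan_jar_bytes("agent.jar", agent_jar, findings)
    scan_jar_bytes("app.jar", app_jar, findings)
    return findings


if __name__ == "__main__":
    for f in scan_constructed_fixtures():
        print(f"{f['jar']}: {f['entry']} -> {f['version']} [{f['status']}]")
```

Run `scan_jar_file` once against the agent jar and once against the application artifact; the two results are independent, which is the point of the post above.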

Hello, will there be a version 6.5.2 with log4j upgraded to 2.16?

Our applications are using a log4j version below 2. If we upgrade to the newer agent version 7.4.2, will this have any conflict with our older log4j, or any issues connecting to New Relic collectors?

For those of you looking for ways to detect this vulnerability in your own applications (not just your New Relic Java Agent), see Jonathan’s new blog post - hopefully that will help!

@avooka We’re planning an updated 6.5.2 release but that will use the remediated log4j 2.12.2 release, which was specifically intended for Java 7 users.

Maven Central is a bit overloaded at the moment, though, so publishing new releases will be delayed.

This will allow an upgrade path for our Java 7 users.

1 Like

@veeresh.dandur1 No conflict - see the response on agent shadowing.

1 Like

Quick update: Version 6.5.2 of our Java Agent has been released. This uses the recently remediated log4j 2.12.2, which supports Java 7 users.

1 Like

I am upgrading from 5.9.0 to 6.5.1 and I got the following errors:
2021-12-16T12:36:03,388+1100 [6249 34] com.newrelic INFO: Unable to connect to New Relic due to an SSL error. Consider enabling -Djavax.net.debug=all to debug your SSL configuration such as your trust store.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:1.8.0_291]

But as I understand this SSL issue from Important: Upcoming New Relic server certificate update will impact most users of Java agent version 6.1, and a few users of Java agent version 6.2.0 to 6.4.2, any version > 6.4.2 shall not be affected … I have already removed use_private_ssl: true from my yml file …

Can you clarify your advice on the 6.5.1 agent site?
Java agent v6.5.1 | New Relic Documentation

It states that 6.5.1 fixes CVE-2021-44228. Then, under Java versions, it says the fix is not compatible with Java 7 and requires version 8.

Is this saying agent 6.5.1 will be susceptible to CVE-2021-44228 if the Java version is less than 8?