Log4j Zero day vulnerability - Infrastructure Agent

Log4j Zero day vulnerability - Do we need to worry about Infrastructure Agent?


The Infrastructure Agent is not impacted but please review the following information.

On December 10th, 2021, New Relic released an updated Java agent that remediates CVE 2021-44228, a remote code execution vulnerability recently identified in the Log4j 2 logging framework. Please update your New Relic Java agents per the guidance in New Relic’s Security Bulletin NR21-03.

To get Security notifications from New Relic in the future, please subscribe to New Relic’s Security notifications community channel or RSS feed.


Hey @jmore,

Is the Newrelic NRI-Kubernetes or any other monitoring container affected by this issue?
They have the OpenJDK installed on the infrastructure-bundle Dockerfile at https://github.com/newrelic/infrastructure-bundle/blob/master/Dockerfile and the resulting image is used by NRI-Kubernetes at
https://github.com/newrelic/nri-kubernetes/blob/main/Dockerfile#L2

Hi there @rraivil - We have a few more details to share today.

New Relic has released Java Agent and Containerized Private Minion updates to address a critical vulnerability in the open source Apache Log4j framework that was publicly disclosed on 2021-12-09 (CVE 2021-44228). Please review New Relic’s Security Bulletins NR21-03 and NR21-04 for more detailed technical information about the vulnerability and necessary remediation steps.

To get Security notifications from New Relic in the future, please subscribe to New Relic’s Security notifications community channel or RSS feed.

The New Relic Vulnerability Management program has taken appropriate steps to evaluate and, if applicable, mitigate this particular threat. Due to the sensitive nature and complexity of how potential vulnerabilities are addressed, we do not disclose specific actions or details regarding our controls or procedures.

Keeping customers secure is always our top priority, and we have a well-established vulnerability management program that monitors multiple sources of threat intelligence for all relevant threats and vulnerabilities based on our technology stacks. All applicable, potential vulnerabilities are reviewed, rated, assigned SLAs, and remediated as appropriate. In addition, we continuously scan and monitor our applications and systems for new, potential vulnerabilities. This vulnerability management program is reviewed annually as part of our SOC2 certification, and we are happy to share our latest SOC2 report as well as further details of our program under NDA.

As a New Relic customer, you have access to Environment Snapshots, which show libraries, JVM flags and runtime versions. With Environment Snapshots, you can look for “log4j-core” in the list, and if it’s a 2.x version, then it’s potentially impacted. Please work with your Security Department for next steps.
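One way to automate the log4j-core check described in the post above, as an added example that is not code from New Relic or from this thread. The jar-name inventory format is constructed for illustration, and treating anything older than 2.16.0 (the release the thread goes on to ask about) as needing an update is an assumed threshold; the applicable bulletin is authoritative.

```python
# Added example: flag log4j-core 2.x entries in a library inventory such as
# the one an Environment Snapshot lists. Input format is constructed here.
import re

# Constructed sample inventory in "<artifact>-<version>.jar" form.
SAMPLE_LIBRARIES = [
    "log4j-core-2.14.1.jar",
    "log4j-api-2.14.1.jar",
    "log4j-core-2.16.0.jar",
    "log4j-1.2.17.jar",
    "newrelic-agent-7.4.0.jar",
    "log4j-core-2.17.0.jar",
]

# Assumed threshold: versions older than this are reported as needing an
# update; newer 2.x versions are still reported for review, per the post.
REFERENCE_FIXED = (2, 16, 0)

_LOG4J_CORE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")


def parse_version(name):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    m = _LOG4J_CORE.match(name)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(libraries):
    """Map each log4j-core 2.x jar to 'update-required' or 'review'.

    log4j-api and log4j 1.x entries are skipped: the post's heuristic is
    specifically about log4j-core 2.x.
    """
    findings = {}
    for lib in libraries:
        ver = parse_version(lib)
        if ver is None or ver[0] != 2:
            continue
        findings[lib] = "update-required" if ver < REFERENCE_FIXED else "review"
    return findings


if __name__ == "__main__":
    for jar, status in classify(SAMPLE_LIBRARIES).items():
        print(f"{status:16} {jar}")
```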

Hi Team,

Are you planning to release a new Java Agent for 2.16.x?

There is a new version already available as a pre-release: https://github.com/newrelic/newrelic-java-agent/releases