Fixes
- Upgraded log4j to 2.15.0 to mitigate the security vulnerability CVE-2021-44228. 605
Recommended Java versions
- Log4j 2.15.0, which fixes the security vulnerability CVE-2021-44228, is only compatible with Java 8+. Therefore, this version of the agent is not compatible with Java 7 and is only recommended if you are using Java 8+ and are otherwise unable to upgrade to Java agent 7.4.1.
Mitigation for Java 7
Java agent versions 4.12.0 through 6.5.0 (which support Java 7) use Log4j 2.11.2, which falls into the affected range. For Java 7 users the recommended mitigation from Apache Log4j Security Vulnerabilities is to set the system property -Dlog4j2.formatMsgNoLookups=true.
Mitigation: In releases >=2.10, this behavior can be mitigated by setting the system property log4j2.formatMsgNoLookups. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note: The alternate approach of defining the LOG4J_FORMAT_MSG_NO_LOOKUPS=true environment variable will not work with the NR Java Agent.
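A launch-line audit for the mitigation above, added here as an example (not New Relic's or Apache's code): it reports whether a JVM that loads the agent also sets the system property, and flags the environment variable alone as insufficient, as the note states. The function name, jar paths and command lines are constructed for illustration, and stopping the scan at -jar is a simplification.

```shell
#!/bin/sh
# Added example: audit a JVM launch line for the system-property mitigation.
# Usage: check_mitigation "<java command line>" ["<NAME=VALUE environment dump>"]
# Prints: no-agent | mitigated | env-only | unmitigated
check_mitigation() (
  cmdline=$1 environ=${2:-} agent=no prop=no
  set -f                      # no glob expansion while word-splitting (subshell-scoped)
  for tok in $cmdline; do
    case $tok in
      -javaagent:*newrelic*.jar*) agent=yes ;;
      # Only the exact form given on the page counts as set.
      -Dlog4j2.formatMsgNoLookups=true) prop=yes ;;
      # A later non-true value is treated as unsetting it (conservative).
      -Dlog4j2.formatMsgNoLookups=*) prop=no ;;
      # Everything after "-jar <file>" is an application argument, not a
      # JVM option, so a -D placed there never becomes a system property.
      -jar) break ;;
    esac
  done
  if [ "$agent" = no ]; then echo no-agent
  elif [ "$prop" = yes ]; then echo mitigated
  else
    case $environ in
      *LOG4J_FORMAT_MSG_NO_LOOKUPS=true*) echo env-only ;;   # not honoured by the agent
      *) echo unmitigated ;;
    esac
  fi
)

# Constructed sample launch lines (paths and app name are hypothetical).
AGENT='-javaagent:/opt/newrelic/newrelic.jar'
for line in \
  "java $AGENT -Dlog4j2.formatMsgNoLookups=true -jar app.jar" \
  "java $AGENT -jar app.jar -Dlog4j2.formatMsgNoLookups=true" \
  "java $AGENT -jar app.jar"
do
  printf '%-12s %s\n' "$(check_mitigation "$line")" "$line"
done
# Environment variable only: reported separately because it does not protect the agent.
check_mitigation "java $AGENT -jar app.jar" "LOG4J_FORMAT_MSG_NO_LOOKUPS=true"   # prints env-only
```

Quoted paths containing spaces and options supplied through other channels are outside what this simple scan handles.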
Support statement:
- New Relic recommends that you upgrade the agent regularly to ensure that you're getting the latest features and performance benefits. Additionally, older releases will no longer be supported when they reach end-of-life.