Apache Log4j Critical Vulnerability CVE-2021-44228 - Java

Versions affected: All agent versions between (a) 4.12.0 and 6.5.1; and (b) 7.0.0 and 7.4.1

Fix versions: 6.5.2, 6.5.3, 6.5.4, 7.4.2, 7.4.3 and 7.5.0

Vulnerability identifier: NR21-03

We have determined that the new vulnerability identified (CVE-2021-44832) does NOT affect New Relic's Java agent, unless an additional attack vector would allow write permissions to the host system. Nonetheless, newer versions of the New Relic Java agent will use the latest Apache versions of log4j (currently versions 2.17.1 (Java 8) and 2.12.4 (Java 7), which patches CVE-2021-44832).

We have also determined that New Relic's Java agent is NOT vulnerable to either CVE-2021-45046 or CVE-2021-45105. This is because the agent's use of log4j sits behind a wrapper interface that does not use or support Thread Context Map input data, a required aspect of the vulnerability. However, we recommend updating to at least the 6.5.2 or 7.4.2 release to ensure comprehensive protection against CVE-2021-44228.

As new versions of log4j become available, we will continue to release new versions of the agent.

Summary

New Relic has released new versions of the Java agent to address critical vulnerabilities in the open source log4j framework that could allow a malicious actor to exfiltrate data or execute arbitrary code using log messages or log message parameters.

New Relic will update this Security Bulletin and our customer guidance as new information becomes available.

Action items

To remediate CVE 2021-44228 in the New Relic Java agent, we recommend customers upgrade to agent release 6.5.2 or higher (requires Java 7 or higher) or 7.4.2 or higher (requires Java 8 or higher) as soon as possible.

If you have already upgraded to agent versions 6.5.2 or 7.4.2, you are protected against CVE 2021-44228 and do not have to upgrade again at this time. We have determined that New Relic's Java agent is NOT susceptible to either CVE-2021-45046 or CVE-2021-45105, as the agents use of log4j sits behind a wrapper interface that does not use or support Thread Context Map input data, a required aspect of the vulnerability. We recommend updating to at least the 6.5.2 or 7.4.2 release to ensure comprehensive protection against CVE-2021-44228.

How to disable the Java agent logging

You can set your Java agent logging level to OFF to remediate CVE-2021-44228. To do this, use any of the following options:

• Modify your local agent configuration file (search for the log_level parameter) (no restart is required)
• Define the newrelic.config.log_level=OFF system property (restart required)
• Set the NEW_RELIC_LOG_LEVEL=OFF environment variable (restart required)

You can verify that agent logging has been disabled by checking the agent log file. You should not see any new messages being written.

Disabling the Java agent logging does not affect the functionality of the agent, and there will be no degradation in observability.

Note: This workaround is recommended only as a temporary solution until you can update your agent version.

We will share more information, and additional steps for remediation, if the situation changes.

If you use log4j directly in your applications, be sure to carefully review the Apache Log4j Security Vulnerabilities. This page provides remediation details for you to consider.

Containerized private minions

The above step will remediate your New Relic Java agent only. You may also need to update your New Relic Containerized Private Minion. Please refer to NR21-04 for more information.

Technical vulnerability information

• CVE-2021-44228 CVSS 10.0
• CVE-2021-45046 CVSS 9.0
• CVE-2021-45105 CVSS 7.5
• CVE-2021-44832 CVSS 6.6
• Security guidance for New Relic customers related to Apache Log4j vulnerabilities
• How to help identify systems with vulnerable log4j versions using New Relic
• Apache log4j Security Vulnerabilities
• New Relic Support Forum

Frequently asked questions

Publication history

• March 3, 2022: NR21-03 Revision:

  • Updated references to Java agent versions 6.5.4 & 7.5.0

• December 29, 2021: NR21-03 Revision:

  • Updated to reflect agent findings on CVE-2021-44832

• December 22, 2021: NR21-03 Major Revision:

  • New fix versions 6.5.3 and 7.4.3 available to address CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.
  • Addition of exploitability risk assessments for each vulnerability, to aid customers in making remediation decisions.
  • Addition of content regarding lack of functionality impact for customers that disable agent logging.

• December 17, 2021: NR21-03 Revision:

  • Change in severity and technical description of CVE-2021-45046

• December 16, 2021: NR21-03 Major Revision:

  • New fix version 6.5.2 available to address both CVE-2021-44228 and CVE-2021-45046.
  • Change in guidance regarding sufficiency of log4j version 2.15.0 to protect against exploitation of CVE-2021-44228.
  • Change in recommended workaround.
  • Update of NIST technical description of CVE-2021-44228.

• December 14, 2021: NR21-03 Major Revision:

  • New fix version 7.4.2 available to address both CVE-2021-44228 and CVE-2021-45046.
  • Updated to include an additional workaround option.
  • Updated to provide clarity between New Relic Java agent updates and the best practices customers should take to secure their applications.
  • Added technical vulnerability descriptions and CVSS scores from the National Institute of Standards and Technology (NIST).

• December 13, 2021: NR21-03 updated to include more explicit workaround guidance and FAQs

• December 10, 2021: NR21-03 published

Report security vulnerabilities to New Relic

New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities.