Fixes
- Changed log4j version to 2.12.3 to mitigate the security vulnerability CVE-2021-45105. 605
Mitigation for Java 7
- This release is compatible with Java 7.
Support statement:
- New Relic recommends that you upgrade the agent regularly to ensure that you're getting the latest features and performance benefits. Additionally, older releases will no longer be supported when they reach end-of-life.
Fixes
- Upgraded log4j to 2.17.0 to mitigate the security vulnerability CVE-2021-45105. 605
Recommended Java versions
- This fix is recommended if you are running on Java 8 - 17.
Support statement:
- New Relic recommends that you upgrade the agent regularly to ensure that you're getting the latest features and performance benefits. Additionally, older releases will no longer be supported when they reach end-of-life.
Fixes
- Changed log4j version to 2.12.2 to mitigate the security vulnerability CVE-2021-45046. 605
Mitigation for Java 7
- This release is compatible with Java 7.
Support statement:
- New Relic recommends that you upgrade the agent regularly to ensure that you're getting the latest features and performance benefits. Additionally, older releases will no longer be supported when they reach end-of-life.
Fixes
- Upgraded log4j to 2.16.0 to mitigate the security vulnerability CVE-2021-45046. 605
Recommended Java versions
- This fix is recommended if you are running on Java 8 - 17.
Support statement:
- New Relic recommends that you upgrade the agent regularly to ensure that you're getting the latest features and performance benefits. Additionally, older releases will no longer be supported when they reach end-of-life.
Fixes
- Upgraded log4j to 2.15.0 to mitigate the security vulnerability CVE-2021-44228. 605
Recommended Java versions
- This fix is recommended if you are running on Java 8 - 17.
Support statement:
- New Relic recommends that you upgrade the agent regularly to ensure that you're getting the latest features and performance benefits. Additionally, older releases will no longer be supported when they reach end-of-life.
Fixes
- Upgraded log4j to 2.15.0 to mitigate the security vulnerability CVE-2021-44228. 605
Recommended Java versions
- Log4j 2.15.0, which fixes the security vulnerability CVE-2021-44228, is only compatible with Java 8+. Therefore, this version of the agent is not compatible with Java 7 and is only recommended if you are using Java 8+ and are otherwise unable to upgrade to Java agent 7.4.1.
Mitigation for Java 7
Java agent versions 4.12.0 through 6.5.0 (which support Java 7) use Log4j 2.11.2 which falls into the affected range. For Java 7 users the recommended mitigation from Apache Log4j Security Vulnerabilities is to set the system property -Dlog4j2.formatMsgNoLookups=true.
Mitigation: In releases >=2.10, this behavior can be mitigated by setting the system property
log4j2.formatMsgNoLookups. For releases >=2.7 and <=2.14.1, allPatternLayoutpatterns can be modified to specify the message converter as%m{nolookups}instead of just%m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove theJndiLookupclass from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note: The alternate approach of defining the LOG4J_FORMAT_MSG_NO_LOOKUPS=true environment variable will not work with the NR Java Agent.
Support statement:
- New Relic recommends that you upgrade the agent regularly to ensure that you're getting the latest features and performance benefits. Additionally, older releases will no longer be supported when they reach end-of-life.
New features and improvements
Support for Java 17 #433
Distributed tracing is on by default and deprecates cross-application tracing #486
- Increases the default maximum number of samples stored for span events from 1000 to 2000.
- The maximum number of samples stored for span events can be configured via the max_samples_stored configuration in the newrelic.yml.
span_events:max_samples_stored: 2000Important
This feature causes an increase in the consumption of data. The amount of increase will depend on the application. This feature can be disabled by adding the following to the agent yaml config nested under the common section:
distributed_tracing:enabled: falseAuto-instrumentation support for GraphQL-Java 17.0+ #487
This version tested agent support for the ARM64/Graviton2 platform
Fixes
The existing MongoDB sync client instrumentation was incorrectly applying when MongoDB reactive or async client was being used, which could lead to segment timeouts and long transaction response times. #476
Deprecations and removed features
Cross application tracing is now deprecated, and disabled by default. To continue using it, enable it with cross_application_tracer.enabled = true and distributed_tracing.enabled = false.
Support statement:
- New Relic recommends that you upgrade the agent regularly to ensure that you're getting the latest features and performance benefits. Additionally, older releases will no longer be supported when they reach end-of-life.
New features and improvements
Support for Java 16
Auto-instrumentation support for java.net.http.HttpClient
Migrate the Agent’s caching library from Guava to Caffeine (Special thanks to community member Stephan Schroevers for this contribution)
- Caffeine provides an in-memory cache using a Google Guava inspired API. The improvements draw on the author’s experience designing Guava's cache and
ConcurrentLinkedHashMap. - We expect this change to provide improvement in cases where we saw thread contention and deadlocks attributable to the Guava library.
- Caffeine provides an in-memory cache using a Google Guava inspired API. The improvements draw on the author’s experience designing Guava's cache and
Fixes
- Removed support for the anorm-2.0 instrumentation module
- The artifacts that this module instrumented are no longer available.
Support statement
- New Relic recommends that you upgrade the agent regularly to ensure that you're getting the latest features and performance benefits. Additionally, older releases will no longer be supported when they reach end-of-life.
New features and improvements
Scala Library Instrumentation #362 and #363
- STTP versions 2 & 3 Akka-HTTP, HTTP4s and STTP core backends
- Cats-effect v2
- ZIO v1
- HTTP4s client & server v0.21
- Play 2.3-2.8
- Akka-HTTP v10.1 & v10.2
- For more information, see Scala instrumentation.
Scala API support (see PRs above)
- Scala APIs provided for explicit instrumentation of several of above libraries in case auto-instrumentation is not desired
- Cats-effect v2
- ZIO v1
AWS v2 DynamoDB Instrumentation #343
- Synchronous and asynchronous AWS v2 APIs are auto-instrumented similarly to v1 APIs
- For more information, see Add support for AWS SDK 2 DynamoDB sync/async clients
GraphQL 16 Instrumentation #396
- Create meaningful transaction names
- Create meaningful spans
- Reporting GraphQL errors
- For more information, see GraphQL for Java
JFR feature causing excessive overhead when enabled JFR #203
- Refactored code to use less memory.
Fixes
The existing MongoDB instrumentation was partially applying when MongoDB Reactive Streams is being used.
- Disable weaving package when MongoDB 4.x+ reactive driver detected #341
- For more information, see Spring Reactive DB Drivers - MongoDB Support
Support statement:
- New Relic recommends that you upgrade the agent regularly to ensure that you're getting the latest features and performance benefits. Additionally, older releases will no longer be supported when they reach end-of-life.
- Real-time profiling for Java using JFR metrics
Due to overhead caused in some applications Real-time profiling for Java using JFR metrics is now disabled by default.
It can be enabled using the agent settings (newrelic.yml).
Support statement:
- New Relic recommends that you upgrade the agent regularly to ensure that you're getting the latest features and performance benefits. Additionally, older releases will no longer be supported when they reach end-of-life.