Versions Affected: 3.0.59 and earlier
Fixed In: 3.0.60
Vulnerability Identifier: NR22-01
Priority: High
Summary
New Relic released Containerized Private Minion (CPM) version 3.0.60 to specifically remove subdependencies on log4j version 1.2.17.
New Relic has determined that log4j version 1.2.17 was included in subdependencies of our build package for Containerized Private Minions prior to version 3.0.60. Log4j version 1.x has outstanding high and critical CVEs of CVE-2021-4104 and CVE-2019-17571 and no longer receives support from Apache Foundation to address these issues.
Action Items
We strongly recommend customers upgrade all their Containerized Private Minions to version 3.0.60 or later as soon as possible. This version has fully excluded all use of log4j version 1.x from dependencies. You may update your CPM through Helm Charts version 1.0.48.
This step will help remediate the log4j vulnerability in your New Relic Containerized Private Minion (CPM) only. For additional security guidance regarding log4j in other New Relic products, please review New Relic's Security Bulletins on our documentation page.
Customers using log4j directly in their applications should carefully review the Apache Log4j Security Vulnerabilities page for remediation details that should be considered.
Technical Links
Frequently Asked Questions
I've updated to Containerized Private Minion (CPM) version 3.0.58 already, do I need to update to version 3.0.60?
Yes, New Relic strongly recommends updating at this time to address critical vulnerabilities in log4j subdependencies identified in the Containerized Private Minion build package. Apache Foundation has issued a recommendation to deprecate all use of log4j version 1.x due to the project being out of support and having outstanding vulnerabilities. CPM 3.0.60 and later versions are the only CPM versions available without any use of log4j version 1.x.
Publication History
January 13, 2022 - NR22-01 Published