Versions affected: All agent versions between (a) 4.12.0 and 6.5.1; and (b) 7.0.0 and 7.4.1
Fix versions: 6.5.2, 6.5.3, 6.5.4, 7.4.2, 7.4.3 and 7.5.0
Vulnerability identifier: NR21-03
We have determined that the new vulnerability identified (CVE-2021-44832) does NOT affect New Relic's Java agent, unless an additional attack vector would allow write permissions to the host system. Nonetheless, newer versions of the New Relic Java agent will use the latest Apache versions of log4j (currently versions 2.17.1 (Java 8) and 2.12.4 (Java 7), which patches CVE-2021-44832).
We have also determined that New Relic's Java agent is NOT vulnerable to either CVE-2021-45046 or CVE-2021-45105. This is because the agent's use of log4j sits behind a wrapper interface that does not use or support Thread Context Map input data, a required aspect of the vulnerability. However, we recommend updating to at least the 6.5.2 or 7.4.2 release to ensure comprehensive protection against CVE-2021-44228.
As new versions of log4j become available, we will continue to release new versions of the agent.
New Relic Java agent version | Apache log4j version |
---|---|
6.5.1 | 2.15.0 |
6.5.2 | 2.12.2 |
6.5.3 | 2.12.3 |
6.5.4 | 2.12.4 |
7.4.1 | 2.15.0 |
7.4.2 | 2.16.0 |
7.4.3 | 2.17.0 |
7.5.0+ | 2.17.1 |
Summary
New Relic has released new versions of the Java agent to address critical vulnerabilities in the open source log4j framework that could allow a malicious actor to exfiltrate data or execute arbitrary code using log messages or log message parameters.
New Relic will update this Security Bulletin and our customer guidance as new information becomes available.
Action items
To remediate CVE 2021-44228 in the New Relic Java agent, we recommend customers upgrade to agent release 6.5.2 or higher (requires Java 7 or higher) or 7.4.2 or higher (requires Java 8 or higher) as soon as possible.
If you have already upgraded to agent versions 6.5.2 or 7.4.2, you are protected against CVE 2021-44228 and do not have to upgrade again at this time. We have determined that New Relic's Java agent is NOT susceptible to either CVE-2021-45046 or CVE-2021-45105, as the agents use of log4j sits behind a wrapper interface that does not use or support Thread Context Map input data, a required aspect of the vulnerability. We recommend updating to at least the 6.5.2 or 7.4.2 release to ensure comprehensive protection against CVE-2021-44228.
重要
If you are on a version of the agent earlier than 6.5.2 or 7.4.2, or cannot upgrade your agent version, we strongly recommend you disable agent logging.
How to disable the Java agent logging
You can set your Java agent logging level to OFF
to remediate CVE-2021-44228. To do this, use any of the following options:
- Modify your local agent configuration file (search for the
log_level
parameter) (no restart is required) - Define the
newrelic.config.log_level=OFF
system property (restart required) - Set the
NEW_RELIC_LOG_LEVEL=OFF
environment variable (restart required)
You can verify that agent logging has been disabled by checking the agent log file. You should not see any new messages being written.
Disabling the Java agent logging does not affect the functionality of the agent, and there will be no degradation in observability.
Note: This workaround is recommended only as a temporary solution until you can update your agent version.
We will share more information, and additional steps for remediation, if the situation changes.
If you use log4j directly in your applications, be sure to carefully review the Apache Log4j Security Vulnerabilities. This page provides remediation details for you to consider.
Containerized private minions
The above step will remediate your New Relic Java agent only. You may also need to update your New Relic Containerized Private Minion. Please refer to NR21-04 for more information.
Technical vulnerability information
- CVE-2021-44228 CVSS 10.0
- CVE-2021-45046 CVSS 9.0
- CVE-2021-45105 CVSS 7.5
- CVE-2021-44832 CVSS 6.6
- Security guidance for New Relic customers related to Apache Log4j vulnerabilities
- How to help identify systems with vulnerable log4j versions using New Relic
- Apache log4j Security Vulnerabilities
- New Relic Support Forum
Frequently asked questions
Publication history
March 3, 2022: NR21-03 Revision:
- Updated references to Java agent versions 6.5.4 & 7.5.0
December 29, 2021: NR21-03 Revision:
- Updated to reflect agent findings on CVE-2021-44832
December 22, 2021: NR21-03 Major Revision:
- New fix versions 6.5.3 and 7.4.3 available to address CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.
- Addition of exploitability risk assessments for each vulnerability, to aid customers in making remediation decisions.
- Addition of content regarding lack of functionality impact for customers that disable agent logging.
December 17, 2021: NR21-03 Revision:
- Change in severity and technical description of CVE-2021-45046
December 16, 2021: NR21-03 Major Revision:
- New fix version 6.5.2 available to address both CVE-2021-44228 and CVE-2021-45046.
- Change in guidance regarding sufficiency of log4j version 2.15.0 to protect against exploitation of CVE-2021-44228.
- Change in recommended workaround.
- Update of NIST technical description of CVE-2021-44228.
December 14, 2021: NR21-03 Major Revision:
- New fix version 7.4.2 available to address both CVE-2021-44228 and CVE-2021-45046.
- Updated to include an additional workaround option.
- Updated to provide clarity between New Relic Java agent updates and the best practices customers should take to secure their applications.
- Added technical vulnerability descriptions and CVSS scores from the National Institute of Standards and Technology (NIST).
December 13, 2021: NR21-03 updated to include more explicit workaround guidance and FAQs
December 10, 2021: NR21-03 published
Report security vulnerabilities to New Relic
New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities.