Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade log4j-core version bump to fix CVE-2021-44228 #603

Merged
merged 1 commit into from
Dec 10, 2021

Conversation

ryan-lane
Copy link
Contributor

Overview

log4j-core version bump to fix CVE-2021-44228

@CLAassistant
Copy link

CLAassistant commented Dec 10, 2021

CLA assistant check
All committers have signed the CLA.

Stephan202 pushed a commit to PicnicSupermarket/newrelic-java-agent that referenced this pull request Dec 10, 2021
@Stephan202
Copy link
Contributor

The latest Log4J2 tag right now is log4j-2.15.0-rc2, so it's not 100% clear what the contents of the 2.15.0 release on Maven Central are (somebody asked about it here: apache/logging-log4j2#608 (comment)), but given the severity of the issue it'd be good to see a release with this change.

(It's not clear that the New Relic Agent can serve as an attack vector, but upgrading the dependency is easier than proving that no action is necessary.)

I updated the Picnic fork of New Relic Agent 7.4.0 to include this change (JAR, diff).

@tbradellis
Copy link
Contributor

Thanks for the PR @ryan-lane !

(It's not clear that the New Relic Agent can serve as an attack vector, but upgrading the dependency is easier than proving that no action is necessary.)

@Stephan202 We ended up in a code freeze that will push our mid December release into Jan. I'll get this in front of the team to see what we need to do to break the freeze and about getting a point release out.

@Stephan202
Copy link
Contributor

@tbradellis tnx!

As for my earlier remark: apache/logging-log4j2#608 (comment) confirms that log4j-2.15.0-rc2 indeed matches the code published to Maven Central as 2.15.0.

(All of apache/logging-log4j2#608 is worth a read, I think.)

@tbradellis
Copy link
Contributor

quick update. We will be doing a point release, along with some other effort (the exact of which is undetermined at the moment) to help customers address older NR java agent builds.

@tbradellis tbradellis self-assigned this Dec 10, 2021
Copy link
Contributor

@tbradellis tbradellis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@tbradellis tbradellis merged commit c19781e into newrelic:main Dec 10, 2021
@meiao meiao linked an issue Dec 10, 2021 that may be closed by this pull request
6 tasks
@aSapien
Copy link

aSapien commented Dec 12, 2021

Is it being backported to java agent 5.x?

Ref: #605 (comment)

@kford-newrelic
Copy link
Contributor

@aSapien no, we will not be backporting to either the 4.x or 5.x code base. Per our security bulletin, if you cannot upgrade your agent to either 6.5.2 or 7.4.3, we recommend that you turn agent logging OFF until you can upgrade.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

Update Java agent to use new version of log4j 2
7 participants