Upgrade log4j-core version bump to fix CVE-2021-44228 #603
The latest Log4J2 tag right now is (It's not clear that the New Relic Agent can serve as an attack vector, but upgrading the dependency is easier than proving that no action is necessary.) I updated the Picnic fork of New Relic Agent 7.4.0 to include this change (JAR, diff).
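The description above sidesteps the "is the agent actually exposed?" question by bumping the dependency; the same question comes up later in the thread for older agent builds that will not get a point release. The scanner below is an added example (it is not part of this PR or of the New Relic agent): it opens a JAR, recurses into any JARs nested inside it, reads the log4j-core version from the Maven `pom.properties` that log4j-core JARs carry, and reports whether that version predates the CVE-2021-44228 fix (2.15.0 on the main line, 2.12.2 on the Java 7 line; 2.13.x never received a fix). It also matches `JndiLookup.class` by path suffix so a relocated ("shaded") copy under another package prefix is still noticed; the `build_sample_jar` helper and its contents are constructed test input, not a real log4j artifact.

```python
"""Added example, not New Relic agent code: find log4j-core inside a JAR (nested
JARs included) and report whether it predates the CVE-2021-44228 fix."""
import io
import re
import sys
import zipfile
from typing import Dict, List, Optional, Tuple

# Both markers are matched with endswith() so shaded/relocated copies under a
# different package prefix are still found.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_ARCHIVES = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-rc1' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-", 1)[0]))


def is_fixed(version: Tuple[int, ...]) -> bool:
    """True if the version carries the CVE-2021-44228 fix: 2.15.0 or later on
    the main line, 2.12.2 or later on the Java 7 line. 2.13.x never got one."""
    v = (version + (0, 0, 0))[:3]
    if v[:2] == (2, 12):
        return v >= (2, 12, 2)
    return v >= (2, 15, 0)


def _scan(zf: zipfile.ZipFile, path: str, out: List[Dict]) -> None:
    version: Optional[str] = None
    jndi = False
    for name in zf.namelist():
        if name.endswith(JNDI_LOOKUP_CLASS):
            jndi = True
        elif name.endswith(POM_PROPERTIES):
            props = zf.read(name).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            if m:
                version = m.group(1).strip()
        elif name.lower().endswith(NESTED_ARCHIVES):
            # Agent and application archives commonly bundle their dependencies.
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan(inner, f"{path}!/{name}", out)
            except zipfile.BadZipFile:
                pass  # named like an archive but is not one; skip it
    if version is None and not jndi:
        return  # no trace of log4j-core in this archive
    if version is not None:
        status = "fixed" if is_fixed(parse_version(version)) else "vulnerable"
    else:
        # JndiLookup is present even in fixed releases, so without a version
        # string the archive needs a manual look rather than a verdict.
        status = "review"
    out.append({"path": path, "version": version,
                "jndi_lookup_present": jndi, "status": status})


def scan_jar_bytes(data: bytes, path: str = "<memory>") -> List[Dict]:
    """Scan an in-memory archive; one finding per archive that contains log4j-core."""
    out: List[Dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        _scan(zf, path, out)
    return out


def scan_jar_file(filename: str) -> List[Dict]:
    with open(filename, "rb") as fh:
        return scan_jar_bytes(fh.read(), filename)


def build_sample_jar(version: Optional[str], with_jndi: bool, nested: bytes = b"") -> bytes:
    """Constructed test input: a minimal JAR with the markers a real log4j-core
    JAR has (pom.properties, JndiLookup.class), optionally nesting another JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(f"META-INF/maven/{POM_PROPERTIES}",
                        f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        if nested:
            zf.writestr("lib/inner.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for finding in scan_jar_file(sys.argv[1]):
            print(finding)
    else:
        demo = build_sample_jar(None, False, nested=build_sample_jar("2.14.1", True))
        for finding in scan_jar_bytes(demo, "demo.jar"):
            print(finding)
```

Run it as `python scan.py newrelic.jar` against a real agent JAR. A "vulnerable" finding is decisive; a "review" finding (class present, no Maven metadata) means the archive was repackaged and the version has to be confirmed another way, which is exactly the case where bumping the dependency is cheaper than proving nothing needs doing.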
Thanks for the PR @ryan-lane !
@Stephan202 We ended up in a code freeze that will push our mid December release into Jan. I'll get this in front of the team to see what we need to do to break the freeze and about getting a point release out.
@tbradellis tnx! As for my earlier remark: apache/logging-log4j2#608 (comment) confirms that (All of apache/logging-log4j2#608 is worth a read, I think.)
Quick update. We will be doing a point release, along with some other effort (the exact of which is undetermined at the moment) to help customers address older NR java agent builds.
lgtm
Is it being backported to java agent 5.x? Ref: #605 (comment)
@aSapien no, we will not be backporting to either the 4.x or 5.x code base. Per our security bulletin, if you cannot upgrade your agent to either