Update Java agent to use new version of log4j 2

[kbford56]

Is your feature request related to a problem? Please describe.

A well-publicized vulnerability has been discovered with certain versions of the log4j 2 framework. Some references:

• https://www.randori.com/blog/cve-2021-44228/
• https://www.lunasec.io/docs/blog/log4j-zero-day/
• https://www.veracode.com/blog/research/exploiting-jndi-injections-java
• https://issues.apache.org/jira/browse/LOG4J2-3198
• https://logging.apache.org/log4j/2.x/security.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Feature Description

Need to publish updated maint releases for the following major agent versions (these are still under support):

• Java Agent 7.4.1
• Java Agent 6.5.1
• Java Agent 7.4.2
• Java Agent 6.5.2
• Java Agent 7.4.3
• Java Agent 6.5.3

Describe Alternatives

A workaround to the issue has been described, to disable logging by setting the log level to off.
See security bulletin NR21-03 for the latest mitigation actions.

Additional context

Older versions of the Java Agent that are not currently supported will not be updated, in alignment with our published EOL policy.

Priority

Critical

[edwardlee1]

By turning the logging level to 'off' will it temporarily remediate the vulnerability?

[aSapien]

Java Agent 5.x should also still be supported and receive security patches. Is this fix being backported to older agents?

[Firefishy]

The updated Java Agent 6.5.1 breaks JDK7 compatibility.

[JamesUoM]

The updated Java Agent 6.5.1 breaks JDK7 compatibility.

6.5.0 states it's the last version to support JDK7 but presumably the implication was from 7.x onwards. We unfortunately do need JDK7 support.

[Firefishy]

The updated Java Agent 6.5.1 breaks JDK7 compatibility.

6.5.0 states it's the last version to support JDK7 but presumably the implication was from 7.x onwards. We unfortunately do need JDK7 support.

https://discuss.newrelic.com/t/log4j-zero-day-vulnerability-and-the-new-relic-java-agent/170322 says use 6.5.1 for JDK7 compatibility, but it appear v6.5.1 is NOT compatible with JDK7 because log4j 2.15.0 is not compatible with JDK7.

[tbradellis]

The updated Java Agent 6.5.1 breaks JDK7 compatibility.

We are looking at how to best address this in the agent. For immediate remediation the thing to do will be to use the workaround recommendations indicated by log4j in conjunction with Agent 6.5.0 or other appropriate agent version that will run on Java 7:

https://logging.apache.org/log4j/2.x/security.html

Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.

[Stephan202]

@tbradellis I suppose the New Relic Agent build could be updated to exclude JndiLookup.class from the final artifact.

In any case, New Relic isn't the only one with this issue: apache/logging-log4j2#608 (comment). Let's see what the response will be 👀.