Security guidance for New Relic customers related to Apache Log4j vulnerabilities

New Relic has released Java Agent and Containerized Private Minion updates to address a critical vulnerability in the open-source Apache Log4j framework that was publicly disclosed on December 9, 2021, as well as an additional, low-risk vulnerability disclosed on December 14, 2021. The critical vulnerability (CVE-2021-44228) can be exploited to allow malicious actors to control systems remotely or exfiltrate data. As a valued New Relic customer, we want to provide you with more information about the vulnerability, what New Relic is doing to protect our systems against this vulnerability, and steps you can take to protect your organization from this issue. 

New Relic will update our Security Bulletins and customer guidance as new information becomes available. 

What has New Relic been doing to protect your data since the vulnerability was announced?

New Relic’s Security Response process was initiated shortly after the log4j vulnerability was published on December 9, 2021. Working with our established vulnerability management processes, our engineering teams rapidly released updates. Our teams are diligently working with New Relic engineers, our partners, vendors, and subprocessors to ensure we have comprehensive remediation across our internal infrastructure. 

What is the Apache Log4j JNDI Vulnerability CVE-2021-44228?

According to the NIST National Vulnerability Database,  Apache Log4j2 <=2.14.1 JNDI “features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.”  

Additionally, this vulnerability can be leveraged for data exfiltration even in scenarios where remote code execution has been mitigated. For this reason we advise, for CVE-2021-44228, updating all instances of log4j to 2.15.0 or implementing appropriate technical mitigations regardless of your current version of Java. 

What is the Apache Log4j CVE-2021-45046?

NIST National Vulnerability Database notes that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.” 

Additionally, “Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).”

Thank you for putting your trust in New Relic

Keeping customer data secure is New Relic’s top priority; we have a well-established security program that includes vulnerability management components that continuously scan and monitor our applications and systems for new vulnerabilities. The vulnerability management program is reviewed annually as part of our SOC2 certification, and we are happy to share our latest SOC2 report as well as further details of our program under NDA.

As always, if you have any questions or need additional help, please reach out to your Account Team or visit support.newrelic.com to engage our Support Team.

Thank you,

The New Relic Security Team