
Apache Log4j Critical Vulnerability CVE-2021-44228 - CPM

Summary

New Relic released Containerized Private Minion (CPM) version 3.0.58 on 2021-12-21 to address the critical vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 in the open source Apache Log4j framework. A malicious actor may be able to execute arbitrary code using log messages or log message parameters.

New Relic also released Helm Charts version 1.0.46 on 2021-12-21 to address these vulnerabilities. Helm Charts version 1.0.46 contains the CPM version 3.0.58.

New Relic will update this Security Bulletin and our customer guidance as new information becomes available.

Vulnerability identifier: NR21-04

Priority: Critical

Affected software

Versions affected: All supported containerized private minion (CPM) versions prior to 3.0.58

Fixed version: 3.0.58, also available through Helm Charts version 1.0.46

New Relic Containerized Private Minion (CPM) version    Apache Log4j version
3.0.55                                                  2.15.0
3.0.57                                                  2.16.0
3.0.58                                                  2.17.0

If you use Helm Charts to update your CPM configurations, you will want to implement New Relic Helm Charts version 1.0.46. This will update your CPM to version 3.0.58.

Action items

To remediate CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 in the New Relic Containerized Private Minion, we recommend customers upgrade to version 3.0.58 as soon as possible. This version has been updated to use the remediated 2.17.0 version of the Apache Log4j framework. You may update your CPM through Helm Charts version 1.0.46.

This step will remediate your New Relic Containerized Private Minion (CPM) only. You may also need to update your New Relic Java agent. Please refer to NR21-03 for more information.

Customers using log4j directly in their applications should carefully review the Apache Log4j Security Vulnerabilities page for remediation details that should be considered.
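The following triage helper checks a cluster's pod listing against the fixed CPM version stated in this bulletin (3.0.58) and reports, for each minion container, whether it is fixed, still affected, or cannot be verified because it runs a floating tag or digest. It is an added example, not New Relic code; the image repository substring and the pod listing are constructed placeholders, and a real run would feed it the output of `kubectl get pods -o json`.

```python
import json
import re

FIXED_CPM_VERSION = (3, 0, 58)  # fixed CPM release per NR21-04; Helm Charts 1.0.46 ships it
CPM_LOG4J = {"3.0.55": "2.15.0", "3.0.57": "2.16.0", "3.0.58": "2.17.0"}  # bulletin table
# ASSUMPTION: substring identifying the CPM image repository in your registry.
CPM_REPO_HINT = "synthetics-minion"

def parse_version(tag: str) -> tuple[int, ...]:
    """'3.0.57' -> (3, 0, 57); 'latest' has no release number and raises."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"tag {tag!r} does not pin a CPM release")
    return tuple(int(x) for x in m.groups())

def split_image(image: str) -> tuple[str, str]:
    """'reg:5000/ns/repo:tag' -> (repo path, tag); digest or untagged refs get tag ''."""
    if "@" in image:
        return image.split("@", 1)[0], ""
    repo, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:  # untagged, or the ':' belongs to a registry port
        return image, ""
    return repo, tag

def assess_pods(pod_list_json: str) -> list[dict[str, str]]:
    """One finding per CPM container in `kubectl get pods -o json` output."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        for c in pod["spec"]["containers"]:
            repo, tag = split_image(c["image"])
            if CPM_REPO_HINT not in repo:
                continue  # not a CPM container (Java agents are covered by NR21-03)
            try:
                status = "fixed" if parse_version(tag) >= FIXED_CPM_VERSION else "affected"
            except ValueError:
                status = "unverifiable"  # floating tag or digest: pin the release instead
            findings.append({"pod": pod["metadata"]["name"], "tag": tag, "status": status,
                             "log4j": CPM_LOG4J.get(tag, "unknown")})
    return findings

def _pod(name: str, image: str) -> dict:  # minimal pod record for the constructed sample
    return {"metadata": {"name": name}, "spec": {"containers": [{"image": image}]}}

# Constructed sample listing (not real cluster output): lagging, fixed, floating, unrelated.
SAMPLE_PODS = json.dumps({"items": [
    _pod("minion-a", "quay.example/newrelic/synthetics-minion:3.0.57"),
    _pod("minion-b", "registry.example:5000/newrelic/synthetics-minion:3.0.58"),
    _pod("minion-c", "quay.example/newrelic/synthetics-minion:latest"),
    _pod("web", "nginx:1.21"),
]})
```

A container reported as "unverifiable" is not known to be fixed: repin it to an explicit 3.0.58 (or later) tag rather than trusting a floating tag.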

Vulnerability information

A high-severity vulnerability in the Log4j framework was publicly disclosed on 2021-12-09. An attacker is able to execute arbitrary code using log messages or log message parameters.

Frequently asked questions

Publication history

  • December 22, 2021: NR21-04 Major Revision:
    • New fix version 3.0.58 available to address CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.
    • Addition of Helm Charts version 1.0.46 that contains the CPM 3.0.58 update.
  • December 17, 2021: NR21-04 Revision: Change in severity and technical description of CVE-2021-45046.
  • December 16, 2021: NR21-04 Major Revision:
    • Change in guidance regarding sufficiency of CPM 3.0.55 containing Log4j version 2.15.0 to protect against exploitation of CVE-2021-44228.
    • Addition of Helm Charts version 1.0.45 that contains the CPM 3.0.57 update.
    • Update of NIST technical description of CVE-2021-44228.
  • December 14, 2021: NR21-04 Major Revision:
    • New fix version 3.0.57 released to address both CVE-2021-44228 and CVE-2021-45046.
    • Updated to provide better clarity between New Relic CPM updates and the best practices customers should take to secure their applications.
    • Added FAQ section.
  • December 13, 2021: NR21-04 published

Report security vulnerabilities to New Relic

New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities.

Copyright © 2022 New Relic Inc.