Summary
New Relic released Containerized Private Minion (CPM) version 3.0.58 on 2021-12-21 to address the critical vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 in the open source Apache Log4j framework. A malicious actor may be able to execute arbitrary code using log messages or log message parameters.
New Relic also released Helm Charts version 1.0.46 on 2021-12-21 to address these vulnerabilities. Helm Charts version 1.0.46 contains the CPM version 3.0.58.
New Relic will update this Security Bulletin and our customer guidance as new information becomes available.
Vulnerability identifier: NR21-04
Priority: Critical
Affected software
Versions affected: All supported Containerized Private Minion (CPM) versions prior to 3.0.58
Fixed version: 3.0.58, also available through Helm Charts version 1.0.46
| New Relic Containerized Private Minion (CPM) version | Apache log4j version |
|---|---|
| 3.0.55 | 2.15.0 |
| 3.0.57 | 2.16.0 |
| 3.0.58 | 2.17.0 |
If you use Helm Charts to manage your CPM configuration, upgrade to New Relic Helm Charts version 1.0.46. This updates your CPM to version 3.0.58.
Action items
To remediate CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 in the New Relic Containerized Private Minion, we recommend customers upgrade to version 3.0.58 as soon as possible. This version has been updated to use the remediated 2.17.0 version of the Apache Log4j framework. You may update your CPM through Helm Charts version 1.0.46.
This step will remediate your New Relic Containerized Private Minion (CPM) only. You may also need to update your New Relic Java agent. Please refer to NR21-03 for more information.
Customers using log4j directly in their applications should carefully review the Apache Log4j Security Vulnerabilities page for the remediation details that apply to them.
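The table above maps each CPM release to its bundled Log4j version, and the action items set the remediation threshold at CPM 3.0.58 (Helm Charts 1.0.46). The script below is an added example for this bulletin, not New Relic code: it triages a constructed inventory of CPM deployments against those thresholds and reports which ones still need the upgrade and which upgrade path applies. The deployment names, the `3.0.9` entry and the Helm chart values are constructed sample data; the thresholds and the CPM-to-Log4j mapping are taken from the bulletin text.

```python
"""Triage a fleet of New Relic CPM deployments against bulletin NR21-04.

Added example for this bulletin, not New Relic code. The inventory below is
constructed sample data; the thresholds (CPM 3.0.58, Helm Charts 1.0.46,
Log4j 2.17.0) and the CPM-to-Log4j mapping come from the bulletin text.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIXED_CPM = "3.0.58"
FIXED_HELM = "1.0.46"
FIXED_LOG4J = "2.17.0"

# CPM release -> bundled Log4j version, as published in the bulletin's table.
CPM_LOG4J: Dict[str, str] = {
    "3.0.55": "2.15.0",
    "3.0.57": "2.16.0",
    "3.0.58": "2.17.0",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'x.y.z' into a comparable tuple of ints; rejects non-numeric parts."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True when version a sorts before version b, comparing component by component
    as integers (a plain string comparison would rank '3.0.9' after '3.0.58')."""
    return parse_version(a) < parse_version(b)


@dataclass
class Deployment:
    name: str
    cpm_version: str
    helm_chart_version: Optional[str] = None  # None when CPM is run without Helm


@dataclass
class Finding:
    name: str
    cpm_version: str
    log4j_version: Optional[str]  # None when the release is not listed in the bulletin
    action: str


def assess(dep: Deployment) -> Optional[Finding]:
    """Return a Finding when the deployment still needs the NR21-04 remediation."""
    if not version_lt(dep.cpm_version, FIXED_CPM):
        return None  # already at or beyond the fixed release
    log4j = CPM_LOG4J.get(dep.cpm_version)
    if dep.helm_chart_version is not None:
        action = f"upgrade Helm Charts to {FIXED_HELM} (delivers CPM {FIXED_CPM})"
    else:
        action = f"upgrade CPM to {FIXED_CPM}"
    return Finding(dep.name, dep.cpm_version, log4j, action)


def triage(inventory: List[Deployment]) -> List[Finding]:
    """Return findings for every deployment that is still below the fixed release."""
    return [f for f in (assess(d) for d in inventory) if f is not None]


# Constructed sample inventory for this example.
SAMPLE_INVENTORY = [
    Deployment("minion-us-east", "3.0.55", None),
    Deployment("minion-eu-west", "3.0.57", "1.0.45"),
    Deployment("minion-ap-south", "3.0.58", "1.0.46"),
    Deployment("minion-lab", "3.0.9", None),  # constructed version; string compare would miss it
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        bundled = f.log4j_version or "not listed in the bulletin"
        print(f"{f.name}: CPM {f.cpm_version} (Log4j {bundled}) -> {f.action}")
```

The version comparison is the part worth getting right: an inventory query that sorts version strings lexically treats `3.0.9` as newer than `3.0.58` and silently drops it from the remediation list, so versions are split into integer components before comparison, and anything that does not parse is rejected rather than guessed at.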
Vulnerability information
A high-severity vulnerability in the log4j framework was publicly disclosed on 2021-12-09. An attacker is able to execute arbitrary code using log messages or log message parameters.
- CVE-2021-44228 CVSS 10.0
- CVE-2021-45046 CVSS 9.0
- CVE-2021-45105 CVSS 7.5
- Security guidance for New Relic customers related to Apache Log4j vulnerabilities
- How to help identify systems with vulnerable log4j versions using New Relic
- Apache log4j Security Vulnerabilities
- New Relic Support Forum
Frequently asked questions
Publication history
December 22, 2021: NR21-04 Major Revision:
- New fix version 3.0.58 available to address CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.
- Addition of Helm Charts version 1.0.46 that contains the CPM 3.0.58 update.
December 17, 2021: NR21-04 Revision: Change in severity and technical description of CVE-2021-45046.
December 16, 2021: NR21-04 Major Revision:
- Change in guidance regarding sufficiency of CPM 3.0.55 containing log4j version 2.15.0 to protect against exploitation of CVE-2021-44228.
- Addition of Helm Charts version 1.0.45 that contains the CPM 3.0.57 update.
- Update of NIST technical description of CVE-2021-44228.
December 14, 2021: NR21-04 Major Revision:
- New fix version 3.0.57 released to address both CVE-2021-44228 and CVE-2021-45046.
- Updated to provide better clarity between New Relic CPM updates and the best practices customers should take to secure their applications.
- Added FAQ section.
December 13, 2021: NR21-04 published
Report security vulnerabilities to New Relic
New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities.