github newrelic/newrelic-java-agent v6.5.1
Version 6.5.1

2 years ago

Fixes

  • Upgraded log4j to 2.15.0 to mitigate the security vulnerability CVE-2021-44228. #605

Recommended Java versions

  • This fix is only recommended if you are running on Java 7 or are otherwise unable to upgrade to Java agent 7.4.1
  • Log4j 2.15.0, which fixes the security vulnerability CVE-2021-44228, is only compatible with Java 8+. Therefore this version of the agent is not compatible with Java 7 and is only recommended if you are using Java 8+ and are otherwise unable to upgrade to Java agent 7.4.1.

Mitigation for Java 7

Java agent versions 4.12.0 through 6.5.0 (which support Java 7) use Log4j 2.11.2, which falls into the affected range. For Java 7 users, the recommended mitigation from Apache Log4j Security Vulnerabilities is to set the system property -Dlog4j2.formatMsgNoLookups=true.

Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

Note: The alternate approach of defining the LOG4J_FORMAT_MSG_NO_LOOKUPS=true environment variable will not work with the NR Java Agent.
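To verify that a mitigation described above is actually in place, the following added example (not part of the release notes or the agent's code) scans an archive for JndiLookup.class, including relocated copies and nested jars, and checks JVM arguments for the system property form. The sample archives and the example/deps/ relocation prefix are constructed for illustration.

```python
import io
import zipfile

# Class the zip -d mitigation removes; matched as a suffix so relocated
# (shaded) copies under another package prefix are found too.
JNDI_SUFFIX = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")
PROP_PREFIX = "-Dlog4j2.formatMsgNoLookups="


def find_jndi_lookup(data, label="archive"):
    """Return the path of every JndiLookup.class, recursing into nested archives."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name.endswith(JNDI_SUFFIX):
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_EXTS):
                hits.extend(find_jndi_lookup(zf.read(name), f"{label}!/{name}"))
    return hits


def no_lookups_property_set(jvm_args):
    """True only if the system property is on the command line with value true.
    A later duplicate is treated as overriding an earlier one. The environment
    variable is deliberately not consulted (see the note above)."""
    values = [a[len(PROP_PREFIX):] for a in jvm_args if a.startswith(PROP_PREFIX)]
    return bool(values) and values[-1] == "true"


def _make_jar(entries):
    """Build a constructed sample archive in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real agent or Log4j jars.
VULNERABLE = _make_jar({JNDI_SUFFIX: b"x"})
STRIPPED = _make_jar({"org/apache/logging/log4j/core/Logger.class": b"x"})
SHADED_APP = _make_jar({"lib/agent.jar": _make_jar({"example/deps/" + JNDI_SUFFIX: b"x"}),
                        "lib/core.jar": STRIPPED})

if __name__ == "__main__":
    print(find_jndi_lookup(SHADED_APP, "app.war"))
    print(no_lookups_property_set(["-javaagent:newrelic.jar", PROP_PREFIX + "true"]))
```

An empty result from find_jndi_lookup means the class was removed from every copy in the archive; any reported path is a copy still present.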
