Upgrade log4j-core version bump to fix CVE-2021-44228

[ryan-lane]

Overview

log4j-core version bump to fix CVE-2021-44228

[CLAassistant]

All committers have signed the CLA.

[Stephan202]

The latest Log4J2 tag right now is log4j-2.15.0-rc2, so it's not 100% clear what the contents of the 2.15.0 release on Maven Central are (somebody asked about it here: apache/logging-log4j2#608 (comment)), but given the severity of the issue it'd be good to see a release with this change.

(It's not clear that the New Relic Agent can serve as an attack vector, but upgrading the dependency is easier than proving that no action is necessary.)

I updated the Picnic fork of New Relic Agent 7.4.0 to include this change (JAR, diff).

[tbradellis]

Thanks for the PR @ryan-lane !

(It's not clear that the New Relic Agent can serve as an attack vector, but upgrading the dependency is easier than proving that no action is necessary.)

@Stephan202 We ended up in a code freeze that will push our mid December release into Jan. I'll get this in front of the team to see what we need to do to break the freeze and about getting a point release out.

[Stephan202]

@tbradellis tnx!

As for my earlier remark: apache/logging-log4j2#608 (comment) confirms that log4j-2.15.0-rc2 indeed matches the code published to Maven Central as 2.15.0.

(All of apache/logging-log4j2#608 is worth a read, I think.)

[tbradellis]

quick update. We will be doing a point release, along with some other effort (the exact of which is undetermined at the moment) to help customers address older NR java agent builds.

[tbradellis]

lgtm

[aSapien]

Is it being backported to java agent 5.x?

Ref: #605 (comment)

[kford-newrelic]

@aSapien no, we will not be backporting to either the 4.x or 5.x code base. Per our security bulletin, if you cannot upgrade your agent to either 6.5.2 or 7.4.3, we recommend that you turn agent logging OFF until you can upgrade.