CVE-2021-45105 and CVE-2020-9488 vulnerabilities with java apm agent 1.28.4

After we upgraded to java apm agent version to 1.28.4 from 1.23.0 there were 2 vulnerabilities newly added

And as I see in 1.28.4 version i could see log4j version being used is 2.12.4, so is there any plan to upgrade it 2.17.0 version or any workaround to mitigate these vulnerabilities as these are being picked by application scans

Log4j 2.12.4, which is used in the Elastic APM Java Agent 1.28.4 addresses these vulnerabilities.

See also Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 and Log4j – Apache Log4j Security Vulnerabilities.

If your vulnerability scanner doesn't detect that Log4j 2.12.4/Elastic APM Java Agent 1.28.4 contains fixes to these CVEs, please get in touch with the vendor of this scanner so that they can update their policies.

The reason we can't update to Log4j 2.17.0 is that this version doesn't support Java 7. As the Java agent still does support Java 7, we're using the latest 1.12.x version which contains all the security fixes.

@felixbarny thank you for your response.

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.