Our internal security team is running a scanning tool that is flagging the apm-agent-1.33.0.jar file as insecure and vulnerable to the log4j vulnerability (CVE-2021-44228). On further investigation they found that apm-agent-java has a dependency on log4j 2.12.4, which is impacted by the vulnerability CVE-2021-44228.
Here is the link to the Elastic git code showing the dependency: apm-agent-java/pom.xml at main · elastic/apm-agent-java · GitHub
Can someone please verify whether there are vulnerabilities in this version of the apm-agent that we should address? Thank you.
Thank you for your report.
Elastic's security reporting guidelines are available at Security issues | Elastic.
Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to firstname.lastname@example.org.
We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.
Ok, I will send an email. Thank you for the information. This issue can be closed.
This is probably a false finding - see log4j history review and more info in our FAQ.
If there’s a new vulnerability that’s not yet patched in the latest version of the Elastic APM Java Agent, please report as @dadoonet describes.
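One way to check what a flagged jar actually bundles before accepting a scanner's verdict, added here as an example and not code from the thread or from the Elastic project: it reads the bundled log4j-core pom.properties, looks for the JndiLookup class, and compares the version against the releases in which Apache fixed CVE-2021-44228 (2.15.0, 2.12.2 on the 2.12 branch, 2.3.1 on the 2.3 branch). The sample jar is constructed in memory; the paths assume the standard Maven layout, so a relocated (shaded) copy of log4j would not be found.

```python
import io
import re
import zipfile

# Releases that fixed CVE-2021-44228 on the older maintained branches;
# anything at or above 2.15.0 is fixed on the main line.
FIXED_ON_BRANCH = {12: (2, 12, 2), 3: (2, 3, 1)}
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(props_text):
    """Extract (major, minor, patch) from a Maven pom.properties file."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", props_text, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(v):
    """True when v is a log4j-core 2.x release older than the fix on its branch."""
    if v is None or v[0] != 2 or v >= (2, 15, 0):
        return False
    fix = FIXED_ON_BRANCH.get(v[1])
    return v < fix if fix else True


def inspect_jar(jar_bytes):
    """Report the bundled log4j-core version and whether the JNDI lookup class is present.

    A vulnerable version whose JndiLookup.class was stripped (a common
    mitigation) is not flagged, since the lookup cannot be reached.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
    return {
        "log4j_core_version": version,
        "jndi_lookup_present": JNDI_CLASS in names,
        "cve_2021_44228": is_vulnerable_version(version) and JNDI_CLASS in names,
    }


def build_jar(version, include_jndi=True):
    """Constructed sample jar mimicking a bundled log4j-core (not a real agent jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_jar(build_jar("2.12.4")))
```

Running it on the real jar means calling inspect_jar on the file's bytes; a scanner that matches on "log4j 2.x below 2.15" alone will flag 2.12.4 even though that branch was fixed at 2.12.2.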