Our internal security team is running a scanning tool that is flagging the apm-agent-1.33.0.jar file as being insecure and vulnerable to the log4j vulnerability (CVE-2021-44228). On further investigation they found the apm-agent-java has a dependency on log4j 2.12.4 which is impacted by the vulnerability CVE-2021-44228.
Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.
We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.
This is probably a false finding - see log4j history review and more info in our FAQ.
If there’s a new vulnerability that’s not yet patched in the latest version of the Elastic APM Java Agent, please report as @dadoonet describes.
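One way to triage a scanner hit like this locally, as an added example that is not from the thread or from the Elastic APM agent project: it opens the jar, reads the bundled log4j-core version from its pom.properties and checks whether the JndiLookup class is present (matching on path suffixes so a relocated/shaded copy is still found), then compares the version against the CVE-2021-44228 fix releases 2.15.0 (Java 8+), 2.12.2 (Java 7) and 2.3.1 (Java 6). The sample jar is constructed inline for the demo; the real agent jar's internal layout is assumed, not verified.

```python
# Added example: triage a log4j CVE-2021-44228 scanner finding by inspecting the jar.
# Not part of the thread; the jar layout used in build_sample_jar() is constructed.
import re
import zipfile
from pathlib import Path
from tempfile import TemporaryDirectory

JNDI_LOOKUP_SUFFIX = "log4j/core/lookup/JndiLookup.class"
POM_SUFFIX = "log4j-core/pom.properties"
FIXED = {"2.12": (2, 12, 2), "2.3": (2, 3, 1)}  # Java 7 and Java 6 maintenance branches
FIXED_DEFAULT = (2, 15, 0)                        # main 2.x line


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from a Maven pom.properties body."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else ()


def assess_jar(path) -> dict:
    """Report bundled log4j-core version, JndiLookup presence and a CVE-2021-44228 verdict."""
    versions, has_jndi = [], False
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():            # suffix match catches shaded/relocated paths
            if name.endswith(POM_SUFFIX):
                versions.append(parse_version(zf.read(name).decode("utf-8", "replace")))
            elif name.endswith(JNDI_LOOKUP_SUFFIX):
                has_jndi = True
    version = min((v for v in versions if v), default=())
    if not version:
        verdict = "no log4j-core metadata found"
    else:
        fixed = FIXED.get(f"{version[0]}.{version[1]}", FIXED_DEFAULT)
        verdict = "vulnerable" if has_jndi and version < fixed else "not vulnerable"
    return {"version": version, "jndi_lookup": has_jndi, "cve_2021_44228": verdict}


def build_sample_jar(path, version: str, with_jndi: bool = True) -> None:
    """Constructed sample: a shaded log4j-core with the given version (demo data only)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if with_jndi:   # class body is a placeholder; only the entry name matters here
            zf.writestr("shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")


def assess_sample(version: str, with_jndi: bool = True) -> dict:
    """Build a constructed sample jar in a temp dir and assess it."""
    with TemporaryDirectory() as d:
        jar = Path(d) / "sample.jar"
        build_sample_jar(jar, version, with_jndi)
        return assess_jar(jar)


if __name__ == "__main__":
    print(assess_sample("2.12.4"))   # the version named in the thread: JndiLookup present but patched
```

Run it against the real jar with `assess_jar("apm-agent-1.33.0.jar")`; a version at or above the branch's fix release means the scanner matched on the library name rather than on an exploitable build.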