Elastic-apm-agent-1.33.0.jar flagged by security scan

Our internal security team is running a scanning tool that is flagging the apm-agent-1.33.0.jar file as being insecure and vulnerable to the log4j vulnerability (CVE-2021-44228). In further investigation they found the apm-agent-java has a dependency on log4j 2.12.4, which is impacted by the vulnerability CVE-2021-44228.

Here is the link to the Elastic git code showing the dependency: apm-agent-java/pom.xml at main · elastic/apm-agent-java · GitHub

Can someone please verify if there are vulnerabilities with this version of the apm-agent that we should address? Thank you.

Thank you for your report.

Elastic's security reporting guidelines are available at Security issues | Elastic.

Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.

Ok, I will send an email. Thank you for the information. This issue can be closed.

This is probably a false finding - see log4j history review and more info in our FAQ.
If there’s a new vulnerability that’s not yet patched in the latest version of the Elastic APM Java Agent, please report as @dadoonet describes.

https://logging.apache.org/log4j/2.x/security.html#fixed-in-log4j-2-17-1-java-8-2-12-4-java-7-and-2-3-2-java-6

2.12.4 is not vulnerable to CVE-2021-44228
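One way to triage a finding like this locally, as an added example that is not part of the thread or of Elastic's code: read the log4j-core version out of the jar's Maven metadata and compare it with the first fixed release of that version's branch. The CVE-2021-44832 thresholds (2.17.1 / 2.12.4 / 2.3.2) are the ones on the Apache page linked above; the CVE-2021-44228 thresholds (2.15.0 / 2.12.2 / 2.3.1) are taken from Apache's advisory for that CVE; the pom.properties path is standard Maven layout and the sample jar is constructed, and a shaded agent jar may relocate or drop that metadata (an assumption this example makes explicit).

```python
"""Triage a scanner's log4j finding: read the log4j-core version bundled in a
jar and compare it with the first fixed release of its branch. Added example for
this thread, not Elastic's code. Assumption: the jar keeps Maven's pom.properties
for log4j-core (shaded jars may drop or relocate it)."""
import io
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First fixed release per branch: Java 6 (2.3.x), Java 7 (2.12.x), Java 8 (main).
FIXED = {
    "CVE-2021-44228": {"2.3": (2, 3, 1), "2.12": (2, 12, 2), "main": (2, 15, 0)},
    "CVE-2021-44832": {"2.3": (2, 3, 2), "2.12": (2, 12, 4), "main": (2, 17, 1)},
}

def parse_version(text):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version {text!r}")
    return tuple(int(g) for g in m.groups())

def is_fixed(version, cve):
    """True when `version` is at or past the first fixed release of its branch."""
    table = FIXED[cve]
    threshold = table.get(f"{version[0]}.{version[1]}", table["main"])
    return version >= threshold

def triage_jar(jar_bytes, cves=tuple(FIXED)):
    """Report the bundled log4j-core version and per-CVE fixed status for a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        # Many scanners key on a JndiLookup class; fixed releases still ship it
        # (JNDI restricted or disabled), so its presence alone proves nothing.
        jndi = any(n.endswith("lookup/JndiLookup.class") for n in names)
        if POM_PROPS not in names:
            return {"version": None, "jndi_lookup_present": jndi, "fixed": {}}
        props = dict(line.split("=", 1) for line in
                     jar.read(POM_PROPS).decode().splitlines() if "=" in line)
    version = parse_version(props["version"])
    return {"version": ".".join(map(str, version)), "jndi_lookup_present": jndi,
            "fixed": {cve: is_fixed(version, cve) for cve in cves}}

def build_sample_jar(version, with_jndi_lookup=True):
    """Constructed stand-in for a scanned jar; not the real agent jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            jar.writestr("shaded/log4j/core/lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Running `triage_jar(build_sample_jar("2.12.4"))` reports both CVEs as fixed even though the JndiLookup class is present, which is the situation the scanner in this thread misread.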
