We are using the apm-agent library (apm-agent-attach) in a Java application, and we've seen that the latest version of apm-agent (1.52.1) comes with log4j 2.12.4, which has some vulnerabilities.
Are there any plans to launch a new version of apm-agent with a newest version of log4j, or even with logback instead of it? Or any alternatives to avoid having a vulnerable version of log4j...
Which vulnerabilities? 2.12.4 is a patched version that includes the latest vulnerability fixes, the same as 2.24.3. We use 2.12.4 as it's the latest log4j that supports java 7. It's possible you are getting false positive security failures.
If your security scanning tool is unable to correct its scanning and you need to satisfy it, you can use the Java 8+ version of the agent, which depends on log4j 2.24+.
Checking the endoflife Apache webpage, Log4j 2.12.2 was released as an emergency release (to fix CVE-2021-45046 and CVE-2021-44228) and is the last 2.x release to support Java 7. The Log4j team no longer supports Java 7, so this release (while fixing the vulnerability) is no longer supported. This is a problem for some companies which have to be compliant with their IT risk policies. Could the apm-agent-attach-java8 file be created to include elastic-apm-agent-java8?
This is a known issue with lots of dependency scanning software, we even mention it in our FAQ page that using our agent should be safe regarding the version of Log4j.
If you can't change the rules or the tool that does this risk assessment, you should be able to switch to the java8 variant; however, as you've found, this also requires switching to the -javaagent JVM argument for agent setup. Also, if the tool you were using was relying on application dependencies like the ones defined in the maven/gradle project, this would no longer be represented as a risk, as the agent should not be used as a regular application dependency and would thus be removed from this project descriptor.
Another alternative could also be to use the CLI attach setup and provide the java8 variant of the agent.
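Added example (not Elastic's code) for verifying the replies above on your own side: instead of trusting a scanner's flat version match, read the Maven metadata a bundled log4j-core leaves inside a jar and compare it against the patched minimums cited in this thread. The sample jar is constructed inline, and the 2.12.4 / 2.24.3 thresholds are assumptions taken from the replies, not an official list.

```python
import io
import re
import zipfile

# Minimum log4j-core version per major.minor line that carries the fixes, taken
# from the thread: 2.12.4 (last line supporting Java 7) and 2.24.3 (current).
# Assumption: anything at or above the minimum within its own line is patched;
# a line not listed here is reported as unknown rather than assumed safe.
MIN_PATCHED = {(2, 12): (2, 12, 4), (2, 24): (2, 24, 3)}
LOG4J_GROUP = "org.apache.logging.log4j"
POM_RE = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def build_sample_jar(version: str) -> bytes:
    """Constructed stand-in for an agent jar: a zip holding only the Maven
    pom.properties a bundled log4j-core leaves behind. Not a real artifact."""
    props = f"#Generated by Maven\nversion={version}\ngroupId={LOG4J_GROUP}\nartifactId=log4j-core\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{LOG4J_GROUP}/log4j-core/pom.properties", props)
    return buf.getvalue()


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.strip().split("."))


def find_log4j(jar_bytes: bytes) -> dict:
    """Return {artifactId: version_tuple} for each log4j artifact whose Maven
    pom.properties is in the jar; these files are what most scanners key on."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            match = POM_RE.search(name)
            if not match or match.group(1) != LOG4J_GROUP:
                continue
            lines = zf.read(name).decode("utf-8").splitlines()
            props = dict(line.split("=", 1) for line in lines
                         if "=" in line and not line.startswith("#"))
            found[match.group(2)] = parse_version(props["version"])
    return found


def assess(jar_bytes: bytes) -> dict:
    """Classify each bundled log4j artifact as patched / vulnerable / unknown-line."""
    result = {}
    for artifact, version in find_log4j(jar_bytes).items():
        minimum = MIN_PATCHED.get(version[:2])
        if minimum is None:
            result[artifact] = "unknown-line"
        else:
            result[artifact] = "patched" if version >= minimum else "vulnerable"
    return result
```

Point `find_log4j` at the bytes of the real agent jar to see which version is actually bundled; a result of `unknown-line` means the policy table needs a decision, not that the jar is safe.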