Upgrade log4j-core version bump 2.16.0

[hunt3rkillerz]

Bumping to version 2.16.0 to users are protected from potential bypasses existing in pattern formatters.

Apache's patch notes for 2.16.0: The mitigation advice for CVE-2021-4428 suggests that for Log4j > 2.10.0 and < 2.15.0, the vulnerability can be avoided by setting -Dlog4j2.formatMsgNoLookups=true or upgrading to 2.15.0. However, many users may not be aware that even in this case, lookups used in pattern formatters to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups.

REF: https://issues.apache.org/jira/plugins/servlet/mobile#issue/LOG4J2-3221

Issue Link: https://github.com/newrelic/newrelic-java-agent/issues/605

[CLAassistant]

All committers have signed the CLA.

[jinzishuai]

Do we need this? We are quite concerned about the incomplete fix of log4j-2.15: https://github.com/advisories/GHSA-7rjr-3q55-vv33

[dylanmei]

We need it because 2.15 is incomplete: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

[jasonjkeller]

Thanks for this. With the new Log4j vulnerability just coming to light we're currently investigating our options and if we need to get this out in another point release asap.

[hunt3rkillerz]

Totally cool, my thoughts on this are currently that bumping the version is great coverage to stay ahead of any innovative ways to leverage the remaining attack surface utilising the Log4J bugs. As the situation is evolving pretty rapidly it's likely better to be safe (in my personal oppinion)

[jasonjkeller]

@hunt3rkillerz This change has been published in our 7.4.2 point release and will also be included in the next minor release of the agent. Thanks again!

[jasonjkeller]

@dylanmei ^^^^

[hunt3rkillerz]

Thanks @jasonjkeller, would it be possible to do a 6.x release for this too by any chance? I imagine a lot of people may benefit from that 😄

[jasonjkeller]

@hunt3rkillerz We plan to do another 6.x point release but we're waiting for the Log4j folks to release the back-ported fix to a version of Log4j that supports Java 7, as the 6.x range of agents should remain Java 7 compatible. Unfortunately we broke that backwards compatibility with the 6.5.1 patch but we'd like to remedy that now that we know that a back-port should happen.

[benders]

Speaking for New Relic: Our analysis does not show the Java Agent to be vulnerable to CVE-2021-45046, which is harder to exploit than the original issue. Any application running Agent 6.5.1 or 7.4.1, or using -Dlog4j2.formatMsgNoLookups=true should still be protected. Because of this, we feel comfortable waiting for the (hopefully imminent) Java 7 compatible backport for our 6.x series.