Summary
A security update for New Relic's Ruby agent fixes a vulnerability where the agent could unintentionally capture raw aggregate queries with MongoDB. New Relic recommends updating to the latest remediated version.
Release date: February 9, 2017
Vulnerability identifier: NR17-03
Priority: Low
Affected software
The following New Relic agent versions are affected:
| Name | Affected version | Notes | Remediated version |
|---|---|---|---|
| Ruby agent | 3.13.1 (and greater) | With MongoDB driver 2.1 (and greater) | |
Vulnerability information
New Relic's Ruby agent version 3.13.1 added visibility into MongoDB queries when used with version 2.1 and greater of the MongoDB driver for Ruby. The agent's default setting for mongo.obfuscate_queries is true, which causes the agent to obfuscate the values in Mongo queries before sending this information to New Relic. However, when using the aggregate pipeline with this version of the driver, the aggregate queries were not properly obfuscated, so the raw values in those queries could be captured and sent.
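To make the failure mode concrete, here is an added illustrative example (not New Relic's agent code): a query obfuscator that only masks the `filter` document of a find-style command, beside a hardened version that masks every value and recurses through arrays so each stage of an aggregate pipeline is covered. The command hashes and the `leaked_values` helper are constructed for this illustration and assume the driver's command shape (`find`/`filter`, `aggregate`/`pipeline`).

```ruby
# Illustrative obfuscation of MongoDB command documents (added example,
# not New Relic agent code). Keys are kept; values are replaced with '?'.

# Command-name keys whose value is the collection name, which is kept as-is.
COMMAND_NAMES = %w[find aggregate insert update delete count distinct].freeze

# Replace every leaf value with '?', recursing through hashes AND arrays
# so operator arrays ($in) and pipeline stages are masked too.
def mask(node)
  case node
  when Hash  then node.each_with_object({}) { |(k, v), out| out[k] = mask(v) }
  when Array then node.map { |v| mask(v) }
  else '?'
  end
end

# Naive obfuscator: only knows about the 'filter' document of a find-style
# command. An aggregate command has no 'filter', so its 'pipeline' array,
# with every literal in it, passes through untouched.
def obfuscate_naive(command)
  return command unless command.key?('filter')
  command.merge('filter' => mask(command['filter']))
end

# Hardened obfuscator: keep only the collection name, mask everything else
# regardless of which top-level key carries the user-supplied values.
def obfuscate_deep(command)
  command.each_with_object({}) do |(k, v), out|
    out[k] = COMMAND_NAMES.include?(k) ? v : mask(v)
  end
end

# Constructed sample commands in the shape sent by a 2.x-style driver.
FIND_COMMAND = {
  'find'   => 'users',
  'filter' => { 'email' => 'alice@example.com', 'age' => { '$gt' => 30 } }
}.freeze

AGGREGATE_COMMAND = {
  'aggregate' => 'orders',
  'pipeline'  => [
    { '$match' => { 'customer_id' => 42, 'status' => { '$in' => %w[paid shipped] } } },
    { '$group' => { '_id' => '$customer_id', 'total' => { '$sum' => '$amount' } } }
  ]
}.freeze

# Audit helper (constructed): every leaf outside the collection name that is
# not '?' would reach the wire unmasked.
def leaked_values(command)
  leaks = []
  walk = lambda do |node|
    case node
    when Hash  then node.each_value { |v| walk.call(v) }
    when Array then node.each { |v| walk.call(v) }
    else leaks << node unless node == '?'
    end
  end
  command.each { |k, v| walk.call(v) unless COMMAND_NAMES.include?(k) }
  leaks
end

if __FILE__ == $PROGRAM_NAME
  puts "naive find leaks:      #{leaked_values(obfuscate_naive(FIND_COMMAND)).inspect}"
  puts "naive aggregate leaks: #{leaked_values(obfuscate_naive(AGGREGATE_COMMAND)).inspect}"
  puts "deep aggregate leaks:  #{leaked_values(obfuscate_deep(AGGREGATE_COMMAND)).inspect}"
end
```

Running the script shows the naive obfuscator cleanly masks the `find` filter but lets the `$match` literals of the aggregate pipeline through, while the deep obfuscator leaks nothing for either command; a check like `leaked_values` against representative commands is a cheap way to verify that obfuscation covers every query shape an instrumented driver can emit.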
Mitigating factors
- Only customers who use version 2.1 and greater of the Ruby Driver for MongoDB are affected
- Aggregate queries generally do not contain sensitive information
Workarounds
Affected users who are unable to upgrade may configure the Ruby agent not to capture MongoDB queries at all. Setting mongo.capture_queries to false prevents the agent from sending any information about the query.
Report security vulnerabilities to New Relic
New Relic is committed to the security of our customers and their data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see Reporting security vulnerabilities.
For more help
Additional documentation resources include: