Security bulletins

This document contains important information regarding security vulnerabilities that could affect some versions of New Relic products. Security bulletins are a way for New Relic to let users know about security vulnerabilities, remediation strategies, and applicable updates for affected software. For more information about New Relic's security measures, visit the New Relic security website.

To receive notifications for future advisories, select New Relic's RSS feed, or watch the topics in New Relic's Security Notifications community channel to receive email alerts.

APM

Security bulletins for New Relic APM agents include a vulnerability rating.

| Date | Number | Security bulletin details | Release notes | Rating |
|---|---|---|---|---|
| 1/22/2018 | NR18-04 | Error messages are not removed in high security mode | .NET agent | Medium |
| 1/9/2018 | NR18-02 | Agent may not obfuscate SQL params with SQLite | Python agent | Medium |
| 1/9/2018 | NR18-01 | Agent may capture custom API parameters in High Security Mode | Python agent | Medium |
| 12/18/2017 | NR17-06 | Agent captures external HTTP request parameters during a transaction trace | .NET agent | Medium |
| 5/30/2017 | NR17-05 | Agent may capture full SQL queries when an exception occurs | Java agent | High |
| 5/5/2017 | NR17-04 | Agent captures WCF service request parameters during a TransactionError | .NET agent | Medium |
| 2/9/2017 | NR17-03 | MongoDB aggregate queries not obfuscated | Ruby agent | Low |
| 1/12/2017 | NR17-02 | Query parameters not removed from referer attribute in error trace | .NET agent | Medium |
| 1/12/2017 | NR17-01 | Query parameters not removed from referer attribute in error trace | Node.js agent | Medium |

Infrastructure

Security bulletins for New Relic Infrastructure include a vulnerability rating.

| Date | Number | Security bulletin details | Release notes | Rating |
|---|---|---|---|---|
| 2/8/2018 | NR18-05 | Command line options may be captured | Infrastructure agent | High |

Synthetics

Security bulletins for New Relic Synthetics include a vulnerability rating.

| Date | Number | Security bulletin details | Release notes | Rating |
|---|---|---|---|---|
| 1/12/2018 | NR18-03 | Update private minions for Meltdown (CVE-2017-5754) | Minions | High |

Report security vulnerabilities to New Relic

New Relic is committed to the security of our customers and their data. We believe that providing coordinated disclosure by security researchers and engaging with the security community are important means to achieve our security goals.

If you believe you have found a security vulnerability in one of New Relic's products or websites, we welcome and greatly appreciate you reporting it to New Relic through one of these methods:

Security vulnerability ratings

New Relic uses four levels to rate security vulnerabilities.

| Rating | Description |
|---|---|
| Critical | A vulnerability in a New Relic product that could be exploited to compromise the confidentiality or integrity of application data. |
| High | Atypical or unintended information is likely to be received by New Relic, potentially compromising the confidentiality or integrity of application data. |
| Medium | Atypical or unintended information could be received by New Relic, but the risk of compromise is mitigated by default configuration or standard security practices. |
| Low | Atypical or unintended information may be received by New Relic, but the vulnerability would be difficult to exploit or have minimal impact. |
