Fixed a security issue that could send external HTTP request parameters to New Relic via transaction traces for applications that do all of the following:
- Use Java agent 3.6.0 or higher*
- Use Apache HttpClient 4.0 or higher
- Haven’t disabled transaction_traces
*For Java agent versions 3.6.0-3.25.0, this issue only affects cross-application traces.
Recommended for applications that may include sensitive information in external service call request parameters.
If you can’t upgrade the agent immediately, there are a few workarounds:
- Disable transaction traces
- Disable only cross-application tracing. This resolves the issue with Java agents prior to 3.26.0.
You can also delete existing transaction traces.