A security update for the Java, Python, and .NET agents corrects an issue where the agent may report DB query results to New Relic or re-issue an SQL statement.
Release date: Mar 7, 2018
Vulnerability identifier: NR18-07
The following New Relic agent versions are affected:
|Name||Affected version||Notes||Remediated version|
|Java agent||3.26.1 to 3.47.0||SQL query||3.47.1|
|Python agent||220.127.116.11 to 18.104.22.168||SQL query||22.214.171.124|
|.NET agent||SQL query with MySQL||8.0 or 6.22 (For .NET Framework 3.5)|
New Relic agents run explain plans for Slow Transaction Traces and Slow SQL Queries. Previous versions of the agents would run an explain plan on the SQL query by prepending the query with
explain. This may cause an issue when there are multiple statements separated by semicolons in a single query. The first statement in the string returns its explain plan, but any subsequent statement after that may execute as a general SQL statement. Depending on the language, library, and database, the agent may return the results of the additional statements to New Relic. It is also possible that the additional statements could execute an additional
UPDATE command. With this security update, New Relic agents will no longer run explain plans on any query that contains a semicolon as a statement separator.
Many SQL libraries and language frameworks prevent various forms of executing multiple statements with
Explain plans are off for newer versions of the .NET agent.
explain plans with transaction tracer in the agent configuration:
Report security vulnerabilities to New Relic
New Relic is committed to the security of our customers and their data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see Reporting security vulnerabilities.
For more help
Additional documentation resources include:.