• EnglishEspañol日本語한국어Português
  • Log inStart now

Security Bulletin NR18-07

Summary

A security update for the Java, Python, and .NET agents corrects an issue where the agent may report DB query results to New Relic or re-issue an SQL statement.

Release date: Mar 7, 2018

Vulnerability identifier: NR18-07

Priority: High

Affected software

The following New Relic agent versions are affected:

Name

Affected version

Notes

Remediated version

Java agent

3.26.1 to 3.47.0

SQL query

3.47.1

Python agent

1.1.0.192 to 2.106.0.87

SQL query

2.106.1.88

.NET agent

2.5.112.0 to 6.21.0.0

7.0.2.0 to 7.1.229

SQL query with MySQL

8.0 or 6.22 (For .NET Framework 3.5)

Vulnerability information

New Relic agents run explain plans for Slow Transaction Traces and Slow SQL Queries. Previous versions of the agents would run an explain plan on the SQL query by prepending the query with explain. This may cause an issue when there are multiple statements separated by semicolons in a single query. The first statement in the string returns its explain plan, but any subsequent statement after that may execute as a general SQL statement. Depending on the language, library, and database, the agent may return the results of the additional statements to New Relic. It is also possible that the additional statements could execute an additional INSERT or UPDATE command. With this security update, New Relic agents will no longer run explain plans on any query that contains a semicolon as a statement separator.

Mitigating factors

  • Many SQL libraries and language frameworks prevent various forms of executing multiple statements with explain.
  • Explain plans are off for newer versions of the .NET agent.

Workarounds

Disable explain plans with transaction tracer in the agent configuration:

Report security vulnerabilities to New Relic

New Relic is committed to the security of our customers and their data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see Reporting security vulnerabilities.

For more help

Additional documentation resources include:.

Copyright © 2024 New Relic Inc.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.