A security update for the .NET agent corrects an issue where full SQL queries may be sent to the agent log.
Release date: January 16, 2020
Vulnerability identifier: NR20-01
The following New Relic agent versions are affected:
|Name|Affected version|Notes|Remediated version|
|---|---|---|---|
||188.8.131.52 - 184.108.40.206||220.127.116.11|
|.NET Framework agent|18.104.22.168 - 22.214.171.124||126.96.36.199|
To generate explain plans, the agent creates a copy of the SQL query and reissues it with a request for the execution plan. If the explain plan fails, the agent may log the full SQL statement, which could include the parameter values.
The agent will only log this information when set to the FINEST logging levels.
- Ensure that logging level is not set to
- Disable capturing of explain plans.
- Ensure that file location of log files is secured.
- Update to the latest New Relic .NET agent.
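The workarounds above can be checked against an agent configuration file. The following audit script is an added example, not New Relic's code: it assumes the usual `newrelic.config` layout (`log level`, `transactionTracer explainEnabled`), assumes the agent defaults noted in the comments, treats `debug` and `all` as verbose alongside the FINEST level the bulletin names, and runs on a constructed sample config.

```python
import xml.etree.ElementTree as ET

NS = {"nr": "urn:newrelic-config"}  # XML namespace of newrelic.config
# "finest" is the level the bulletin names; "debug" and "all" are treated as
# verbose too, which is an assumption of this example.
VERBOSE_LEVELS = {"finest", "debug", "all"}

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration xmlns="urn:newrelic-config" agentEnabled="true">
  <log level="FINEST" directory="C:\\Logs\\NewRelic" />
  <transactionTracer enabled="true" explainEnabled="true" />
</configuration>"""


def read_settings(xml_text):
    """Extract the settings relevant to NR20-01 from newrelic.config text."""
    root = ET.fromstring(xml_text)
    log = root.find("nr:log", NS)
    tracer = root.find("nr:transactionTracer", NS)
    # Assumed agent defaults when a setting is absent: level "info", explain plans on.
    level = log.get("level", "info") if log is not None else "info"
    explain = tracer.get("explainEnabled", "true") if tracer is not None else "true"
    directory = log.get("directory") if log is not None else None
    return level.strip().lower(), explain.strip().lower() == "true", directory


def is_exposed(xml_text):
    """True when both conditions hold: verbose logging and explain plans enabled."""
    level, explain_enabled, _ = read_settings(xml_text)
    return level in VERBOSE_LEVELS and explain_enabled


def audit_config(xml_text):
    """Return one finding per workaround that is not yet applied."""
    level, explain_enabled, directory = read_settings(xml_text)
    findings = []
    if level in VERBOSE_LEVELS:
        findings.append(f"log level '{level}' is verbose; set a less verbose level")
    if explain_enabled:
        findings.append("explain plans enabled; set explainEnabled=\"false\"")
    if directory:
        findings.append(f"verify access permissions on log directory {directory}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
    print("exposed:", is_exposed(SAMPLE_CONFIG))
```

A configuration that passes this check can still hold full SQL statements in log files written before the change, so existing logs need the same access review.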
Report vulnerabilities to New Relic
New Relic is committed to the security of our customers and their data. We believe that engaging with the security community is an important means of achieving our security goals, and we appreciate responsible disclosure of any vulnerabilities by security researchers.
If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic through one of these methods: