Summary
New Relic is recommending that customers who deploy the .NET agent in a configuration employing Microsoft Extensions Logging (MEL) should update to version 10.1.0 or later to address an issue where New Relic .NET agents (v9.7.0 to 10.0.0) would forward any level of MEL logging level, regardless of configuration.
This guidance applies to users of the .NET agent versions 9.7.0 through 10.0.0 that use the MEL logging framework. .NET agents that use Log4net, Serilog, and NLog logging frameworks are not affected.
Affected software
.NET agent version | Logging framework | Required conditions | Affected/not affected |
|---|---|---|---|
.NET agent 9.7.0 through 10.0.0 | Microsoft Extensions Logging (MEL) | Log forwarding enabled and log level set | Affected |
.NET agent all versions | Log4Net, Serilog, or NLog logging | Not affected | |
.NET agent 9.7.0 | Microsoft Extensions Logging (MEL) | Default configuration (Log forwarding not enabled) | Not affected |
.NET agent 9.8.0 through 10.0.0 | Microsoft Extensions Logging (MEL) | Log forwarding disabled | Not affected |
.NET agent 9.7.0 through 10.0.0 | Microsoft Extensions Logging (MEL) | Configured to forward all Microsoft Extension Logging levels | Not affected |
.NET agent before 9.7.0 | n/a | Not affected | |
.NET agent 10.1.0 and later | Microsoft Extensions Logging (MEL) | Not affected | |
.NET agent all versions | n/a | Deployed in Linux | Not affected |
Fixed in:
- New Relic .NET agent versions 10.1.0 and later
Recommended action:
- Customers who use Microsoft Extension Logging should upgrade to version 10.1.0 or later
- Technical Links: Updating the .NET agent
- Workarounds: Affected customers who cannot update their .NET agents to 10.1.0 or later at this time can disable log forwarding.
Technical details:
Version 10.1.0 remediates an error in the timing of the instrumentation point for Microsoft Extensions Logging to correctly send MEL data after the built-in log level filtering occurs.
Timeline details
This issue was introduced when New Relic added support for the log forwarding feature with Microsoft Extensions Logging (MEL) framework in .NET Core applications in .NET agent v 9.7.0 (April 4, 2022) and in .NET Framework applications in v 10.0.0 (July 19, 2022). In version 9.7.0, the log forwarding feature was disabled by default, so customers using version 9.7.0.0 may only be affected by this issue if they have manually configured log forwarding.
In version 9.8.0 (May 5th, 2022), the log forwarding feature was enabled by default.
The issue was fixed with the release of .NET agent version 10.1.0, released on September 12, 2022.
Frequently asked questions
- What is a Security Guidance document? New Relic has issued this Security Guidance document to notify customers of the need to update their software to address a software bug that, while it cannot be exploited by a third party to gain access to customer data, still has actionable security or privacy recommendations for customers.
- Is it possible for a third-party to exploit this issue to access log data that is forwarded to New Relic? No, the issue does not allow for exposure of data to a third party. We use a comprehensive set of technical controls to support security for data we receive. For more information, see our documentation about data security and data encryption.
- Once I deploy version 10.1.0 of the New Relic .NET agent, do I have to do anything else? No, there are no further configuration changes required after updating. We recommend that you check your set configurations to make sure that they match your desired settings.
- I am using the .NET agent but not using Microsoft Extensions Logging for log forwarding. Am I impacted? No, this issue only impacts .NET applications using MEL for their logging. MEL logging was introduced in version 9.7.0 for .NET Core applications and 10.0.0 for .NET Framework applications.
- I am using the .NET agent but have disabled the log forwarding feature. Am I impacted? No, this issue only impacts .NET applications using the log forwarding feature and the MEL framework.