This document contains important information regarding security vulnerabilities that could affect some versions of New Relic products and services. Security bulletins are a way for us to let you know about security vulnerabilities, remediation strategies, and applicable updates for affected software. For more information, see our documentation about security, data privacy, and compliance, or visit the New Relic security website.
Get security notifications
To get notified about new bulletins, subscribe to the RSS feed.
General
These bulletins apply to multiple New Relic features or capabilities:
Security bulletin | Summary |
---|---|
Advisory related to security investigation concluded January 31, 2024 |
APM
Security bulletins for our APM agents include a vulnerability rating.
Security bulletin | Summary and related release notes | Rating |
---|---|---|
 | New Relic recommends that customers who deploy the .NET agent in a configuration using Microsoft Extensions Logging (MEL) update to version 10.1.0 or later. | Low |
NR21-03, original date 12/10/2021 | The Java agent use of the Apache log4j logging framework and procedures to address CVE-2021-44228 and CVE-2021-45046. Bulletin includes action items and links to related release notes. | Critical |
NR21-02, 4/26/2021 | The Java agent implements a YAML parser that may lead to limited code execution when parsing a crafted YAML payload. | Low |
NR20-02, 8/20/2020 | The agent does not remove the URI from transaction traces when | Medium |
NR20-01, 1/16/2020 | The agent may capture full SQL queries when an exception occurs. See the .NET agent release notes. | Medium |
NR19-05, 8/26/2019 | Incorrect metric names created with non-parameterized queries may contain sensitive information. See the .NET agent release notes. | Medium |
NR19-03, 4/22/2019 | Query obfuscation may fail in Microsoft SQL server. See the .NET agent release notes. | Medium |
NR19-02, 4/1/2019 | Segment attributes may include request parameters in high-security mode or when using configurable security policies. See the Node.js agent release notes. | Medium |
NR19-01, 1/9/2019 | OpenRasta instrumentation may capture query strings. See the .NET agent release notes. | Medium |
NR18-09, 5/2/2018 | The agent may capture sensitive data when | Low |
NR18-08, 4/12/2018 | The agent uses a vulnerable | Low |
NR18-07, 3/7/2018 | The agents may report DB query results to New Relic or reissue an SQL statement. See the release notes for the Python, Java, and .NET agents. | High |
NR18-06, 3/5/2018 | The agent may capture all transaction attributes. See the Node.js agent release notes. | High |
NR18-04, 1/22/2018 | Error messages are not removed in high-security mode. See the .NET agent release notes. | Medium |
NR18-02, 1/9/2018 | The agent may not obfuscate SQL params with SQLite. See the Python agent release notes. | Medium |
NR18-01, 1/9/2018 | The agent may capture custom API parameters in high-security mode. See the Python agent release notes. | Medium |
NR17-06, 12/18/2017 | The agent captures external HTTP request parameters during a transaction trace. See the .NET agent release notes. | Medium |
NR17-05, 5/30/2017 | The agent may capture full SQL queries when an exception occurs. See the Java agent release notes. | High |
NR17-04, 5/5/2017 | The agent captures WCF service request parameters during a | Medium |
NR17-03, 2/9/2017 | MongoDB aggregate queries not obfuscated. See the Ruby agent release notes. | Low |
NR17-02, 1/12/2017 | Query parameters are not removed from the | Medium |
NR17-01, 1/12/2017 | Query parameters are not removed from the | Medium |
Infrastructure monitoring
Security bulletins for infrastructure monitoring include a vulnerability rating.
Security bulletin | Summary and related release notes | Rating |
---|---|---|
NR24-01, 6/8/2024 | New Relic has released new versions of several log forwarding services to eliminate use of a recently announced vulnerable version of Fluent Bit. | High |
NR18-12, 11/28/2018 | Windows agent may follow unprivileged hard links or junction folders. See the agent release notes for infrastructure monitoring. | Low |
NR18-11, 10/8/2018 | Windows agent may execute privileged binaries in the system path. See the agent release notes for infrastructure monitoring. | Medium |
NR18-10, 6/18/2018 | Hard-coded file path allows for user-controlled configuration. See the agent release notes for infrastructure monitoring. | High |
NR18-05, 2/8/2018 | Command line options may be captured. See the agent release notes for infrastructure monitoring. | High |
Browser monitoring
Security bulletins for browser monitoring include a vulnerability rating.
Security bulletin | Summary and related release notes | Rating |
---|---|---|
NR21-01, 3/9/2021 | The agent does not properly sanitize local file URIs when an instrumented HTML page is opened directly from the operating system's filesystem. | Medium |
Synthetic monitoring
Security bulletins for synthetic monitoring include a vulnerability rating.
Security bulletin | Summary and related release notes | Rating |
---|---|---|
NR22-01, 1/13/2022 | Containerized private minion (CPM) procedures to specifically remove subdependencies on log4j version 1.2.17 | High |
NR21-04, original date 12/13/2021 | Containerized private minion (CPM) procedures to address CVE-2021-44228 and CVE-2021-45046. Bulletin includes action items and links to related release notes. | Critical |
NR19-04, 7/22/2019 | Sensitive data may appear in logs. See the release notes for containerized private minions. | Medium |
NR18-03, 1/12/2018 | Update private minions for Meltdown (CVE-2017-5754). See the release notes for containerized private minions. | High |
Other
Security bulletins in this general category include a vulnerability rating.
Security bulletin | Summary and related release notes | Rating |
---|---|---|
NR24-02, 7/18/2024 | Procedures to address a vulnerability in OpenSSH that affects New Relic Salesforce Exporter. | High |
Security vulnerability ratings
At New Relic, we use four levels to rate security vulnerabilities.
Rating | Description |
---|---|
Critical | A vulnerability in a New Relic product or service that could be exploited to compromise the confidentiality or integrity of your data. |
High | Atypical or unintended information is likely to be received by New Relic, potentially compromising the confidentiality or integrity of your data. |
Medium | Atypical or unintended information could be received by New Relic, but the risk of compromise is mitigated by default configuration or standard security practices. |
Low | Atypical or unintended information may be received by New Relic, but the vulnerability would be difficult to exploit, or it would have minimal impact. |
Report security vulnerabilities to New Relic
New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products, services, or websites, we welcome and greatly appreciate you reporting it to our coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities.