Security bulletins

This document contains important information regarding security vulnerabilities that could affect some versions of New Relic products and services. Security bulletins are a way for us to let you know about security vulnerabilities, remediation strategies, and applicable updates for affected software. For more information, see our documentation about security, data privacy, and compliance, or visit the New Relic security website.

Get security notifications

To receive notifications for future advisories, use either of these options:

APM

Security bulletins for our APM agents include a vulnerability rating.

| Security bulletin | Summary and related release notes | Rating |
|---|---|---|
| NR20-02, 8/20/2020 | The agent does not remove the URI from transaction traces when request.uri has been disabled in attribute configuration. See the Node.js agent release notes. | Medium |
| NR20-01, 1/16/2020 | The agent may capture full SQL queries when an exception occurs. See the .NET agent release notes. | Medium |
| NR19-05, 8/26/2019 | Incorrect metric names created with non-parameterized queries may contain sensitive information. See the .NET agent release notes. | Medium |
| NR19-03, 4/22/2019 | Query obfuscation may fail in Microsoft SQL Server. See the .NET agent release notes. | Medium |
| NR19-02, 4/1/2019 | Segment attributes may include request parameters in high security mode or when using configurable security policies. See the Node.js agent release notes. | Medium |
| NR19-01, 1/9/2019 | OpenRasta instrumentation may capture query strings. See the .NET agent release notes. | Medium |
| NR18-09, 5/2/2018 | The agent may capture sensitive data when record_sql is set to off. See the Java agent release notes. | Low |
| NR18-08, 4/12/2018 | The agent uses a vulnerable https-proxy-agent Node module. See the Node.js agent release notes. | Low |
| NR18-07, 3/7/2018 | The agents may report DB query results to New Relic or reissue an SQL statement. See the release notes for the Python, Java, and .NET agents. | High |
| NR18-06, 3/5/2018 | The agent may capture all transaction attributes. See the Node.js agent release notes. | High |
| NR18-04, 1/22/2018 | Error messages are not removed in high security mode. See the .NET agent release notes. | Medium |
| NR18-02, 1/9/2018 | The agent may not obfuscate SQL params with SQLite. See the Python agent release notes. | Medium |
| NR18-01, 1/9/2018 | The agent may capture custom API parameters in high security mode. See the Python agent release notes. | Medium |
| NR17-06, 12/18/2017 | The agent captures external HTTP request parameters during a transaction trace. See the .NET agent release notes. | Medium |
| NR17-05, 5/30/2017 | The agent may capture full SQL queries when an exception occurs. See the Java agent release notes. | High |
| NR17-04, 5/5/2017 | The agent captures WCF service request parameters during a TransactionError. See the .NET agent release notes. | Medium |
| NR17-03, 2/9/2017 | MongoDB aggregate queries are not obfuscated. See the Ruby agent release notes. | Low |
| NR17-02, 1/12/2017 | Query parameters are not removed from the referer attribute in error traces. See the .NET agent release notes. | Medium |
| NR17-01, 1/12/2017 | Query parameters are not removed from the referer attribute in error traces. See the Node.js agent release notes. | Medium |

Infrastructure monitoring

Security bulletins for infrastructure monitoring include a vulnerability rating.

| Security bulletin | Summary and related release notes | Rating |
|---|---|---|
| NR18-12, 11/28/18 | Windows agent may follow unprivileged hard links or junction folders. See the agent release notes for infrastructure monitoring. | Low |
| NR18-11, 10/8/18 | Windows agent may execute privileged binaries in the system path. See the agent release notes for infrastructure monitoring. | Medium |
| NR18-10, 6/18/18 | Hard-coded file path allows for user-controlled configuration. See the agent release notes for infrastructure monitoring. | High |
| NR18-05, 2/8/2018 | Command line options may be captured. See the agent release notes for infrastructure monitoring. | High |

Synthetic monitoring

Security bulletins for synthetic monitoring include a vulnerability rating.

| Security bulletin | Summary and related release notes | Rating |
|---|---|---|
| NR19-04, 7/22/2019 | Sensitive data may appear in logs. See the release notes for containerized private minions. | Medium |
| NR18-03, 1/12/2018 | Update private minions for Meltdown (CVE-2017-5754). See the release notes for containerized private minions. | High |

Security vulnerability ratings

At New Relic, we use four levels to rate security vulnerabilities.

| Rating | Description |
|---|---|
| Critical | A vulnerability in a New Relic product or service that could be exploited to compromise the confidentiality or integrity of your data. |
| High | Atypical or unintended information is likely to be received by New Relic, potentially compromising the confidentiality or integrity of your data. |
| Medium | Atypical or unintended information could be received by New Relic, but the risk of compromise is mitigated by default configuration or standard security practices. |
| Low | Atypical or unintended information may be received by New Relic, but the vulnerability would be difficult to exploit, or it would have minimal impact. |

Report security vulnerabilities to New Relic

New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products, services, or websites, we welcome and greatly appreciate you reporting it to our coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities via HackerOne.

For more help

If you need more help, check out these support and learning resources: