
Security bulletins

This document contains important information regarding security vulnerabilities that could affect some versions of New Relic products and services. Security bulletins are a way for us to let you know about security vulnerabilities, remediation strategies, and applicable updates for affected software. For more information, see our documentation about security, data privacy, and compliance, or visit the New Relic security website.

Get security notifications

To get notified about new bulletins, subscribe to the RSS feed.

General

These bulletins apply to multiple New Relic features or capabilities:

| Security bulletin | Summary |
| --- | --- |
| NR23-01, Security Advisory | Advisory related to an ongoing security investigation |

APM

Security bulletins for our APM agents include a vulnerability rating.

| Security bulletin | Summary and related release notes | Rating |
| --- | --- | --- |
| NRSG22-01 | New Relic recommends that customers who deploy the .NET Agent in a configuration using Microsoft Extensions Logging (MEL) update to version 10.1.0 or later. | Low |
| NR21-03, original date 12/10/2021 | The Java agent's use of the Apache log4j logging framework and procedures to address CVE-2021-44228 and CVE-2021-45046. The bulletin includes action items and links to related release notes. | Critical |
| NR21-02, 4/26/2021 | The Java agent implements a YAML parser that may lead to limited code execution when parsing a crafted YAML payload. | Low |
| NR20-02, 8/20/2020 | The agent does not remove the URI from transaction traces when request.uri has been disabled in attribute configuration. See the Node.js agent release notes. | Medium |
| NR20-01, 1/16/2020 | The agent may capture full SQL queries when an exception occurs. See the .NET agent release notes. | Medium |
| NR19-05, 8/26/2019 | Incorrect metric names created with non-parameterized queries may contain sensitive information. See the .NET agent release notes. | Medium |
| NR19-03, 4/22/2019 | Query obfuscation may fail in Microsoft SQL Server. See the .NET agent release notes. | Medium |
| NR19-02, 4/1/2019 | Segment attributes may include request parameters in high-security mode or when using configurable security policies. See the Node.js agent release notes. | Medium |
| NR19-01, 1/9/2019 | OpenRasta instrumentation may capture query strings. See the .NET agent release notes. | Medium |
| NR18-09, 5/2/2018 | The agent may capture sensitive data when record_sql is set to off. See the Java agent release notes. | Low |
| NR18-08, 4/12/2018 | The agent uses a vulnerable https-proxy-agent Node.js module. See the Node.js agent release notes. | Low |
| NR18-07, 3/7/2018 | The agents may report DB query results to New Relic or reissue an SQL statement. See the release notes for the Python, Java, and .NET agents. | High |
| NR18-06, 3/5/2018 | The agent may capture all transaction attributes. See the Node.js agent release notes. | High |
| NR18-04, 1/22/2018 | Error messages are not removed in high-security mode. See the .NET agent release notes. | Medium |
| NR18-02, 1/9/2018 | The agent may not obfuscate SQL params with SQLite. See the Python agent release notes. | Medium |
| NR18-01, 1/9/2018 | The agent may capture custom API parameters in high-security mode. See the Python agent release notes. | Medium |
| NR17-06, 12/18/2017 | The agent captures external HTTP request parameters during a transaction trace. See the .NET agent release notes. | Medium |
| NR17-05, 5/30/2017 | The agent may capture full SQL queries when an exception occurs. See the Java agent release notes. | High |
| NR17-04, 5/5/2017 | The agent captures WCF service request parameters during a TransactionError. See the .NET agent release notes. | Medium |
| NR17-03, 2/9/2017 | MongoDB aggregate queries are not obfuscated. See the Ruby agent release notes. | Low |
| NR17-02, 1/12/2017 | Query parameters are not removed from the referer attribute in error traces. See the .NET agent release notes. | Medium |
| NR17-01, 1/12/2017 | Query parameters are not removed from the referer attribute in error traces. See the Node.js agent release notes. | Medium |

Infrastructure monitoring

Security bulletins for infrastructure monitoring include a vulnerability rating.

| Security bulletin | Summary and related release notes | Rating |
| --- | --- | --- |
| NR18-12, 11/28/18 | The Windows agent may follow unprivileged hard links or junction folders. See the agent release notes for infrastructure monitoring. | Low |
| NR18-11, 10/8/18 | The Windows agent may execute privileged binaries in the system path. See the agent release notes for infrastructure monitoring. | Medium |
| NR18-10, 6/18/18 | A hard-coded file path allows for user-controlled configuration. See the agent release notes for infrastructure monitoring. | High |
| NR18-05, 2/8/2018 | Command line options may be captured. See the agent release notes for infrastructure monitoring. | High |

Browser monitoring

Security bulletins for browser monitoring include a vulnerability rating.

| Security bulletin | Summary and related release notes | Rating |
| --- | --- | --- |
| NR21-01, 3/9/2021 | The agent does not properly sanitize local file URIs when an instrumented HTML page is opened directly from the operating system's filesystem. | Medium |

Synthetic monitoring

Security bulletins for synthetic monitoring include a vulnerability rating.

| Security bulletin | Summary and related release notes | Rating |
| --- | --- | --- |
| NR22-01, 1/13/2022 | Containerized private minion (CPM) procedures to specifically remove subdependencies on log4j version 1.2.17. | High |
| NR21-04, original date 12/13/2021 | Containerized private minion (CPM) procedures to address CVE-2021-44228 and CVE-2021-45046. The bulletin includes action items and links to related release notes. | Critical |
| NR19-04, 7/22/2019 | Sensitive data may appear in logs. See the release notes for containerized private minions. | Medium |
| NR18-03, 1/12/2018 | Update private minions for Meltdown (CVE-2017-5754). See the release notes for containerized private minions. | High |

Security vulnerability ratings

At New Relic, we use four levels to rate security vulnerabilities.

| Rating | Description |
| --- | --- |
| Critical | A vulnerability in a New Relic product or service that could be exploited to compromise the confidentiality or integrity of your data. |
| High | Atypical or unintended information is likely to be received by New Relic, potentially compromising the confidentiality or integrity of your data. |
| Medium | Atypical or unintended information could be received by New Relic, but the risk of compromise is mitigated by default configuration or standard security practices. |
| Low | Atypical or unintended information may be received by New Relic, but the vulnerability would be difficult to exploit, or it would have minimal impact. |

Report security vulnerabilities to New Relic

New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products, services, or websites, we welcome and greatly appreciate you reporting it to our coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities.

Copyright © 2024 New Relic Inc.
