Security Bulletin NR18-07

Summary

A security update for the Java, Python, and .NET agents corrects an issue where the agent may report DB query results to New Relic or re-issue an SQL statement.

Release date: Mar 7, 2018

Vulnerability identifier: NR18-07

Priority: High

Affected software

The following New Relic agent versions are affected:

Name Affected version Notes Remediated version
Java agent 3.26.1 to 3.47.0 SQL query 3.47.1
Python agent 1.1.0.192 to 2.106.0.87 SQL query 2.106.1.88
.NET agent

2.5.112.0 to 6.21.0.0

7.0.2.0 to 7.1.229

SQL query with MySQL 8.0 or 6.22 (For .NET Framework 3.5)

Vulnerability information

New Relic agents run explain plans for Slow Transaction Traces and Slow SQL Queries. Previous versions of the agents would run an explain plan on the SQL query by prepending the query with explain. This may cause an issue when there are multiple statements separated by semicolons in a single query. The first statement in the string returns its explain plan, but any subsequent statement after that may execute as a general SQL statement. Depending on the language, library, and database, the agent may return the results of the additional statements to New Relic. It is also possible that the additional statements could execute an additional INSERT or UPDATE command. With this security update, New Relic agents will no longer run explain plans on any query that contains a semicolon as a statement separator.

Mitigating factors

  • Many SQL libraries and language frameworks prevent various forms of executing multiple statements with explain.

  • Explain plans are off for newer versions of the .NET agent.

Workarounds

Disable explain plans with transaction tracer in the agent configuration:

Report vulnerabilities to New Relic

New Relic is committed to the security of our customers and their data. We believe that engaging with the security community is an important means of achieving our security goals, and we appreciate responsible disclosure of any vulnerabilities by security researchers.

If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic through one of these methods:

For more help

Additional documentation resources include:.

Recommendations for learning more: