A security update for the .NET agent corrects an issue where metric names are not properly identified for SQL queries with parameters that have been manually constructed.
Release date: August 26, 2019
Vulnerability identifier: NR19-05
The following New Relic agent versions are affected:
|Name||Affected version||Notes||Remediated version|
|.NET agent||< 126.96.36.199||188.8.131.52|
When manually constructing SQL queries that execute stored procedures with parameters, a missing space before the first value may cause the agent to incorrectly identify the metric name. This may result in sensitive data being included in metric names.
This vulnerability only affects applications that manually assemble SQL queries with parameters, without using parameterized queries. It’s recommended that applications use parameterized queries to help avoid introducing SQL injection vulnerabilities.
Utilize parameterized queries, this also helps to prevent SQL injection vulnerabilities.
- Update to the latest New Relic .NET agent.
Report vulnerabilities to New Relic
New Relic is committed to the security of our customers and their data. We believe that engaging with the security community is an important means of achieving our security goals, and we appreciate responsible disclosure of any vulnerabilities by security researchers.
If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic through one of these methods: