Security bulletins

This document contains important information regarding security vulnerabilities that could affect some versions of New Relic products. Security bulletins are a way for New Relic to let users know about security vulnerabilities, remediation strategies, and applicable updates for affected software. For more information about New Relic's security measures, see our security and privacy documentation, or visit the New Relic security website.

To receive notifications of future advisories, subscribe to New Relic's RSS feed, or watch the topics in New Relic's Security Notifications community channel to receive email alerts.

APM

Security bulletins for New Relic APM agents include a vulnerability rating.

Date | Number | Security bulletin details | Release notes | Rating
8/26/2019 | NR19-05 | Incorrect metric names created with non-parameterized queries may contain sensitive information | .NET agent | Medium
4/22/2019 | NR19-03 | Query obfuscation may fail in Microsoft SQL Server | .NET agent | Medium
4/1/2019 | NR19-02 | Segment attributes may include request parameters in High Security Mode or when using Configurable Security Policies | Node.js agent | Medium
1/9/2019 | NR19-01 | OpenRasta instrumentation may capture query strings | .NET agent | Medium
5/2/2018 | NR18-09 | The Java agent may capture sensitive data when record_sql is set to off | Java agent | Low
4/12/2018 | NR18-08 | The agent uses the vulnerable https-proxy-agent Node module | Node.js agent | Low
3/7/2018 | NR18-07 | The agents may report DB query results to New Relic or re-issue an SQL statement | Python, Java, and .NET agents | High
3/5/2018 | NR18-06 | The agent may capture all transaction attributes | Node.js agent | High
1/22/2018 | NR18-04 | Error messages are not removed in High Security Mode | .NET agent | Medium
1/9/2018 | NR18-02 | Agent may not obfuscate SQL parameters with SQLite | Python agent | Medium
1/9/2018 | NR18-01 | Agent may capture custom API parameters in High Security Mode | Python agent | Medium
12/18/2017 | NR17-06 | Agent captures external HTTP request parameters during a transaction trace | .NET agent | Medium
5/30/2017 | NR17-05 | Agent may capture full SQL queries when an exception occurs | Java agent | High
5/5/2017 | NR17-04 | Agent captures WCF service request parameters during a TransactionError | .NET agent | Medium
2/9/2017 | NR17-03 | MongoDB aggregate queries not obfuscated | Ruby agent | Low
1/12/2017 | NR17-02 | Query parameters not removed from referer attribute in error trace | .NET agent | Medium
1/12/2017 | NR17-01 | Query parameters not removed from referer attribute in error trace | Node.js agent | Medium

Infrastructure

Security bulletins for New Relic Infrastructure include a vulnerability rating.

Date | Number | Security bulletin details | Release notes | Rating
11/28/2018 | NR18-12 | Windows agent may follow unprivileged hard links or junction folders | Infrastructure agent | Low
10/8/2018 | NR18-11 | Windows agent may execute privileged binaries in the system path | Infrastructure agent | Medium
6/18/2018 | NR18-10 | Hard-coded file path allows for user-controlled configuration | Infrastructure agent | High
2/8/2018 | NR18-05 | Command line options may be captured | Infrastructure agent | High

Synthetics

Security bulletins for New Relic Synthetics include a vulnerability rating.

Date | Number | Security bulletin details | Release notes | Rating
7/22/2019 | NR19-04 | Sensitive data may appear in logs | Containerized private minions | Medium
1/12/2018 | NR18-03 | Update private minions for Meltdown (CVE-2017-5754) | Minions | High

Report security vulnerabilities to New Relic

New Relic is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engagement with the security community are important means of achieving our security goals.

If you believe you have found a security vulnerability in one of New Relic's products or websites, we welcome and greatly appreciate your reporting it to New Relic through one of these methods:

Security vulnerability ratings

New Relic uses four levels to rate security vulnerabilities.

Rating | Description
Critical | A vulnerability in a New Relic product that could be exploited to compromise the confidentiality or integrity of application data.
High | Atypical or unintended information is likely to be received by New Relic, potentially compromising the confidentiality or integrity of application data.
Medium | Atypical or unintended information could be received by New Relic, but the risk of compromise is mitigated by default configuration or standard security practices.
Low | Atypical or unintended information may be received by New Relic, but the vulnerability would be difficult to exploit or have minimal impact.

For more help

Recommendations for learning more: