Skip to content

Latest commit

 

History

History
134 lines (98 loc) · 4.96 KB

security-bulletin-nr18-07.mdx

File metadata and controls

134 lines (98 loc) · 4.96 KB
Raw
title tags metaDescription redirects releaseDate
Security Bulletin NR18-07
Security
Security and Privacy
Security bulletins
Security vulnerability update for New Relic Java, Python, and .NET agents.
/docs/using-new-relic/new-relic-security/security-bulletins/security-bulletin-nr18-08
/docs/using-new-relic/new-relic-security/security-bulletins/security-bulletin-nr18-07
2020-12-10

Summary

A security update for the Java, Python, and .NET agents corrects an issue where the agent may report DB query results to New Relic or re-issue an SQL statement.

Release date: Mar 7, 2018

Vulnerability identifier: NR18-07

Priority: High

Affected software [#affected]

The following New Relic agent versions are affected:

  <th>
    <DNT>**Affected version**</DNT>
  </th>

  <th>
    <DNT>**Notes**</DNT>
  </th>

  <th>
    <DNT>**Remediated version**</DNT>
  </th>
</tr>

<tr>
  <td>
    Java agent
  </td>

  <td>
    [3.26.1](/docs/release-notes/agent-release-notes/java-release-notes/java-agent-3261) to [3.47.0](/docs/release-notes/agent-release-notes/java-release-notes/java-agent-3470)
  </td>

  <td>
    SQL query
  </td>

  <td>
    [3.47.1](/docs/release-notes/agent-release-notes/java-release-notes)
  </td>
</tr>

<tr>
  <td>
    Python agent
  </td>

  <td>
    [1.1.0.192](/docs/release-notes/agent-release-notes/python-release-notes/python-agent-110192) to [2.106.0.87](/docs/release-notes/agent-release-notes/python-release-notes/python-agent-2106087)
  </td>

  <td>
    SQL query
  </td>

  <td>
    [2.106.1.88](/docs/release-notes/agent-release-notes/python-release-notes/python-agent-2106188)
  </td>
</tr>

<tr>
  <td>
    .NET agent
  </td>

  <td>
    [2.5.112.0](/docs/release-notes/agent-release-notes/net-release-notes/net-agent-251120) to [6.21.0.0](/docs/release-notes/agent-release-notes/net-release-notes/net-agent-62100)

    [7.0.2.0](/docs/release-notes/agent-release-notes/net-release-notes/net-agent-7020) to [7.1.229](/docs/release-notes/agent-release-notes/net-release-notes/net-agent-712290)
  </td>

  <td>
    SQL query with MySQL
  </td>

  <td>
    [8.0 or 6.22 (For .NET Framework 3.5)](/docs/release-notes/agent-release-notes/python-release-notes)
  </td>
</tr>
**Name**

Vulnerability information [#vuln-info]

New Relic agents run explain plans for Slow Transaction Traces and Slow SQL Queries. Previous versions of the agents would run an explain plan on the SQL query by prepending the query with explain. This may cause an issue when there are multiple statements separated by semicolons in a single query. The first statement in the string returns its explain plan, but any subsequent statement after that may execute as a general SQL statement. Depending on the language, library, and database, the agent may return the results of the additional statements to New Relic. It is also possible that the additional statements could execute an additional INSERT or UPDATE command. With this security update, New Relic agents will no longer run explain plans on any query that contains a semicolon as a statement separator.

Mitigating factors [#factors]

  • Many SQL libraries and language frameworks prevent various forms of executing multiple statements with explain.
  • Explain plans are off for newer versions of the .NET agent.

Workarounds

Disable explain plans with transaction tracer in the agent configuration:

Report security vulnerabilities to New Relic [#report]

New Relic is committed to the security of our customers and their data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see Reporting security vulnerabilities.

For more help [#more_help]

Additional documentation resources include:.