• /
  • EnglishEspañol日本語한국어Português
  • ログイン今すぐ開始

Security Bulletin NR21-02

Summary

A security update to the Java agent reconfigured the YAML parser to include a SafeConstructor, which removes the ability to have limited user controlled code executed.

Release date: April 26th, 2021

Vulnerability identifier: NR21-02

Priority: Low

Affected software

The following New Relic agent versions are affected:

Name

Affected version

Remediated version

Java agent

< 6.4.2

6.5.0

Vulnerability information

A specified notation, when parsed through an unsafe Yaml.load() call, will create a new Java object and invoke its constructor, potentially leading to code execution. An attacker would have to have access to the agent’s host to edit the newrelic.yml file to include a crafted payload that would execute arbitrary code once the agent starts up.

Mitigating factors

This vulnerability requires an attacker already having access to the host in order to modify the newrelic.yml config file on a victim’s machine, which in itself is a mitigating factor. However, there are additional steps that you can take to either completely patch this issue or harden your systems against it:

  • Update your Java agent to patch this vulnerability
  • Revoke write privileges to your newrelic.yml file

Workarounds

Report security vulnerabilities to New Relic

New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities.

Copyright © 2024 New Relic株式会社。

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.