Security Notification CVE-2022-21449

Could you please confirm if the New Relic Java agent is affected by the CVE-2022-21449 vulnerability (NVD - CVE-2022-21449)? If so, what are the recommended steps to follow?

Appreciate your prompt response.

Regards,

Hello @AThyagarajan

Thank you for contacting New Relic about this vulnerability (CVE-2022-21449). Our Security Team is investigating this as their top priority and we will follow up with you as soon as we have more information.

Keeping customer data secure is New Relic’s top priority; we have a well-established security program that includes vulnerability management components that continuously scan and monitor our applications and systems for new vulnerabilities. The vulnerability management program is reviewed annually as part of our SOC2 certification, and we are happy to share our latest SOC2 report as well as further details of our program under NDA.

Dear @AThyagarajan,

New Relic has completed its investigation of CVE-2022-21449 and determined that the New Relic Java agent does not use an affected version of Java SE or employ ECDSA signatures and so is not impacted by this vulnerability. Customers using the New Relic Java agent do not need to take any direct action related to New Relic software for this specific CVE.

To receive security notifications from New Relic in the future, please subscribe to New Relic’s Security notifications community channel or RSS feed and New Relic’s blog.

Keeping customers secure is always our top priority. As a reminder, we recommend our customers adopt secure internet and application practices. For more information, please visit Security and privacy | New Relic Documentation. If you have any questions, please let us know by filing a support case through the In-Product Support experience of the platform by clicking on the Documentation and Support link and selecting “I need more help” or visiting https://support.newrelic.com.