Security Update: NR17-03 for Ruby Agent

A security update for New Relic’s Ruby agent!

The security experts over here at New Relic have a fix for a vulnerability:

The Vulnerability

The Ruby agent could unintentionally capture raw aggregate queries from the MongoDB driver when the aggregate pipeline is used.

Vulnerability Information

New Relic’s Ruby Agent version 3.13.1 added visibility to MongoDB queries with version 2.1 and greater of the MongoDB driver for Ruby. The agent’s default setting for mongo.obfuscate_queries is true. This should cause the agent to obfuscate the values in Mongo queries before sending this information to New Relic. However, when using the aggregate pipeline with this version of the driver, the aggregate queries were not properly obfuscated.

Mitigating factors

  • Only customers who use version 2.1 and greater of the Ruby Driver for MongoDB are affected

  • Aggregate queries generally do not contain sensitive information

Workarounds

Users who are affected and are unable to upgrade may choose to configure the Ruby agent to not capture MongoDB queries. Users can set mongo.capture_queries to false to prevent the agent from sending any information about the query.

For more details see our post in the New Relic docs: Security Bulletin NR17-03


Report vulnerabilities to New Relic

New Relic is committed to the security of our customers and their data. We believe that engaging with the security community is an important means of achieving our security goals, and we appreciate responsible disclosure of any vulnerabilities by security researchers.

If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic via this community or support ticket.

For more details see our Security Bulletin NR17-03 in the New Relic Docs.
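
To confirm that the workaround described under Workarounds is in effect for every environment, the following added example (not New Relic's code and not part of the original post) audits a `newrelic.yml` for `mongo.capture_queries` and `mongo.obfuscate_queries`. The sample file, the constant and the function names are constructed for illustration, and it assumes the settings may be written either nested or as dotted keys and that capture defaults to on.

```ruby
require 'yaml'

# Constructed sample newrelic.yml for illustration (not taken from the bulletin).
SAMPLE_NEWRELIC_YML = <<~YAML
  common: &default_settings
    app_name: Example App
    mongo:
      capture_queries: false
  production:
    <<: *default_settings
  staging:
    <<: *default_settings
    mongo:
      capture_queries: true
  test:
    app_name: Example App (test)
YAML

# mongo.obfuscate_queries defaults to true per the bulletin; treating
# mongo.capture_queries as defaulting to true is an assumption of this example.
DEFAULTS = { 'mongo.capture_queries' => true, 'mongo.obfuscate_queries' => true }.freeze

# Flatten nested hashes into dotted keys so "mongo: { capture_queries: false }"
# and "mongo.capture_queries: false" are evaluated the same way (assumed equivalent).
def flatten_settings(hash, prefix = nil, out = {})
  hash.each do |key, value|
    dotted = [prefix, key].compact.join('.')
    if value.is_a?(Hash)
      flatten_settings(value, dotted, out)
    else
      out[dotted] = value
    end
  end
  out
end

# Report the effective Mongo settings per environment section. The "common"
# anchor block is skipped because it only applies where an environment merges it.
def audit_mongo_settings(yaml_text)
  doc = YAML.safe_load(yaml_text, aliases: true) || {}
  doc.each_with_object({}) do |(env, section), report|
    next if env == 'common' || !section.is_a?(Hash)
    settings = DEFAULTS.merge(flatten_settings(section).slice(*DEFAULTS.keys))
    capture = settings['mongo.capture_queries']
    report[env] = { capture: capture, obfuscate: settings['mongo.obfuscate_queries'],
                    workaround_applied: capture == false }
  end
end

audit_mongo_settings(SAMPLE_NEWRELIC_YML).each { |env, result| puts "#{env}: #{result}" }
```

In the sample, `staging` re-enables capture and `test` never merges the common block, so only `production` has the workaround applied.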