A security update to the Java agent reconfigured its YAML parser to use a SafeConstructor, which removes the parser's ability to instantiate arbitrary Java classes and so closes the limited user-controlled code execution path.
A specific tag notation, when parsed through an unsafe Yaml.load() call, causes the parser to create a new Java object and invoke its constructor, potentially leading to code execution. An attacker would have to have access to the agent's host to edit the newrelic.yml file to include a crafted payload that would execute arbitrary code once the agent starts up.
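As an added example (not code from New Relic or the agent), the following shows the hardening the update describes: loading a configuration document with a SnakeYAML `SafeConstructor`, which only builds standard YAML types (maps, lists, scalars) and rejects documents that carry a global `!!` tag naming a Java class. The use of SnakeYAML, the sample documents, the hypothetical class name `com.example.NotAllowed` and the helper names are assumptions made for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlConfigLoader {

    // Constructed sample: an ordinary configuration document with newrelic.yml-style keys
    // (values are hypothetical).
    static final String PLAIN_CONFIG =
            "common:\n" +
            "  app_name: demo-app\n" +
            "  log_level: info\n";

    // Constructed sample: the same document with a global (!!) tag that asks the parser
    // to instantiate a class. The class name is a hypothetical placeholder.
    static final String TAGGED_CONFIG =
            "common:\n" +
            "  app_name: !!com.example.NotAllowed {}\n";

    /**
     * Hardened loader. SafeConstructor never resolves a tag to a Java class, so a
     * configuration file can only yield plain data structures, never live objects.
     */
    public static Map<String, Object> loadSafely(String yamlText) {
        LoaderOptions options = new LoaderOptions();
        Yaml parser = new Yaml(new SafeConstructor(options));
        return parser.load(yamlText);
    }

    /**
     * Defensive check: returns true when the safe parser accepts the document and
     * false when it rejects it (SnakeYAML signals a disallowed tag with a YAMLException
     * subclass, so the superclass is caught to cover different library versions).
     */
    public static boolean isAcceptedBySafeParser(String yamlText) {
        try {
            loadSafely(yamlText);
            return true;
        } catch (YAMLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("plain config accepted:  " + isAcceptedBySafeParser(PLAIN_CONFIG));
        System.out.println("tagged config accepted: " + isAcceptedBySafeParser(TAGGED_CONFIG));
    }
}
```

The contrast with the unsafe form is a single constructor argument: `new Yaml()` with the default constructor in older SnakeYAML releases will honour the tag and call the named class's constructor, whereas `new Yaml(new SafeConstructor(options))` refuses it before any class is loaded. The second check above is the kind of assertion worth adding to a build or startup self-test so that a regression to the unsafe parser is caught immediately.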
This vulnerability requires an attacker already having access to the host in order to modify the newrelic.yml config file on a victim's machine, which in itself is a mitigating factor. However, there are additional steps that you can take to either completely patch this issue or harden your systems against it:
- Update to the latest New Relic Java agent to patch the issue.
- Revoke write privileges to your