TL;DR
New Relic's latest infrastructure-bundle:3.3.12 ships with Java 8u452 (April 2025), which is affected by two Java SE CVEs from Oracle's October 2025 Critical Patch Update. We fixed it by building a custom image that swaps in Java 11 and keeps everything else intact. The agent works perfectly.
The Problem: Two Critical CVEs
Our security scanner flagged two vulnerabilities in the JRE inside our New Relic monitoring pods:
- CVE-2025-53066 https://nvd.nist.gov/vuln/detail/CVE-2025-53066
- CVE-2025-53057 https://nvd.nist.gov/vuln/detail/CVE-2025-53057
Both were disclosed in Oracle's October 2025 Critical Patch Update and affect Java SE 8u461 and earlier, as well as 11.0.28 and earlier. Those are Oracle's update numbers; the OpenJDK builds that Alpine ships carry the next-higher number, so the 8u452 found below corresponds to Oracle's 8u451.
The Investigation
Step 1: Check Our Java Version
```
$ kubectl exec -n monitoring new-relic-monitoring-nrk8s-kubelet -c agent -- java -version
openjdk version "1.8.0_452"
OpenJDK Runtime Environment (IcedTea 3.35.0) (Alpine 8.452.09-r0)
OpenJDK 64-Bit Server VM (build 25.452-b09, mixed mode)
```
Problem: Java 8u452 was released in April 2025, six months before the October 2025 patches.
Required: OpenJDK 8u472 or later (the October 2025 update; Oracle's equivalent build is 8u471), or Java 11.0.29 or later (October 2025).
Step 2: Check for Official Fix
```
# Check the latest official image. --entrypoint java makes sure java itself runs,
# rather than "java -version" being handed to whatever ENTRYPOINT the image sets.
docker pull docker.io/newrelic/infrastructure-bundle:latest
docker run --rm --entrypoint java docker.io/newrelic/infrastructure-bundle:latest -version
# Still shows: 1.8.0_452 ❌
```
Even infrastructure-bundle:3.3.12 (released January 28, 2026) still contained the vulnerable Java version.
Root cause: New Relic's Dockerfile installs Alpine's openjdk8-jre package, and the Alpine release the image is built on hasn't picked up the October 2025 patches yet.
The Solution: Upgrade to Java 11
We decided to upgrade to Java 11 because:
- Java 11.0.29 (October 2025) includes all of the patches
- Java 11 is well-supported and stable
- Minimal Dockerfile changes are needed
- The rest of the vendor image stays untouched (only the JRE changes)
It is still a custom build, though, so confirm that the Java-backed integrations in the bundle (nri-jmx, which runs through nrjmx) still work after the swap.
Dockerfile:
```
FROM docker.io/newrelic/infrastructure-bundle:3.3.12
# Swap the vulnerable Java 8 JRE for the patched Java 11 JRE
RUN apk del openjdk8-jre && apk add --no-cache openjdk11-jre
# Fail the build unless the JRE that was actually installed is 11.0.29 or newer;
# which version apk resolves depends on the base image's Alpine release and repositories
RUN java -version 2>&1 | head -n1 && java -version 2>&1 | grep -Eq 'version "11\.0\.(29|[3-9][0-9])'
# Confirm the agent binary still starts
RUN /usr/bin/newrelic-infra --version
```
Deleting the package removes Java 8 from the image's filesystem but not from the base image's layers. A scanner that inspects the merged filesystem will stop reporting it; one that walks each layer separately may still flag the base layer.
Build for the Right Platform
Important: if you build on an Apple Silicon Mac for EKS nodes running linux/amd64, set the target platform explicitly:
```
docker buildx build \
  --platform linux/amd64 \
  -t your-registry/infrastructure-bundle:3.3.12-java11 \
  --push \
  .
```
Without `--platform linux/amd64` the registry receives an arm64 image, and the amd64 nodes fail to pull it with:
```
Error: no match for platform in manifest: not found
```
After pushing, `docker buildx imagetools inspect your-registry/infrastructure-bundle:3.3.12-java11` shows which platforms the manifest actually contains.
Verification: Does It Actually Work?
Check what the image actually runs at start-up (this also tells you whether it sets an ENTRYPOINT, which is why the `java -version` check above uses `--entrypoint java`):
```
docker inspect docker.io/newrelic/infrastructure-bundle:3.3.12 | \
  jq '.[0].Config | {Entrypoint, Cmd}'
```
Once you've built and pushed the image to ECR and pointed the New Relic infrastructure bundle deployment at it, verify that the running pods actually use the updated Java version rather than trusting the image tag.
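The check we want is "does the JRE inside every agent container carry the October 2025 fixes", not just "does a java binary exist". The script below is an added example, not code from the original post or from New Relic: it parses the first line of `java -version` against the thresholds above (OpenJDK 8u472 for the 8 line, 11.0.29 for the 11 line) and, when `CHECK_LIVE=1` is set, runs that check against every agent container in the cluster. The namespace `monitoring` and the label selector `app.kubernetes.io/name=newrelic-infrastructure` are assumptions; adjust them to your Helm release.

```shell
#!/bin/sh
# Added example (not from the original post or from New Relic): decide from the
# first line of `java -version` whether a JRE carries the October 2025 Java SE
# fixes, then optionally run that check against every agent container.
# Thresholds: OpenJDK 8u472 (Oracle 8u471) on the 8 line, 11.0.29 on the 11 line.
# Assumed: namespace "monitoring" and the label selector in check_cluster.

# Extract the quoted version, e.g. 'openjdk version "1.8.0_452"' -> 1.8.0_452
java_version_string() {
  printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Exit 0 when the JRE is patched, 1 otherwise. Major lines this script does not
# know about are treated as unverified (1) rather than silently accepted.
java_is_patched() {
  ver=$(java_version_string "$1")
  case "$ver" in
    1.8.0_*)
      upd=${ver#1.8.0_}            # 452, 472-b08, ...
      upd=${upd%%-*}
      [ "$upd" -ge 472 ]
      ;;
    11.*)
      patch=$(printf '%s\n' "$ver" | cut -d. -f3)   # 11.0.29 -> 29
      patch=${patch%%[-+]*}
      [ "${patch:-0}" -ge 29 ]
      ;;
    *)
      return 1
      ;;
  esac
}

# Live check against the running pods. Only runs when CHECK_LIVE=1 so the parsing
# above can be exercised offline with constructed version strings.
check_cluster() {
  ns=${NR_NAMESPACE:-monitoring}
  rc=0
  for pod in $(kubectl get pods -n "$ns" -l app.kubernetes.io/name=newrelic-infrastructure -o name); do
    # java prints its version on stderr, hence 2>&1
    first=$(kubectl exec -n "$ns" "$pod" -c agent -- java -version 2>&1 | head -n1)
    if java_is_patched "$first"; then
      echo "OK   $pod: $first"
    else
      echo "FAIL $pod: $first"
      rc=1
    fi
  done
  return "$rc"
}

if [ "${CHECK_LIVE:-0}" = 1 ]; then
  check_cluster
fi
```

Run it as `CHECK_LIVE=1 NR_NAMESPACE=monitoring sh check-java.sh`; a non-zero exit means at least one agent container is still on an unpatched JRE. Because the decision is made on the version string inside the container, it catches the case where the Deployment still references the old tag or a node has a stale cached image.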
