Data Center RUM Documentation


This is a summary of certain security alerts and a statement of whether (and how) they could affect Dynatrace DC RUM components.

  • Follow the links for details
  • The page will be updated as changes are made to patch our systems, as well as when new vulnerabilities are detected and become public knowledge.
Vulnerability | Affected? | Info
WannaCry

No

While Dynatrace software is not directly affected, nor vulnerable, customers are strongly encouraged to perform their own assessment of the vulnerability of their environments wherever Dynatrace software is installed and take appropriate corrective actions. More information about this attack and ways you can protect yourself from it can be found at Microsoft's TechNet blog.

To download the necessary security patches, go to Microsoft Security Bulletin MS17-010.

Oracle Java SE

CVE-2017-3512
CVE-2017-3514
CVE-2017-3511
CVE-2017-3526
CVE-2017-3509
CVE-2017-3533
CVE-2017-3544
CVE-2017-3539

Yes

JRE and JDK are exposed to multiple vulnerabilities that affect various components. Oracle's Java Critical Patch Update for April 2017 contains 8 new security fixes across multiple Java SE products and sub-products.

Affected Java versions are: Oracle Java JDK and JRE, versions 6u141 and earlier, 7u131 and earlier, 8u121 and earlier.

The vendor released updates (Java SE JDK and JRE 8 Update 131, Java SE JDK and JRE 7 Update 141, Java SE JDK and JRE 6 Update 151) to resolve these issues.

DC RUM 12.4.x releases use Java 1.8; therefore an update to JRE 8 Update 131 (or later) is required.

AMD impact

AMD uses Oracle Java 1.8 installed from the RHEL repositories, and there is no embedded Java build in the AMD code. To update Java 1.8 on the AMD, run yum update java to obtain the latest available Java 1.8 build from Red Hat.

CAS, ADS, RUM Console and CSS

The server components use an embedded Java Runtime Environment (JRE).

Releases prior to 12.4.13 are impacted as they include affected Java builds. Refer to JAVA builds and DC RUM releases for detailed build numbers.

Solution: Release 12.4.13 contains the fixed JRE 1.8u131 build; therefore you need to upgrade your existing 12.4.x version to release 12.4.13.

Apache Tomcat

CVE-2017-5648
CVE-2017-5650
CVE-2017-5650

Yes

Security vulnerabilities were reported for Apache Tomcat in versions between 8.5.0 and 8.5.12.

Some DC RUM 12.4.x components prior to 12.4.13 are affected.

AMD uses the native Tomcat package shipped with the RHEL OS.

Vulnerability | AMD | CAS and ADS | Console and CSS

CVE-2017-5648

  AMD:
  • Tomcat on RHEL 6 is not impacted by this vulnerability.
  • Tomcat on RHEL 7 is impacted and requires an update to version 7.0.76 or newer.
    Solution: yum update tomcat

  CAS and ADS:
  • Releases 12.4.x prior to 12.4.13 use Apache Tomcat 8.5.8 and are therefore affected.
    Solution: Upgrade to 12.4.13, which comes with updated Apache Tomcat version 8.5.14.
  • The May 2017 release (coming) is not impacted as it already contains Apache Tomcat version 8.5.14.

  Console and CSS:
  N/A. These components do not use Apache Tomcat.

CVE-2017-5650

CVE-2017-5650
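The upgrade thresholds stated in the Java and Tomcat entries above can be turned into a small checker that evaluates a host inventory. This is an added example, not Dynatrace code: the affected ranges are those given in the text, and the version strings it parses (including the RPM-style names) are constructed samples.

```python
import re

# Oldest fixed update per Java family, from the April 2017 Critical Patch Update cited above.
JAVA_FIXED_UPDATE = {6: 151, 7: 141, 8: 131}

def parse_java_version(s):
    """Return (family, update) from '1.8.0_121', '8u121' or an RPM name such as
    'java-1.8.0-openjdk-1.8.0.121-0.b13.el7' (constructed sample formats)."""
    m = re.search(r'1\.(\d)\.0[._](\d+)', s) or re.search(r'\b(\d)u(\d+)\b', s)
    if not m:
        raise ValueError("unrecognised Java version: %r" % s)
    return int(m.group(1)), int(m.group(2))

def java_affected(s):
    """True if the build predates the fixed update; None if the family is outside the advisory."""
    family, update = parse_java_version(s)
    fixed = JAVA_FIXED_UPDATE.get(family)
    return None if fixed is None else update < fixed

def parse_dotted(s):
    """First dotted numeric run in s as an int tuple: 'tomcat-7.0.76-3.el7' -> (7, 0, 76)."""
    return tuple(int(x) for x in re.search(r'\d+(?:\.\d+)*', s).group(0).split('.'))

def tomcat_affected(s, rhel_native=False):
    """Embedded Tomcat 8.5.0 through 8.5.12 is affected. For the AMD's native package,
    RHEL 7's Tomcat 7 must be 7.0.76 or newer; RHEL 6's Tomcat is not impacted."""
    v = parse_dotted(s)
    if rhel_native:
        return v[0] == 7 and v < (7, 0, 76)
    return (8, 5, 0) <= v <= (8, 5, 12)

def dcrum_server_affected(release):
    """CAS, ADS, RUM Console and CSS: any 12.4.x release before 12.4.13 ships affected builds."""
    v = parse_dotted(release)
    return v[:2] == (12, 4) and v < (12, 4, 13)

if __name__ == "__main__":
    # Constructed inventory of the kind a host audit would produce.
    checks = [
        ("AMD java", java_affected("java-1.8.0-openjdk-1.8.0.121-0.b13.el7")),
        ("AMD tomcat (RHEL 7)", tomcat_affected("tomcat-7.0.69-12.el7", rhel_native=True)),
        ("CAS release", dcrum_server_affected("12.4.12")),
    ]
    for label, result in checks:
        print(label, "AFFECTED" if result else "ok")
```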

Apache Struts 2.x

No

Apache has published a security bulletin announcing a vulnerability in Apache Struts 2.x that could allow unauthenticated, remote code execution on the server.

Apache Struts is not used in any DC RUM component, including Enterprise Synthetic Monitoring and Dynatrace Network Analyzer.

Sweet32

Yes

SSL 64-bit Block Size Cipher Suites Supported, also known as SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32).

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Impact: Old versions of DC RUM (12.4.10 and earlier) may be affected. Release 12.4.12 comes with an enhanced SSL configuration in which only secure cipher suites are allowed and the well-known weak cipher suites are disabled, so installing SP12 addresses this vulnerability.

Solution: Disable use of 3DES cipher suites. See securing AMD for details.

Heartbleed

No

Heartbleed is a security bug disclosed in April 2014 in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client.

The official id for Heartbleed is CVE-2014-0160.

This vulnerability was addressed in the 12.2.1 and 12.3.0 releases; older releases can be patched. For more information, see OpenSSL Vulnerability also known as Heartbleed Bug.

Shellshock

No

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

The official id for Shellshock is CVE-2014-6271.

No DC RUM component is directly affected by this vulnerability, because:

  • The CAS, ADS, and RUM Console are Windows-based components and thus are not affected by this vulnerability.
  • The AMD component supports the Red Hat Enterprise Linux operating system, but AMD software does not use the Bash shell in its services. It is nevertheless strongly suggested, and good practice, to patch your version of the RHEL OS against the Shellshock bug. See RHEL technical alert CVE-2014-6271 for details.

Poodle

Yes

The POODLE ("Padding Oracle On Downgraded Legacy Encryption") attack is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0.

SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack such as the POODLE issue.

Several components of certain DC RUM releases may be affected.

Releases 12.3 and 12.4 are not affected (use of SSLv3 was disabled).

Old versions of DC RUM - 12.2.x and earlier - may be affected.

Solution: Disable use of SSLv3 and use the more secure TLS protocol. See POODLE vulnerability in SSLv3 for details.
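The two fixes prescribed in the Sweet32 and POODLE entries (disable 3DES cipher suites; disable SSLv3) can be checked mechanically against an exported listener configuration. This is an added example, not DC RUM code or its actual SSL configuration: it audits constructed lists of protocol and cipher suite names in both OpenSSL and IANA styles and returns the hardened lists.

```python
import re

# Token forms under which DES and Triple DES appear in OpenSSL-style ("DES-CBC3-SHA") and
# IANA-style ("TLS_RSA_WITH_3DES_EDE_CBC_SHA") cipher suite names.
BLOCK64_TOKENS = {"DES", "3DES"}

def uses_64bit_block_cipher(suite):
    """True if the suite's bulk cipher is DES or 3DES, the ciphers Sweet32 targets."""
    return any(tok in BLOCK64_TOKENS for tok in re.split(r"[-_]", suite.upper()))

def is_sslv3(protocol):
    """True for the spellings of SSL 3.0 commonly found in listener configurations."""
    return protocol.replace(".", "").upper() in {"SSLV3", "SSL3"}

def audit_tls_config(protocols, ciphers):
    """Return (finding, item) pairs for the two settings this page calls out."""
    findings = [("POODLE: SSLv3 enabled", p) for p in protocols if is_sslv3(p)]
    findings += [("SWEET32: 64-bit block cipher suite", c) for c in ciphers
                 if uses_64bit_block_cipher(c)]
    return findings

def harden(protocols, ciphers):
    """Apply the page's two fixes: drop SSLv3 and drop every DES/3DES suite, keeping the rest."""
    return ([p for p in protocols if not is_sslv3(p)],
            [c for c in ciphers if not uses_64bit_block_cipher(c)])

# Constructed sample configuration of the kind an older listener might carry.
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "AES256-SHA",
]

if __name__ == "__main__":
    for finding, item in audit_tls_config(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS):
        print(finding, "->", item)
    print("hardened:", harden(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS))
```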
