Stay informed of Dynatrace Application Monitoring and UEM - Security Alerts.

Want to discuss Technical Alerts? Use the App Mon & UEM Open Q&A forum!

Hint: use the "watch this page" feature to receive notifications about updates to this page.

Date | Affected version | Description | Solution
02/06/2019

2017 May (7.0.0)

2018 April (7.1.0)

Expiry of built-in certificate on March 7th, 2019

The Dynatrace AppMon built-in TLS certificate for versions 7.0 and 7.1 will expire on March 7th, 2019. This certificate is used for TLS communication of AppMon components.

Under the circumstances explained below, the expired certificate can prevent the frontend from connecting to the backend; users, including the server admin, will therefore be unable to log in. Collectors may be unable to connect to the server.

The following error message will be printed to the frontend and collector log file:

2019-03-09 23:01:11 UTC SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [localhost:2031_client]: NotAfter: Thu Mar 07 11:37:35 CET 2019

The certificate expiry will only affect you in case you are freshly installing a component (server, collector, analysis server) after the expiry date using the original 7.0 or 7.1 GA installers (7.0.0.2469 and 7.1.0.1803). The issue will also prevent new collector instances created after the expiry date from successfully connecting to the server.

Systems that have been interconnected at least once before the expiry date are not affected even after the certificate expires.

Dynatrace 7.2 is not affected.

Dynatrace has updated the downloads page with new GA installers that avoid this issue. The updated GA versions are 7.0.0.2474 and 7.1.0.1902. Please download and use these installers instead.

Customers are advised to use the precautions mentioned in this tech alert to avoid the issue. More details can be found in this KB article. It also contains a fix tool that can help you solve the problem in case it has already occurred.

To obtain further details, please do not hesitate to contact technical support.

 
  1. Install or migrate to Dynatrace AppMon 7.2
  2. Or use updated 7.0/7.1 GA installers found here
  3. Or follow KB article and use fix tool
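
A way to find this message in frontend and collector logs and report which peer was rejected and how long the certificate had been expired, as an added Python example (not Dynatrace code). The constructed second log entry, the host name in it, the zone-abbreviation table and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: only these zone abbreviations occur; values are UTC offsets in hours.
ZONES = {"UTC": 0, "GMT": 0, "CET": 1, "CEST": 2}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# \s+ after "expired and" lets the pattern match the message whether it is
# on one line or wrapped onto a following line.
EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC SEVERE "
    r"\[ImportCertificateStrategy\] certificate is expired and\s+"
    r"not already accepted for \[(?P<peer>[^\]]+)\]: "
    r"NotAfter: \w{3} (?P<mon>\w{3}) (?P<day>\d\d) "
    r"(?P<time>\d\d:\d\d:\d\d) (?P<tz>[A-Z]+) (?P<year>\d{4})",
    re.MULTILINE,
)


def _not_after_utc(m):
    """Convert the Java-style NotAfter date in a match to an aware UTC datetime."""
    hour, minute, second = (int(x) for x in m["time"].split(":"))
    zone = timezone(timedelta(hours=ZONES[m["tz"]]))
    local = datetime(int(m["year"]), MONTHS.index(m["mon"]) + 1, int(m["day"]),
                     hour, minute, second, tzinfo=zone)
    return local.astimezone(timezone.utc)


def expired_cert_events(log_text):
    """Return one record per rejected-certificate message found in log_text."""
    events = []
    for m in EVENT.finditer(log_text):
        logged_at = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(
            tzinfo=timezone.utc)
        not_after = _not_after_utc(m)
        events.append({
            "peer": m["peer"],
            "logged_at": logged_at,
            "not_after": not_after,
            "expired_for": logged_at - not_after,
        })
    return events


# First entry: the message from this alert, in wrapped form.
# Second and third entries: constructed for this example.
SAMPLE_LOG = """\
2019-03-09 23:01:11 UTC SEVERE [ImportCertificateStrategy] certificate is expired and

not already accepted for [localhost:2031_client]: NotAfter: Thu Mar 07 11:37:35 CET 2019
2019-03-10 07:59:58 UTC INFO [ExampleComponent] constructed unrelated line
2019-03-10 08:00:00 UTC SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [collector.example.test:2031_client]: NotAfter: Thu Mar 07 11:37:35 CET 2019
"""

if __name__ == "__main__":
    for event in expired_cert_events(SAMPLE_LOG):
        print(event["peer"], "rejected, certificate expired for", event["expired_for"])
```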
01/24/2019

7.1.18

7.2.3

Server Memory Leak

A critical defect in public update 7.1.18 and 7.2.3 causes a memory leak in the backend server process and missing data in the WebUI user analytics screen.


Affected Customers

All customers using UEM with an AppMon server on version 7.1.18 or 7.2.3 are affected to some extent. The severity depends mainly on the:

  • Number of System Profiles
  • Number of Applications

The amount of memory used by the leak will grow faster with a higher number of System Profiles or Applications. The time it takes to see an impact by this leak varies between several hours and several weeks.

Cause

Visit based PureLytics data is not flushed to the database correctly, but kept in memory until the process gets restarted.

Impact

  • Backend Server: "Early Discarded PurePaths" and unexpected server restarts.
    Memory usage increases over time. This causes "Early Discarded PurePaths", that is, PurePaths that are not processed by the server. Once the amount of processed PurePaths has dropped to near 0, the server restarts automatically.

  • WebUI: Empty WebUI screens
    "User Analytics" and "World Map" screens in the WebUI will remain empty.

 

We highly recommend upgrading to version 7.1.20 / 7.2.5 or higher.

7.1: Install update 7.1.20 or higher

7.2: Install update 7.2.5 or higher

11/29/2018

6.5.x

7.0.x

7.1.x

7.2.x

Java 11 and AppMon agent

At the time of releasing this alert, Dynatrace AppMon does not officially support Java 11 (18.9 LTS) or later. Nevertheless, it is already possible to inject an AppMon agent into a JVM with version 11.

A recent build of OpenJDK 11 by default enables the optional class data sharing feature, which can lead to crashes under certain circumstances when an AppMon agent with enabled instrumentation is injected. To avoid crashes, please explicitly turn off the class data sharing feature for Java 11 VMs by adding the following VM argument: -Xshare:off

The problematic behavior of the JVM has already been corrected in the upcoming Java 12 (19.3) and a backport to Java 11 is planned. Adding the explicit VM argument ensures the same corrected behavior for all Java 11 versions with and without the backport. For more detailed information please see the official OpenJDK ticket: https://bugs.openjdk.java.net/browse/JDK-8212200.

Any JVM implementation based on OpenJDK 11 is potentially affected. This includes Oracle JRE/JDK, Azul Zing and Open J9. Installations with classic Java agents are not affected since classic agents automatically disable instrumentation for JVM versions greater than 8.

Turn off the class data sharing feature by adding the Java argument
-Xshare:off
03/29/2018

NONE

TEST notification for EAP customers

This is a test entry for the AppMon in-client TechAlert notification for current 2018 April (7.1) EAP customers.

Please ignore this notification and confirm it in the client.

 NONE
02/08/2018

6.3.x

6.5.x

7.0.x

7.1.x

Critical update for IIS agent

A critical security fix has been made available in the recent AppMon updates 6.3.32, 6.5.34, 7.0.17, 7.1.0.1688 (EAP11). It addresses an issue wherein specifically crafted input can be passed on through the AppMon agent to an API of the IIS that does not validate the input correctly.

The immediate installation of this update is recommended on all systems running an IIS web server that is instrumented with an AppMon agent.

The AppMon release notes will refer to the fix as JLT-210225.

To obtain further details, please do not hesitate to contact technical support.

Install
  • 6.3.32 (or later)
  • 6.5.34 (or later)
  • 7.0.17 (or later)
  • 7.1.0.1688 (or later)
01/18/2018

Mobile ADK for Android < 7.0.15

Critical update for Android mobile ADK

The Android API 14, 15 & 16 (Android 4.0 – 4.1) do not properly restrict the WebView.addJavascriptInterface method. This allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within a specifically crafted JavaScript code that is loaded into the WebView component. Built-in WebView code creates at least one built-in JavaScript Interface in every implemented WebView. This means that every application that loads WebView content from a website is vulnerable to this attack. See CVE-2012-6636 for more details.

The impact of the mobile ADK is as follows: if you explicitly took care of that vulnerability by removing all native interfaces from the WebView, the Android agent opens up the pre-existing vulnerability again, since it also registers a JavaScript interface.

In version 7.0.15, this was addressed by no longer registering the native interface in environments that are running on API level 14/15/16.

We advise all customers to update and rebuild their apps with Android agent (UEM mobile ADK) 7.0.15 or later if the app supports API level 14-16. The flag DTXForceJSBridge=true can be used to revert to the old behavior if desired.

The update can be obtained from our downloads page.

If you have further questions, do not hesitate to contact technical support.

Recompile your Android app with the latest Android agent version (7.0.15 or later).

Distribute the new app to your customers.

10/18/2017

6.3.x

6.5.x

7.0.x

Latest AppMon updates contain critical compatibility enhancements for .NET Framework 4.7.1

Microsoft has recently released .NET Framework 4.7.1. For details, refer to https://blogs.msdn.microsoft.com/dotnet/2017/10/17/announcing-the-net-framework-4-7-1/

Dynatrace AppMon users are strongly advised to install the following updates to avoid compatibility issues with this latest version of the .NET Framework:

  • 6.3.31 (or later)
  • 6.5.27 (or later)
  • 7.0.9 (or later)

The agent may crash or run uninstrumented unless these updates are installed.

For further questions, do not hesitate to contact technical support.

Install
  • 6.3.31 (or later)
  • 6.5.27 (or later)
  • 7.0.9 (or later)
07/25/2017

all

Java 8 u141

Java 7 u151

Java 6 u161

Recent Java updates introduce breaking change that requires Dynatrace AppMon update to be installed

JDK updates released by Oracle last week (Java 8u141, Java 7u151, Java 6u161) contain a code change in JDK RMI classes known as JDK-8180582. Dynatrace compatibility testing has revealed that these changes in the JDK conflict with Dynatrace AppMon instrumentation and require a Dynatrace AppMon update to restore compatibility.

The incompatibility will cause applications that communicate via RMI to malfunction. The following exception is observed on the server side of RMI communication (e.g. in an application server log file):

Caused by: java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
java.io.OptionalDataException
at sun.rmi.registry.RegistryImpl_Skel.dispatch(RegistryImpl_Skel.java:137)
at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:468)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:300)

The issue occurs when the following conditions are met:

  • Dynatrace AppMon versions lower than 6.3.30, lower than 6.5.22, lower than 7.0.4
  • JDK version 1.6u161, 1.7u151, 1.8u141
  • Application uses RMI and RMI sensor is placed

Dynatrace is working with high priority on compatibility enhancements that are expected to be included in upcoming regular updates for Dynatrace AppMon for all supported versions (6.3, 6.5, 7.0).
The enhancement will show up in the release notes as JLT-194623.

Customers are advised to await these Dynatrace AppMon compatibility updates before upgrading the JVM to versions 1.8u141, 1.7u151, 1.6u161.

If you are already experiencing the issue, a downgrade of the JVM will restore proper operation.
Alternatively, the RMI sensor can be unplaced as a workaround.

For further questions, do not hesitate to contact technical support.

This technical alert is specific to the AppMon product. Please note that this issue also affects Dynatrace SaaS/Managed. Please refer to the following page in case you are using Dynatrace SaaS/Managed.

  1. Postpone JDK update until Dynatrace AppMon updates are available (7.0.4, 6.3.30, 6.5.22)
  2. OR unplace RMI sensor

06/26/2017
  • 6.5.18.1011
  • 6.5.19.1006
  • 6.5.19.1004
  • 6.5.18.1009

The .NET agent in public update 6.5.18 can cause the monitored application to malfunction

A critical defect in public update 6.5.18 can cause severe impact on the monitored application. The application may crash and print the following error message:

Common Language Runtime detected an invalid program.

For additional technical details, please refer to the 6.5.18 release notes. The issue is referred to as JLT-192329.

The 6.5.18 public update has been withdrawn from the downloads page. Customers with .NET applications are advised to skip this update if it has been already downloaded. The issue is fixed in the public update 6.5.19. If you are running a .NET agent, we recommend to skip 6.5.17 and install 6.5.19. Note that you can roll back 6.5.18 using the update mechanism.

A temporary workaround to address the issue is to unplace the ADO.NET sensor.

In addition to the public update 6.5.18.1011, the following private updates are affected:

  • 6.5.19.1006
  • 6.5.19.1004
  • 6.5.18.1009

For further questions, do not hesitate to contact technical support.

 

  1. Skip public update 6.5.18
  2. OR unplace the ADO.NET sensor (workaround)
04/27/2017

all <= 7.0

Webservers with AppMon Agent vulnerable due to incomplete input validation caused by defect JLT-173792

A forged request allows an attacker to add arbitrary response headers to the response sent to the same client from which the request originated. The cookie is not stored, and this response is never sent to other users. This vulnerability is an attack vector for further attacks such as Cross-User Defacement, Cross-Site Scripting and Page Hijacking if the attacker wants to attack the client that sends the request.
The vulnerability may also be used for a Cache Poisoning attack, where the attacker sends the request directly, which may impact other users of the same cache (i.e. proxy).

The issue is due to incomplete validation of input data. Subsequently the agent copies the value of the dtCookie request parameter into the Set-Cookie response header, enabling the attack vectors mentioned above.

The issue is fixed by stricter validation of input data. The fix is included in the following updates: 6.2.25, 6.3.24, 6.5.14, 7.0 EAP10

Dynatrace recommends updating all critical systems to these or later updates to mitigate the security risk caused by this issue. Find these public updates at the following page: https://downloads.dynatrace.com/downloads/download.aspx?p=DT

The internal tracking number of this issue is JLT-173792.

References:

https://www.owasp.org/index.php/HTTP_Response_Splitting

For further questions, do not hesitate to contact technical support.

AppMon >= 6.2: Install latest public update and update agents

AppMon < 6.2: Upgrade to >= 6.2, install latest public update and update agent
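
The defect class described in this alert (a request value copied into the Set-Cookie response header without complete validation) next to a strict check that closes it, as an added Python example. This is not AppMon agent code: the function names, the length limit and the choice of the RFC 6265 cookie-octet character set are assumptions, and the sample values are constructed.

```python
import re

# Assumption: accept only RFC 6265 "cookie-octet" characters, i.e. printable
# ASCII without whitespace, double quote, comma, semicolon and backslash.
# CR, LF and every other control character are therefore rejected.
_COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")
MAX_LEN = 256  # hypothetical upper bound on the value length


def set_cookie_unvalidated(value):
    """'Before' behaviour: the request value is echoed into the header verbatim."""
    return "Set-Cookie: dtCookie=" + value + "\r\n"


def set_cookie_validated(value):
    """Return the header line, or None when the value must not be echoed.

    fullmatch() is used on purpose: a pattern ending in '$' used with match()
    would still accept a value that ends in a newline.
    """
    if len(value) > MAX_LEN or not _COOKIE_OCTETS.fullmatch(value):
        return None
    return "Set-Cookie: dtCookie=" + value + "\r\n"


def header_lines(raw):
    """Split a raw header block into lines the way a client or cache parses it."""
    return [line for line in raw.split("\r\n") if line]


# Constructed sample values for this example.
BENIGN = "1A2B3C4D5E6F"
CRAFTED = "x\r\nX-Constructed-Header: 1"


def demo():
    """Show how many header lines each variant emits for each sample value."""
    results = {}
    for label, value in (("benign", BENIGN), ("crafted", CRAFTED)):
        before = header_lines(set_cookie_unvalidated(value))
        after = set_cookie_validated(value)
        results[label] = (len(before), None if after is None else len(header_lines(after)))
    return results


if __name__ == "__main__":
    for label, (before, after) in demo().items():
        print(label, "unvalidated lines:", before, "validated lines:", after)
```

A rejected value is dropped rather than sanitized, so no part of it reaches the response.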

03/11/2016

6.3.0

Java agent 6.3.0 can cause high memory usage on JDK 8

We have received reports of increased memory usage of the JVM process after updating the Java agent to version 6.3.0. Native memory usage can rise by a substantial amount and eventually affect the application. Occurrences so far are very sporadic. Through further analysis, the issue has been narrowed down to be specific to Java 8 and related to the way the JVM handles injection of dynamic classes.

The root cause is an issue in the JVM. The agent happens to trigger or amplify this JVM issue. Dynatrace has reported this bug to the JVM provider, who has acknowledged it. Refer to JDK-8152271 for details.

The 6.3.1 public update as well as later updates contain a code change that works around this JVM issue.

A temporary workaround that avoids the issue can be implemented as follows:

  • On the collector that the Java agent connects to, edit dtcollector.ini

  • Add the line -Dcom.dynatrace.diagnostics.core.instrumentation.enableJava8Transformations=false

  • Restart the collector

  • Restart the agent

  • This workaround can and should be removed as soon as update 6.3.1 has been installed

If you are using a Java agent to monitor applications on JDK 8, we recommend implementing the workaround proactively or installing the 6.3.1 update or a later update in order to avoid the issue.

The internal tracking number of this issue is JLT-145158.

For further questions, do not hesitate to contact technical support.

  1. Implement workaround
  2. OR install 6.3.1 or later updates

11/04/2015

6.2.x

Windows agent installer 6.2.0.1300 released

We have released updated agent installers for the Windows platform. The update is available on the downloads page as "All Agents for Windows": dynatrace-agent-6.2.0.1300.msi.

The update fixes the following issues in the Windows bootstrap agent.

JLT-134659 - if multiple agents start concurrently some of them may start non-instrumented

The above issue can be observed intermittently if multiple agents are launched at the same time. This is particularly common when the IIS web server is restarted and multiple application pools containing an agent each get bounced.

The bootstrap agent log would contain the following error message:

severe [native] Caught exception at src\technology\dotnet\COMServerBootstrap.cpp:141 - 
Access is denied.

JLT-129621 - the DT_DISABLEINITIALLOGGING debug flag does not work in 6.2

This debug flag is used to suppress agent output in scenarios when the console output of the monitored application must not be changed under any circumstances. The update ensures the debug flag works properly in 6.2 bootstrap agents.

Note: the full installers for the Windows platform do not contain this update. Please use the separate agent installer dynatrace-agent-6.2.0.1300.msi to get the 6.2.0.1300 bootstrap agent.

1. Uninstall 6.2.0.1239 Windows agent, download and install 6.2.0.1300 Windows agent

09/07/2015

6.2.0.x

Java applications may fail to start due to defect JLT-128557

The defect JLT-128557 "Sensor packs partially deleted from Server directory by Selfmon Collector on UNIX based systems" that was present in Dynatrace 6.2.0 and has already been fixed in the public update 6.2.1.1027 can cause Java applications to fail to initialize properly. The Java application may abort the startup process or hang during startup. The following error message is printed in the application log:

java.lang.NoSuchFieldError: dt_initialized

Due to the risk of a severe impact, customers are advised to install the public update 6.2.1.1027 as soon as possible. This update will avoid the issue. The fix is also included in future public updates.

Note: the update will avoid the issue but will not undo the damage caused by the issue once it has occurred already. In such a case, you may find built-in sensor packs missing from DT_HOME/server/conf/sensors/plugins. They must be restored manually. Please restore them from a fresh installation or contact support to get assistance doing this.

1. Install 6.2.1.1027 or later builds

2. OR contact technical support

08/21/2015

Android mobile ADK < 6.0.0.7132

No UEM data from Dynatrace 6.0 Android mobile ADK agent after upgrading to Dynatrace 6.1 or 6.2

Customers migrating from Dynatrace 6.0 to Dynatrace 6.1 or 6.2 may experience an issue wherein Android mobile ADK agents (version lower than 6.0.0.7132) are no longer capturing UEM data. This issue is due to changes in the communication protocol between the Android mobile ADK agent and the web server agent or Java agent. Dynatrace is aware of this issue and is working with affected customers on a solution.

You are affected under the following conditions:

  • Android mobile ADK version lower than 6.0.0.7132 (downloaded before Feb 16th 2015)
  • AND Dynatrace web server or Java agent 6.1 or 6.2 

You are not affected:

  • If you are using the latest Android 6.0 mobile ADK (6.0.0.7132)
  • If you are using a Dynatrace 6.0 web server or Java agent to receive UEM data from the Android mobile ADK
  • Mobile ADKs for iOS are not affected

Affected customers are advised to update their mobile applications to the latest Android mobile ADK agent (6.0.0.7132, 6.1.x, 6.2.x). Should that not be possible, please contact technical support for alternative solutions. 

Note: this technical alert will remain valid if you migrate from 6.0 to 6.1.x or 6.2.x at a later time.

  1. Upgrade Android mobile ADK to 6.0.0.7132 or 6.1.x/6.2.x
  2. OR contact technical support
07/07/2015

6.2.0.1238 and below

Early custom updates (6.2.0.3002-3022, 6.2.0.3025)

 

Performance warehouse data may be missing from charts after migrating to Dynatrace 6.2 from 6.0 or lower

A severe issue was discovered in Dynatrace 6.2 that can lead to inaccessibility of historical data in the performance warehouse when migrating from earlier releases except 6.1. The issue can be resolved by following the steps in this tech alert. The root cause is a defect in the database migration code for schema migrations from 6.0 and lower to 6.2. Affected customers are advised to take the recommended actions immediately.

Symptom: Charts remain empty or show partial data only

You are affected if:

  • You are using Dynatrace 6.2 
  • AND you perform a migration from Dynatrace 6.0 and lower

You are not affected if:

  • You have installed Dynatrace 6.2 from scratch (no migration)
  • OR if you migrate from Dynatrace 6.1

Customers that are planning a migration from 6.0 and lower to 6.2 should download build 6.2.0.1239 from the Downloads page. This updated release prevents the issue for future migrations but will not correct it if you have migrated already.

Affected customers who have already upgraded to version 6.2 from 6.0 and lower should contact technical support to obtain instructions on how to correct the issue.

Customers who migrate from version 6.1 to 6.2 do not need to take any action about this issue.

Customers who install 6.2 from scratch do not need to take any action about this issue.

 

  1. If you have already migrated to 6.2 from 6.0 and earlier and experience the issue, contact support
  2. If you are about to migrate to 6.2 from 6.0 and earlier, download and use 6.2.0.1239 instead of 6.2.0.1238
05/26/2015

all

Linux leap second bug may affect Dynatrace

In many environments, a leap second insertion will happen on June 30th 2015 at 23:59:60 UTC. Due to a bug in older Linux kernels, Java applications may stop working properly under certain circumstances.

Our internal tests have shown that this Linux kernel issue can also affect Dynatrace when running on a Linux kernel 3.3 or lower.

Systems running an OS other than Linux are not affected. Linux kernels 3.4 and higher are not affected.

Please note: if the system locks up or shows other malfunction due to the issue, a reboot of the machine will restore normal operation. An application restart is not sufficient.


Further reading:

https://access.redhat.com/articles/15145

http://www.datastax.com/dev/blog/preparing-for-the-leap-second
  1. Check if you are affected and upgrade Linux kernel to version 3.4 or higher; contact OS vendor for backport of fix
  2. If the issue has already occurred, reboot the machine to restore normal operation
05/19/2015

6.1

 

Dynatrace 6.1 public fixpack 3 (6.1.0.8154) released

The fixpack addresses the following issues:

  • JLT-123658: Potential instrumented application or agent crash on Windows with certain network interface names
  • As well as ~150 issues in areas like: Agents, UEM, Client, Server, Collector, PHP, WebUI and more.

All changes from previous public fixpacks for 6.1 are included.

We recommend to install the fixpack in the following cases:

  • proactively, in case you are setting up a new Dynatrace environment
  • if you experience an issue in the mentioned areas
  • if an issue you experience matches the description of the fixes contained in the fixpack

The fixpack can be downloaded from: Compuware APM downloads.
Please check the included release notes for details.

  1. Download the fixpack
  2. Install the DTF file in Settings -> Server -> FixPacks
  3. Follow instructions
  4. Agent-side fixes will take effect after an agent restart
03/24/2015

6.1

 

Dynatrace 6.1 public fixpack 2 (6.1.0.8105) released

The fixpack addresses the following issues:

  • 93 fixes in areas like UEM, Client, Server, Collector, PHP, WebUI, Webserver Agent, .NET Agents and others,
  • TechAlert from 03/02/2015 regarding Automatic server restarts,
  • TechAlert from 03/02/2015 regarding Test Connection, Error: Unknown proxy type: HTTP

We recommend to install the fixpack in the following cases:

  • proactively, in case you are setting up a new Dynatrace environment
  • if you experience an issue in the mentioned areas
  • if an issue you experience matches the description of the fixes contained in the fixpack

The fixpack can be downloaded from: Compuware APM downloads.
Please check the included release notes for prerequisites and details.

  1. Download the fixpack
  2. Install the DTF file in Settings -> Server -> FixPacks
  3. Follow instructions
  4. Agent-side fixes will take effect after an agent restart
03/02/2015

6.1

Automatic server restarts

We have received reports of Dynatrace server restarts caused by the watchdog. We have analyzed this issue and identified the root cause to be a regular expression evaluating a specifically crafted user-agent string. The issue occurs whenever such a user-agent string is captured by Dynatrace on a monitored system such as a web server or application server.

A sure symptom of this problem is the log message:

"RealTimePathAnalysisWorkerThread-*" Id=* RUNNABLE
	at java.util.regex.Pattern$Curly.match0(Pattern.java:4170)
	at java.util.regex.Pattern$Curly.match(Pattern.java:4132)
	at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3715)

in the server logfile. The thread-name and id can vary.

This issue will be addressed in the next public fixpack.

If you are affected by this problem and see the above error message, please open a support case referencing this TechAlert.

  • Install upcoming public fixpack
  • OR Contact support to receive a workaround
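
A check for this symptom in server thread dumps, as an added Python example (not Dynatrace code). It goes one step beyond the alert by comparing several dumps, on the assumption that a worker seen inside java.util.regex.Pattern in every consecutive dump is stuck rather than briefly matching; the dumps are constructed around the stack frames quoted above, and all function names are hypothetical.

```python
import re

# Thread header as shown in the alert: "<name>" Id=<number> <STATE>
HEADER = re.compile(r'^"(?P<name>[^"]+)" Id=(?P<id>\d+) (?P<state>[A-Z_]+)')
FRAME = re.compile(r"^\s*at (?P<frame>[^\s(]+)\(")
WORKER_PREFIX = "RealTimePathAnalysisWorkerThread-"


def parse_threads(dump):
    """Return a list of (name, id, state, frames) for each thread block."""
    threads, current = [], None
    for line in dump.splitlines():
        header = HEADER.match(line)
        if header:
            current = (header["name"], int(header["id"]), header["state"], [])
            threads.append(current)
            continue
        frame = FRAME.match(line)
        if frame and current is not None:
            current[3].append(frame["frame"])
        elif not line.strip():
            current = None  # a blank line ends the thread block
    return threads


def matches_alert(name, state, frames):
    """True for a RUNNABLE analysis worker whose top frame is in the regex engine."""
    return (name.startswith(WORKER_PREFIX)
            and state == "RUNNABLE"
            and bool(frames)
            and frames[0].startswith("java.util.regex.Pattern$"))


def suspects(dump):
    """Thread ids in one dump that show the signature from the alert."""
    return {tid for name, tid, state, frames in parse_threads(dump)
            if matches_alert(name, state, frames)}


def persistent_suspects(dumps):
    """Thread ids that show the signature in every dump (added heuristic)."""
    per_dump = [suspects(d) for d in dumps]
    return set.intersection(*per_dump) if per_dump else set()


# Constructed thread dumps, taken some time apart.
DUMP_1 = """\
"RealTimePathAnalysisWorkerThread-3" Id=142 RUNNABLE
    at java.util.regex.Pattern$Curly.match0(Pattern.java:4170)
    at java.util.regex.Pattern$Curly.match(Pattern.java:4132)
    at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3715)

"RealTimePathAnalysisWorkerThread-7" Id=150 RUNNABLE
    at java.util.regex.Pattern$Curly.match(Pattern.java:4132)

"RealTimePathAnalysisWorkerThread-4" Id=143 WAITING
    at java.lang.Object.wait(Native Method)

"ExampleOtherThread-1" Id=200 RUNNABLE
    at java.util.regex.Pattern$Curly.match0(Pattern.java:4170)
"""

DUMP_2 = """\
"RealTimePathAnalysisWorkerThread-3" Id=142 RUNNABLE
    at java.util.regex.Pattern$Curly.match0(Pattern.java:4170)
    at java.util.regex.Pattern$Curly.match(Pattern.java:4132)

"RealTimePathAnalysisWorkerThread-7" Id=150 RUNNABLE
    at java.net.SocketInputStream.read(SocketInputStream.java:150)
"""

if __name__ == "__main__":
    print("signature in first dump:", sorted(suspects(DUMP_1)))
    print("signature in every dump:", sorted(persistent_suspects([DUMP_1, DUMP_2])))
```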
03/02/2015

6.1

The operation "test connection" in the client fails with the error message "Unknown proxy type: HTTP"

We have identified an issue in Dynatrace 6.1 (including the public fixpack released on Feb 17th, 2015) that causes the “test connection” operation in the dynatrace client to fail. The connection test will be unsuccessful and the client reports the following exception in an error dialog: “SocketException: Unknown proxy type: HTTP”. The issue only affects the connection test, not the actual connection that can be done independently of the optional connection test. The root cause of the issue is incorrect handling of HTTP proxies that are configured in the customer environment.

A fix for this issue is planned for the next public fixpack. As a workaround, we suggest to connect the client to the server without a connection test.

  • Connect to the server without connection test
  • OR contact support to receive a fix
  • OR change computer’s network configuration and remove any HTTP proxies
02/17/2015

5.6

6.1

Dynatrace web server agent may cause Apache worker processes on Unix-like operating systems to become unresponsive

Due to a defect in the Dynatrace web server agent, worker processes started by the Apache web server may become unresponsive. The root cause has been identified as an issue with holding a mutex while forking a worker process (6.0) and handling of Unix signals in worker processes (6.1). Due to this, worker processes will not start up or recycle correctly when requested to do so in the respective versions.

The issue affects Apache web servers and derived products like IHS and OHS on Unix-like operating systems such as AIX and Linux. The probability of the issue during normal operation is low, however the issue is more likely during manual or scheduled restarts of Apache or in situations of very high load and frequent restarts of worker processes, e.g. if the Apache web server is configured with a non-zero MaxRequestsPerChild parameter that causes the worker processes to recycle frequently.

The issue affects Dynatrace 5.6, 6.0, and 6.1. A fix for Dynatrace 5.6 is available on demand. A fix for dynatrace 6.0 is not planned. A fix for dynatrace 6.1 is publicly available (build 8054 = public fixpack 1).

Recommendation: Migrate to Dynatrace 6.1 and install Dynatrace 6.1 public fixpack (build 8054)

Internal bug tracker IDs: JLT-102250, JLT-113611

Please contact support for detailed information.

Migration to 6.1 and installation of 6.1.0.8054.

If migration from 5.6 is not possible, request a fixpack from support.

02/17/2015

6.1.0.xxxx

 

Dynatrace 6.1 public fixpack 1 (6.1.0.8054) released

The fixpack addresses the following issues:

  • 44 fixes in areas like Webserver Agent, UEM, Client, PHP, WebUI, .NET Agents and others

We recommend to install the fixpack in the following cases:

  • proactively, in case you are setting up a new Dynatrace environment
  • if you experience an issue in the mentioned areas
  • if an issue you experience matches the description of the fixes contained in the fixpack

The fixpack can be downloaded from: Compuware APM downloads.
Please check the included release notes for prerequisites and details.

  1. Download the fixpack
  2. Install the DTF file in Settings -> Server -> FixPacks
  3. Follow instructions
  4. Agent-side fixes will take effect after an agent restart
02/11/2015

6.0.0.xxxx

 

Dynatrace 6.0 public fixpack 2 (6.0.0.7153) released

The fixpack addresses the following issues:

  • POODLE security vulnerability (solves TechAlert from 10/23/2014)
  • Webstart Client issues with Java 7u71, 7u72 and 8u25
  • UEM Licensing renewal not persisted (solves TechAlert from 12/17/2014)
  • 50 fixes in areas like UEM, Client, Host Monitoring, Java, .NET agents and others

We recommend to install the fixpack in the following cases:

  • proactively, in case you are setting up a new Dynatrace environment
  • if you experience an issue in the mentioned areas
  • if an issue you experience matches the description of the fixes contained in the fixpack

The fixpack can be downloaded from: Compuware APM downloads.
Please check the included release notes for prerequisites and details.

  1. Download the fixpack
  2. Install the DTF file in the "Plugins & FixPacks" dialog in "Server -> Settings"
  3. Restart the server and all collectors
  4. Agent-side fixes will take effect after an agent restart
01/27/2015

5.6.0.xxxx

 

Dynatrace 5.6 public fixpack 2 (5.6.0.6203) released

The fixpack addresses the following issues:

  • POODLE security vulnerability (solves TechAlert from 10/23/2014)
  • Webstart Client issues with Java 7u71, 7u72 and 8u25
  • UEM Licensing renewal not persisted (solves TechAlert from 12/17/2014)
  • 80 fixes in areas like UEM, Client, Webserver, Java, .NET agents and others

We recommend to install the fixpack in the following cases:

  • proactively, in case you are setting up a new Dynatrace environment
  • if you experience an issue in the mentioned areas
  • if an issue you experience matches the description of the fixes contained in the fixpack

The fixpack can be downloaded from: Compuware APM downloads.
Please check the included release notes for prerequisites and details.

  1. Download the fixpack
  2. Install the DTF file in the "Plugins & FixPacks" dialog in "Server -> Settings"
  3. Restart the server and all collectors
  4. Agent-side fixes will take effect after an agent restart
12/17/2014

4.2 – 6.1 built on or after June 16th, 2014

UEM volume is not renewed on the renewal date

Dynatrace has found a bug where the perpetual UEM volume is not renewed on the renewal date. Potentially affected are all versions (EAP, GA and fixpacks) of dynaTrace 4.2 - 6.1 that have been built on or after June 16th, 2014*.

The result of this problem, running out of UEM volume, can show up earlier or later depending on the surplus of annual volume, and users should get notified by a related server incident. If the volume is already at zero, a grace of 1/12th of the full perpetual amount is added (one month).
There is also a short time window of up to 1 hour where the correctly renewed volume is shown - so if the renewal happened at the moment of checking the "License" dialog, please additionally verify after 1 hour.

In case the renewal date has already been passed with an affected server running at that time, please verify the "License" dialog in the dynaTrace server settings and then contact dynaTrace licensing for a voucher replacement.

Additionally a fix for the next renewal occurrence is needed:

  • The upcoming 5.6 and 6.0 "public fixpack 2" builds and the 6.1 "public fixpack 1" will contain fixes for the issue.
  • If you are running any private fixpack for 4.2 to 6.1 built on or after the mentioned date*, please also contact dynaTrace support to determine whether
    1. the build is affected,
    2. a newer public fixpack can be used without losing fixes, or
    3. a new fixpack needs to be built.

* Check the server log, e.g.:

+------------------------------------------------------------------------
+ dynaTrace Server Copyright (C) 2004-2014 Compuware Corporation
+------------------------------------------------------------------------
+  Version 6.1.0.7880  built Wed Nov 26 15:15:06 CET 2014
...
  • Fixpack installation
  • If the renewal date has already been passed with affected build, additionally a voucher replacement is needed

10/23/2014

any

Dynatrace statement about SSLv3 vulnerability CVE-2014-3566 ("POODLE")

Dynatrace has analyzed the reported vulnerability CVE-2014-3566 ("POODLE SSLv3") and has evaluated its impact on the dynaTrace Application Monitoring Suite.

Dynatrace Application Monitoring components use an up-to-date version of the SSL protocol, but unfortunately the SSL specification and protocol allow a "downgrade" of the protocol to older versions so that older communication peers can still connect.

The reported vulnerability allows a malicious user to force such a downgrade and afterwards potentially decrypt the SSL encrypted communication if he can intercept and alter the data that is sent over the network (man-in-the-middle) between two processes which are communicating via a secure channel.

The dynaTrace components are using SSL for encrypted communication in the following cases:

  • SSL encrypted communication between dynaTrace Collector and dynaTrace Server
  • SSL encrypted communication between dynaTrace Client and dynaTrace Server
  • HTTPS communication for REST interfaces and the REST Website provided by the dynaTrace Server

As the dynaTrace Server is usually only deployed in internal networks where it is unlikely that such an attack is performed, we do not see high risk in this type of attack in such cases.

If you deployed components of dynaTrace reachable on the Internet, i.e. by sending traffic from agents via a dynaTrace Collector over the public Internet, there is a chance that you are affected. In urgent cases, please contact dynaTrace support to request a fixpack which disables the SSLv3 protocol. The fixpack will be available as a public fixpack at a later time.

More information about the vulnerability is available at https://www.openssl.org/~bodo/ssl-poodle.pdf and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

1. Request and install fixpack (optional)
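
A defender-side check for the downgrade described above, as an added example (not Dynatrace code): it reads the protocol version a server selected from a captured ServerHello record and lists the channels that ended up on SSLv3. The channel names follow the list above; the handshake bytes are constructed samples and the function names are hypothetical.

```python
import struct

# Protocol versions as they appear on the wire (major, minor).
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def server_hello_version(record: bytes) -> tuple:
    """Return the (major, minor) version the server selected in a raw ServerHello record.

    TLS 1.3 servers put 3.3 in this field, so they show up as TLSv1.2 here.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 6:
        raise ValueError("truncated handshake message")
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    return body[4], body[5]


def channels_on_sslv3(captures: dict) -> list:
    """Names of channels whose server selected SSLv3."""
    return sorted(name for name, rec in captures.items()
                  if server_hello_version(rec) == (3, 0))


def sample_server_hello(major: int, minor: int) -> bytes:
    """Build a minimal, constructed ServerHello record for the given version."""
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed captures for the three channels listed above.
CAPTURES = {
    "Collector -> Server": sample_server_hello(3, 0),
    "Client -> Server": sample_server_hello(3, 3),
    "REST/HTTPS": sample_server_hello(3, 1),
}

if __name__ == "__main__":
    for name, rec in CAPTURES.items():
        print(name, VERSION_NAMES.get(server_hello_version(rec), "unknown"))
    print("SSLv3 negotiated on:", channels_on_sslv3(CAPTURES))
```
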
10/02/2014

6.0.0.x

dynaTrace 6.0 public fixpack 6.0.0.7000 released

This is an informational entry to inform customers who are watching this page about the release of the dynaTrace 6.0 public fixpack build 7000.

The fixpack addresses several issues in the following areas: Server, Frontend server, Client, UEM, in total more than 25 improvements. The full list of fixes and instructions can be found in the text-file included in the download.

We recommend installing the fixpack in the following cases:

  • proactively, in case you are setting up a new dynaTrace environment
  • if you experience an issue related to the Server, Frontend server, Client or UEM
  • if an issue you experience matches the description of the fixes contained in the fixpack

If your installation is running a build version higher than 7000, then you already have all its fixes installed and can ignore this update.

This fixpack does not fix the issue regarding incorrect memory settings as posted here on 08/06/2014.

The fixpack can be downloaded from: Compuware APM downloads

  1. Download the fixpack
  2. In the dynaTrace client, install the DTF file in the "Plugins & FixPacks" dialog in "Server -> Settings"
  3. Follow instructions
08/11/2014

any

Java 7 updates 65 and 67 cause rendering issues in the dynaTrace Webstart client on Windows

After upgrading to Java 7 update 65 or 67, UI controls in the dynaTrace client appear broken. This includes missing text on buttons, tree controls that aren't drawn properly, and generally a different look and feel of the application. The issue affects SWT applications that are launched via Webstart on Windows, including the dynaTrace Webstart client.

The problem is caused by a change that was introduced in Oracle Java 7 updates 65 and 67. Further information about this issue can be found at the following locations:

https://community.oracle.com/thread/3587933

https://bugs.eclipse.org/bugs/show_bug.cgi?id=439759

The standalone dynaTrace client is not affected since it does not use the Webstart launcher.

As a workaround, we recommend not upgrading to Java 7 update 65 or 67 until a fix is available. Such a fix cannot be provided by Compuware.

We will update this tech alert as soon as an official fix is available for the Java Runtime Environment.

Update Aug 18:

Oracle has informed us that the Webstart client issue that causes this problem will be fixed in Java 7 Update 71 and Java 8 Update 25 (to be released in October 2014).

It is also possible to work around the issue by setting the Java property "deployment.security.use.insecure.launcher=true" in the deployment.properties file. Please refer to this page for a description of how to set properties.

Update Oct 23:

Java 7 update 71 and Java 8 update 25 have been released. They fix the Webstart GUI issue but introduce a new issue that prevents the Webstart client from starting. We do not recommend updating to Java 7 update 71 or Java 8 update 25 at this time.

Please contact dynaTrace support if you have questions regarding this issue.

1. Use the dynaTrace standalone client or portable client

2. OR roll back to Java 7 update 60 or lower

3. OR upgrade to Java 7 update 71 or Java 8 update 25 

4. OR set property as described in the description

08/06/2014

6.0.0.6733

dynaTrace 6.0 may operate with incorrect memory settings

Due to an issue in the dynaTrace 6.0 launcher, the server and frontend server Java processes may be launched with an incorrect heap size. In these cases, the launcher will not pass the proper JVM heap size to the Java server and frontend server processes – instead, the JVM will choose default values. Typically, the JVM will choose 25% of available system RAM as the default heap size which is unlikely to match the desired heap size for the server and frontend server processes and could lead to undefined behavior of these dynaTrace processes.

If you have downloaded dynaTrace 6.0 before Aug 6th 2014 (build number 6.0.0.6733), you are affected by the issue. Please re-download dynaTrace 6.0 from the downloads page. We have updated the installers to version 6.0.0.6738 that contains a fix for this issue.

If you have already installed dynaTrace 6.0 and prefer not to re-install with the new installer, please download and replace the launcher binaries that are available as a separate download.

The issue can also be worked around by adding the following dummy options to the files dtserver.ini and dtfrontendserver.ini:
-Xmx
-Xms

To achieve the workaround effect, it is not required to add any value after the Xmx and Xms options. This workaround is only recommended as a temporary solution in emergencies.

Generally, please note that as of dynaTrace 6.0, the memory settings Xmx and Xms are not evaluated when present in the ini files. Memory configuration has been changed to a set of pre-defined types (demo, small, medium, large, xlarge) that can be enabled using the “-memory” parameter in the dtserver.ini and dtfrontendserver.ini files. The usage of this parameter is described on the page Sizing Settings - they can be set using the dynaTrace client.

Please contact dynaTrace support if you have questions regarding this issue.

  1. Re-download and install dynaTrace 6.0 build 6738
  2. OR download updated launcher binaries from this page and replace these files manually
  3. OR use workaround as described in this tech alert (not recommended, only use as temporary solution)
04/18/2014

5.6.0.xxxx

 

dynaTrace 5.6 public fixpack released

This is an informational entry to inform customers who are watching this page about the release of the dynaTrace 5.6 public fixpack build 5924.

The fixpack addresses several issues in the following areas: PHP, UEM, licensing, more than 10 miscellaneous improvements. The full list of fixes can be found in the txt file included in the download.

We recommend installing the fixpack in the following cases:

  • proactively, in case you are setting up a new dynaTrace environment
  • if you experience an issue related to PHP, UEM, licensing
  • if an issue you experience matches the description of the fixes contained in the fixpack

The fixpack can be downloaded from: Compuware APM downloads

  1. Download the fixpack
  2. Install the DTF file in the "Plugins & FixPacks" dialog in "Server -> Settings"
  3. Restart the server and all collectors
  4. Agent-side fixes will take effect after an agent restart
01/28/2014

5.6.0.57xx

dynaTrace Agents (all technologies) can fail to reconnect after upgrading from dynaTrace 4.x or 5.x to dynaTrace 5.6.0.57xx; no data is captured.

Details:

Your application or application servers are not affected in any negative way. Not all dynaTrace installations are affected as the root-cause of this issue is related to a specific System Profile setting.

You are not affected if you do not find the string WebRequestProperty (case-insensitive search) in the files stored in /DTHOME/server/conf/profiles/.
In case the dynaTrace Server is installed on Linux, you can simply check this by executing the following command:
> grep -iHr 'WebRequestProperty' '/DTHOME/server/conf/profiles/'


Symptom:

After upgrading the dynaTrace Server and Collector to 5.6.0.57xx, previously connected dynaTrace Agents (i.e. 4.2.0.3154/5.0.0.3772/5.5.0.5226) consistently fail to reconnect.
The dynaTrace Client does not list the affected Agents in the Agent Overview either.

The dynaTrace Collector 5.6 log file repeatedly shows “Reading of SensorProperty of type WebRequestProperty not supported!” (see the dynaTrace 5.6 Documentation for further information on how to find the Collector logs)

1. Restart your applications or application servers once.

2. Use the latest dynaTrace Installer 5.6.0.5802, which is available on the product downloads.

3. Or contact support

12/11/2013

any

dynaTrace Webstart Client does not work with Java 6 update 65.

Details:

This version of Java 6 has not been released publicly - the latest public update is Java 6 update 45 which is not affected. The Critical Patch Update - October 2013 introduced new security requirements. All resources of a Java Web Start application and its JNLP file have to be signed. If they are not signed with the same certificate, application properties are not applied by Java Web Start. Without these properties the dynaTrace Client doesn’t work.

In case of a re-distributed Java Web Start application, the content of the JNLP file depends on the customer deployment and application arguments. For this purpose Java 7 supports signed JNLP templates, a feature which is not available with Java 6 update 65. Due to the missing support for JNLP templates in Java 6 update 65, the dynaTrace Webstart Client is incompatible with this private Java update.

Symptoms:

  • dynaTrace Webstart Client 5.5, 5.0 or lower doesn’t start
  • Dashboards cannot be opened with Webstart Client of dynaTrace 5.5 having FixPack 5.5.0.5562 installed
  • use dynaTrace standalone Client
  • use Java 6 update 60 or lower
  • apply public FixPack 5.5.0.5562 (or upgrade to a newer dynaTrace version) AND
    use Java 7
10/22/2013

5.5

JDBC Statement Aggregation can cause a NullPointerException in JDBC Sensor that crashes the Application

10/17/2013

5.5 or lower

dynaTrace WebStart client no longer starts after upgrading to Java 7 update 45.

Details:

dynaTrace Webstart Client 5.5 (or lower) doesn’t start with Oracle JRE 7 update 45 (or higher).

The problem is caused by a policy change in Oracle's Critical Patch Update (CPU) – October 2013, which no longer allows setting custom system properties for Web Start applications unless the optional JNLP signing feature is used. Since Eclipse RCP applications rely heavily on system properties such as eclipse.product, osgi.bundles or osgi.instance.area, several Eclipse RCP based applications that are launched via Java Web Start, like the dynaTrace Webstart Client, are affected.

Please note that Java 7 is not officially supported for dynaTrace 5.5 or lower.

  • install Public FixPack 5.5.0.5562
  • or use standalone client
  • or downgrade to Java 7 update 40 or lower
  • or upgrade to the upcoming dynaTrace 5.6
  1. Anonymous (login to see details)

    Did you know that you can add yourself as "watcher" of this page to get notified about new alerts published here?

  2. Anonymous (login to see details)

    click on tools, then select watch.

  3. Anonymous (login to see details)

    Done! Good advice!