https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/OpenSSL-CVE-2023-5678/m-p/240174#M3249 <P>No, you shall not remove those files.<BR /><BR />As stated above - Managed is not affected as it is not using the vulnerable code in this CVE.&nbsp; If you are still in doubt, reach out to Dynatrace as described here:&nbsp;<BR /><A href="https://docs.dynatrace.com/managed/shortlink/who-to-contact-security" target="_blank">https://docs.dynatrace.com/managed/shortlink/who-to-contact-security</A></P> Mon, 18 Mar 2024 08:11:56 GMT Julius_Loman 2024-03-18T08:11:56Z https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/OpenSSL-CVE-2023-5678/m-p/240143#M3246 <P>Tenable flag a medium vulnerability - <A href="https://www.tenable.com/cve/CVE-2023-5678" target="_blank">https://www.tenable.com/cve/CVE-2023-5678</A></P><P><BR />From Dynatrace official community post on CVE-2023-5678 was posted months back.</P><P>Quote: "Not affected. Vulnerable library is part of the base image"</P><P>Affected library: OpenSSL (1.0.2 - &lt;1.0.2zj, 1.1.0-&lt;1.1.1x, 3.0.0-&lt;3.0.13, 3.1.0-&lt;3.1.05)</P><P><A href="https://community.dynatrace.com/t5/Heads-up-from-Dynatrace/Dynatrace-CVE-status-Common-Vulnerabilities-and-Exposures/ta-p/214793" target="_blank">https://community.dynatrace.com/t5/Heads-up-from-Dynatrace/Dynatrace-CVE-status-Common-Vulnerabilities-and-Exposures/ta-p/214793</A></P><P><BR />In recent Dynatrace Managed version 1.286. Dynatrace actually went to update the OpenSSL to 1.1.1w. One version below x.</P><P>What baffles us is as follows</P><P>1) Since this is to Dynatrace not affected. Why would they upgrade to 1.1.1w?</P><P>2) And why wouldnt they go straight to 1.1.1x instead of 1.1.1w</P><P><BR />3) We even ask if we could remove the flagged file since we were told its part of the base image but were told there are dependecies.</P><P>Path - /usr/opt/dynatrace-managed/installer/bin/libssl.so.1.1<BR />Path - /usr/opt/dynatrace-managed/installer/bin/libcrypto.so.1.1</P><P>Path - /usr/install/_DTTMP_20230418_092419/bin/libssl.so.1.1<BR />Path - /usr/install/_DTTMP_20230418_092419/bin/libcrypto.so.1.1</P><P><BR />Could anyone enlighten us based on your expereience with Dynatrace? Thanks!</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 18 Mar 2024 06:45:21 GMT https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/OpenSSL-CVE-2023-5678/m-p/240143#M3246 Suryanto_1 2024-03-18T06:45:21Z https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/OpenSSL-CVE-2023-5678/m-p/240159#M3247 <P><a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/66727">@Suryanto_1</a>&nbsp; you are looking at a different component in the list of CVEs.<BR /><BR />For Managed it's further down in the list:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Julius_Loman_0-1710747308257.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/18335i14DC24539ACAE23B/image-size/medium?v=v2&amp;px=400" role="button" title="Julius_Loman_0-1710747308257.png" alt="Julius_Loman_0-1710747308257.png" /></span></P> Mon, 18 Mar 2024 07:35:40 GMT https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/OpenSSL-CVE-2023-5678/m-p/240159#M3247 Julius_Loman 2024-03-18T07:35:40Z https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/OpenSSL-CVE-2023-5678/m-p/240164#M3248 <P><SPAN>&nbsp;</SPAN>We even ask if we could remove the flagged file (below) as clealy the path are managed</P><P>However we were told its part of the base image and there are dependencies so its NOT recommended to remove!</P><P>Path - /usr/opt/dynatrace-managed/installer/bin/libssl.so.1.1<BR />Path - /usr/opt/dynatrace-managed/installer/bin/libcrypto.so.1.1</P><P>Path - /usr/install/_DTTMP_20230418_092419/bin/libssl.so.1.1<BR />Path - /usr/install/_DTTMP_20230418_092419/bin/libcrypto.so.1.1</P> Mon, 18 Mar 2024 07:39:26 GMT https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/OpenSSL-CVE-2023-5678/m-p/240164#M3248 Suryanto_1 2024-03-18T07:39:26Z https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/OpenSSL-CVE-2023-5678/m-p/240174#M3249 <P>No, you shall not remove those files.<BR /><BR />As stated above - Managed is not affected as it is not using the vulnerable code in this CVE.&nbsp; If you are still in doubt, reach out to Dynatrace as described here:&nbsp;<BR /><A href="https://docs.dynatrace.com/managed/shortlink/who-to-contact-security" target="_blank">https://docs.dynatrace.com/managed/shortlink/who-to-contact-security</A></P> Mon, 18 Mar 2024 08:11:56 GMT https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/OpenSSL-CVE-2023-5678/m-p/240174#M3249 Julius_Loman 2024-03-18T08:11:56Z