topic Re: Impact of log4j zero day vulnerability in Open Q&A

Impact of log4j zero day vulnerability

Enrico_F — Fri, 10 Dec 2021 12:10:16 GMT

Today a high severity zero day vulnerability impacting the very popular log4j package has been published:

https://www.randori.com/blog/cve-2021-44228/

https://www.lunasec.io/docs/blog/log4j-zero-day/

I would be interested to know if any Dynatrace components are known to be affected and if so, how exactly, what's the risk of compromise and if there is anything that can be done from a user/customer perspective to help minimize the risk of exploits.

I've already approached support but haven't received any response yet.

Any feedback is appreciated.

Re: Impact of log4j zero day vulnerability

Enrico_F — Fri, 10 Dec 2021 12:07:17 GMT

My own digging on our managed cluster nodes (1.226) has revealed this:

$ ls -l /opt/dynatrace-managed/elasticsearch/lib | grep log4j
-rw-r--r--. 1 dynatrace dynatrace 264060 May 11 2020 log4j-api-2.11.1.jar
-rw-r--r--. 1 dynatrace dynatrace 1607947 May 11 2020 log4j-core-2.11.1.jar

So it seems the bundled ES component might be affected...

Re: Impact of log4j zero day vulnerability

ben_davidson — Fri, 10 Dec 2021 16:39:18 GMT

Hi Enrico,

Our team is aware and actively investigating this issue. We've released the following statement:

Dynatrace is currently investigating potential exposure of the Log4Shell (CVE-2021-44228) vulnerability. Dynatrace is treating this as a critical vulnerability and follows its incident response procedures. In case Dynatrace identifies an exposure of this vulnerability to our customers, we are going to proactively inform affected customers within the next 72 hours.

Re: Impact of log4j zero day vulnerability

ChadTurner — Fri, 10 Dec 2021 20:48:35 GMT

Thanks @Enrico_F . Waiting on confirmation for SaaS Customers. I'll post any news we get.

Re: Impact of log4j zero day vulnerability

melorymonie — Fri, 10 Dec 2021 21:16:45 GMT

Hi,

is it possible to use Dynatrace to find all servers/services that use log4j?

Re: Impact of log4j zero day vulnerability

deon_allen — Fri, 10 Dec 2021 21:40:54 GMT

We found that only Synthetic use it. So if you have an activegate with synthetics on it will have Log4J.

Re: Impact of log4j zero day vulnerability

kb00563121 — Sat, 11 Dec 2021 03:04:31 GMT

we are using Activegate for our Synthetic Monitoring , will our Activegate and other systems were also get impacted and also we are using SaaS tenant.

Re: Impact of log4j zero day vulnerability

jonathanp — Sat, 11 Dec 2021 05:28:30 GMT

Hi All,

Does anyone have any updates on this?
Synthetics have log4j2, but what I can't tell is the version that it is running. -- anyone else ?

Would be good to know what Active Gate versions are affected..

Re: Impact of log4j zero day vulnerability

AntonioSousa — Sat, 11 Dec 2021 15:48:22 GMT

The new Application Security offering should be able to point this out in your applications.

Re: Impact of log4j zero day vulnerability

AntonioSousa — Sat, 11 Dec 2021 16:01:26 GMT

I have not confirmed, yes or no, that Synthetic Activegates are affected.

But looking at the description of the vulnerability, it will only happen if an attacker can inject some malicious code in synthetic measurements being done. I would say that most of the private synthetic use cases that I can imagine are not easily attackable.

For anyone involved, probably one of the best security measures would be cancelling LDAP traffic, or other JNDI related endpoints, out of the organization, in firewalls. Well, that should be something in place by default. It doesn't protect though against internal attackers. There are other mitigations possible, as referenced in https://logging.apache.org/log4j/2.x/security.html

Re: Impact of log4j zero day vulnerability

AntonioSousa — Sat, 11 Dec 2021 16:12:18 GMT

If the sha256 hash is the one below, it most certainly is:

d4485176aea67cc85f5ccc45bb66166f8bfc715ae4a695f0d870a1f8d848cc3d log4j-core-2.11.1.jar

Source: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha256sums.txt

Re: Impact of log4j zero day vulnerability

tarjei — Sat, 11 Dec 2021 20:21:42 GMT

We have been scanned multiple times from different clients. There are also multiple log4j components in dynatrace managed.

Would be nice to get some feed back one whether the different important flags are set, and whether DT Managed is vulnerable.

Re: Impact of log4j zero day vulnerability

anton_goosen — Sat, 11 Dec 2021 20:37:14 GMT

Dear valued customer,

We want to inform you that in response to the recently published vulnerability of log4j (CVE-2021-44228) the Dynatrace team has rigorously reviewed any potential exposure and risks arising from the vulnerability.

We have updated all components of our cloud services where a risk could not be ruled out and our cloud services are currently not exposed to the vulnerability. We have equally ruled out any potential risk for the Dynatrace Managed cluster and OneAgent.

While investigations are still ongoing, we have, out of an abundance of caution, provided updates for the Synthetic Chromium component (used only in ActiveGates running Private Synthetic tests) with an updated version of log4j which is not affected by this vulnerability.

By default, this upgrade is applied automatically. In case the auto update functionality for ActiveGates has been disabled, we recommend customers manually trigger the upgrade. The following Synthetic Chromium versions use the updated log4j version:

1.229.49.20211210-165018
1.227.31.20211210-164955
1.225.29.20211210-164930
1.223.30.20211210-164926

What do I do if I have questions?

If you have any questions, please reach out to us using our in-product assistance from within your Dynatrace environment or open a Ticket in our Support-Portal.

Sincerely,
Dynatrace ONE

Re: Impact of log4j zero day vulnerability

tarjei — Sat, 11 Dec 2021 20:41:41 GMT

Where did you get this? I have not gotten this.

Re: Impact of log4j zero day vulnerability

sureshKumarK — Sat, 11 Dec 2021 20:43:56 GMT

Hi, Could someone confirm whether any other component than Synthetic monitoring/Synthetic enabled with Activegate is also impacted because of this issue? Our security team is concerned about ongoing vulnerability. Appreciate if someone from Dynatrace confirm whether Dynatrace SaaS and/or Dynatrace Managed are impacted. Thanks, Suresh.

Re: Impact of log4j zero day vulnerability

stefan_lexow — Sat, 11 Dec 2021 21:06:58 GMT

Hey Tarjei, Dynatrace targeted this message to customers which actively use Private Synthetic locations. Let me know if there is anything else I can help you with.

Re: Impact of log4j zero day vulnerability

tarjei — Sat, 11 Dec 2021 21:09:44 GMT

We use and manage private synthetic for at least 10 different customers, so I find it a bit strange that this has not reached us?

Re: Impact of log4j zero day vulnerability

stefan_lexow — Sat, 11 Dec 2021 21:30:03 GMT

Hey Tarjei, can you confirm that you are signed up as an "emergency contact" for these clusters as documented here?
https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/configure-emergency-contacts-saas/

Re: Impact of log4j zero day vulnerability

Henmar — Sat, 11 Dec 2021 22:14:32 GMT

Hi Stefan. I can confirm that I'm emergency contact on one of our clusters and no email has been received.

/Thomas

Re: Impact of log4j zero day vulnerability

ben_wrightson — Sat, 11 Dec 2021 22:16:41 GMT

Hi Suresh,

Anton has mentioned the other components are not affected:
"We have updated all components of our cloud services where a risk could not be ruled out and our cloud services are currently not exposed to the vulnerability. We have equally ruled out any potential risk for the Dynatrace Managed cluster and OneAgent."
Will that help your security team?
If they have any more questions, I'd recommend to use the in-product chat or contacting Support.