topic Re: Dynatrace version 1.228.136 - fixes for vulnerabilities in Open Q&A

Dynatrace version 1.228.136 - fixes for vulnerabilities

leelamoneykanta — Tue, 18 Jan 2022 08:26:11 GMT

HI ALL,

Today we upgraded our dynatrace version to 1.228.136, does this version have any vulnerabilities, i hope fixes are done for his version? In the next few weeks we are going to update 1.230.148

Re: Dynatrace version 1.228.136 - fixes for vulnerabilities

MaciejNeumann — Tue, 18 Jan 2022 08:30:41 GMT

Hi @leelamoneykanta ,

In this article you can check all the updates about the Log4j vulnerability, with status of impact and updates for Dynatrace products:
Log4j vulnerability (Log4Shell)

Re: Dynatrace version 1.228.136 - fixes for vulnerabilities

Radoslaw_Szulgo — Tue, 18 Jan 2022 09:21:30 GMT

Yes, see updated release notes:

https://www.dynatrace.com/support/help/shortlink/release-notes-managed-sprint-228#managed-sprint-228-136

Update 136 (Build 1.228.136)

This cumulative update contains 4 resolved issue (including 3 vulnerability resolutions) and all previously released updates for the 1.228 release.

Cluster

Vulnerability: In response to CVE-2021-44228 and CVE-2021-45046, applied the recommended mitigation measures of removing `org/apache/logging/log4j/core/lookup/JndiLookup.class` from the Log4j library. (APM-342160)
Vulnerability: In response to CVE-2021-44832, CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046, applied the recommended mitigation measures of updating the log4j library to the latest version 2.17.1. In Premium HA installations log4j update will take place in near future. (APM-345946)
Vulnerability: In response to CVE-2021-44228 (Log4j vulnerability), JVM parameters have been extended for Dynatrace Server and Elasticsearch. (APM-341605)
Improved baselining alert sensitivity for Settings 2.0 configurations to ensure appropriate alerting. (APM-341879)

Re: Dynatrace version 1.228.136 - fixes for vulnerabilities

fstekelenburg — Wed, 26 Jan 2022 14:09:40 GMT

JndiLookup.class is still part of the updated esshadow7-7.10.0-11.jar, after latest Managed update.
Is this still a concern? It triggers the deep scans of customer's hosting provider

/var/opt/dynatrace/managed/server/lib/esshadow7-7.10.0-11.jar | grep JndiLookup
3143 12-27-2021 17:30 org/apache/logging/log4j/core/lookup/JndiLookup.class

Elasticsearch itself removed the class from their updated code:
Introducing 7.16.2 and 6.8.22 releases of Elasticsearch and Logstash to upgrade Apache Log4j2 | Elastic Blog

Re: Dynatrace version 1.228.136 - fixes for vulnerabilities

Radoslaw_Szulgo — Wed, 26 Jan 2022 14:30:04 GMT

That's not the Elasticsearch server but our Dynatrace Server. Specifically this is Elasticsearch client library. The Log4j library used in the Elasticsearch client library (esshadow-7.10.0-x.jar) was not affected by any of the Log4j CVEs and was also updated to 2.17.1 in Dynatrace Managed version 1.228.136.20220113-162730 and greater.

Re: Dynatrace version 1.228.136 - fixes for vulnerabilities

fstekelenburg — Thu, 27 Jan 2022 09:44:22 GMT

Thanks, adding the similar response I received from support with details:

As for the esshadow jar did originally contain the JndiLookup.class file, but future releases will have this removed (Managed 1.234+ will have this removed). However, please note, esshadow does not call the vulnerable code at all. The log4j library bundled in esshadow is only used in exactly one spot to log an internal class name. No user input is ever logged by this log4j instance. However, if this is still present this can also be removed with the below zip command, followed by a restart of the cluster.

zip -q -d <jar-filename> org/apache/logging/log4j/core/lookup/JndiLookup.class