https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-LUCKY13-Vulnerability-for-our-Managed-component/ta-p/242425 <H2>Self Service Summary</H2> <P>Some customers have detected exposure to the "<STRONG>LUCKY13 Vulnerability attack</STRONG>" in their VA scans for our Managed component.<BR />Also known as <A title="CVE-2013-0169" href="https://nvd.nist.gov/vuln/detail/CVE-2013-0169" target="_blank" rel="noopener"><STRONG>CVE-2013-0169</STRONG></A>, this vulnerability has been analyzed and fixed.</P> <P><STRONG>We are not affected</STRONG>, there is no risk that the “Lucky13” can be exploited on our systems.</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD>Issue</TD> <TD>Solution</TD> <TD>Tasks</TD> <TD>Alternative(s)</TD> </TR> <TR> <TD width="187.716px">LUCKY13 Vulnerability attack</TD> <TD width="74.9091px">We are not affected.</TD> <TD width="148.739px"><SPAN>Check below information and explain it to your Security Team</SPAN></TD> <TD width="399.545px"> <P><SPAN>The implementations used by Dynatrace are all up to date and contain the corresponding patches.</SPAN></P> <P><SPAN>Please submit a Support ticket if you have additional questions or concerns.</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>The use of cipher suites for TLS that operate in CBC mode can be considered an issue if the underlying implementation is not protected against this kind of attack.</P> <P>The “Lucky13” timing attack was found in 2013 and, as also stated in NVD - CVE-2013-0169, has since been mitigated in several libraries like: OpenSSL, PolarSSL, Mozilla NSS, gnuTLS, BouncyCastle, and basically all other industry-relevant libraries used for cryptographic purposes.</P> Wed, 17 Apr 2024 15:12:21 GMT LucaGalliani 2024-04-17T15:12:21Z https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-LUCKY13-Vulnerability-for-our-Managed-component/ta-p/242425 <H2>Self Service Summary</H2> <P>Some customers have detected exposure to the "<STRONG>LUCKY13 Vulnerability attack</STRONG>" in their VA scans for our Managed component.<BR />Also known as <A title="CVE-2013-0169" href="https://nvd.nist.gov/vuln/detail/CVE-2013-0169" target="_blank" rel="noopener"><STRONG>CVE-2013-0169</STRONG></A>, this vulnerability has been analyzed and fixed.</P> <P><STRONG>We are not affected</STRONG>, there is no risk that the “Lucky13” can be exploited on our systems.</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD>Issue</TD> <TD>Solution</TD> <TD>Tasks</TD> <TD>Alternative(s)</TD> </TR> <TR> <TD width="187.716px">LUCKY13 Vulnerability attack</TD> <TD width="74.9091px">We are not affected.</TD> <TD width="148.739px"><SPAN>Check below information and explain it to your Security Team</SPAN></TD> <TD width="399.545px"> <P><SPAN>The implementations used by Dynatrace are all up to date and contain the corresponding patches.</SPAN></P> <P><SPAN>Please submit a Support ticket if you have additional questions or concerns.</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>The use of cipher suites for TLS that operate in CBC mode can be considered an issue if the underlying implementation is not protected against this kind of attack.</P> <P>The “Lucky13” timing attack was found in 2013 and, as also stated in NVD - CVE-2013-0169, has since been mitigated in several libraries like: OpenSSL, PolarSSL, Mozilla NSS, gnuTLS, BouncyCastle, and basically all other industry-relevant libraries used for cryptographic purposes.</P> Wed, 17 Apr 2024 15:12:21 GMT https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-LUCKY13-Vulnerability-for-our-Managed-component/ta-p/242425 LucaGalliani 2024-04-17T15:12:21Z