18 Mar 2024 06:45 AM
Tenable flags a medium vulnerability - https://www.tenable.com/cve/CVE-2023-5678
The official Dynatrace community post on CVE-2023-5678 was posted months back.
Quote: "Not affected. Vulnerable library is part of the base image"
Affected library: OpenSSL (1.0.2 - <1.0.2zj, 1.1.0-<1.1.1x, 3.0.0-<3.0.13, 3.1.0-<3.1.05)
In the recent Dynatrace Managed version 1.286, Dynatrace actually updated OpenSSL to 1.1.1w, one version below x.
What baffles us is as follows:
1) Since, according to Dynatrace, this is not affected, why would they upgrade to 1.1.1w?
2) And why wouldn't they go straight to 1.1.1x instead of 1.1.1w?
3) We even asked if we could remove the flagged files, since we were told they are part of the base image, but were told there are dependencies.
Path - /usr/opt/dynatrace-managed/installer/bin/libssl.so.1.1
Path - /usr/opt/dynatrace-managed/installer/bin/libcrypto.so.1.1
Path - /usr/install/_DTTMP_20230418_092419/bin/libssl.so.1.1
Path - /usr/install/_DTTMP_20230418_092419/bin/libcrypto.so.1.1
Could anyone enlighten us based on your experience with Dynatrace? Thanks!
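As an added illustration (not part of the original post or of Dynatrace's or Tenable's tooling), the following script does what a file-based scanner does with the paths listed above: it pulls the embedded OpenSSL version string out of a shared library and compares it against the affected ranges quoted in the post, using OpenSSL's letter-suffix ordering so that 1.1.1w sorts below 1.1.1x and 1.0.2zi below 1.0.2zj. The library bytes are a constructed stand-in for libssl.so.1.1, and the 3.1 upper bound is written as OpenSSL numbers it (3.1.5, given as 3.1.05 in the post).

```python
import re
from typing import Optional

# Constructed stand-in for a libssl.so.1.1 file: an ELF-like header followed by the
# version string OpenSSL embeds in libssl/libcrypto (format: "OpenSSL 1.1.1w  11 Sep 2023").
SAMPLE_LIBSSL = b"\x7fELF" + b"\x00" * 16 + b"OpenSSL 1.1.1w  11 Sep 2023\x00" + b"\x00" * 8

VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")

# Affected ranges as listed in the post: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ("1.0.2", "1.0.2zj"),
    ("1.1.0", "1.1.1x"),
    ("3.0.0", "3.0.13"),
    ("3.1.0", "3.1.5"),
]


def extract_openssl_version(blob: bytes) -> Optional[str]:
    """Return the first embedded OpenSSL version (e.g. '1.1.1w'), or None if absent."""
    m = VERSION_RE.search(blob)
    return (m.group(1) + m.group(2)).decode() if m else None


def version_key(ver: str) -> tuple:
    """Sortable key implementing OpenSSL ordering.

    1.x releases use a letter suffix: '' < 'a' < ... < 'z' < 'za' < 'zb' < ... ;
    comparing (len(suffix), suffix) reproduces that. 3.x releases have no suffix,
    so the numeric patch level decides (3.0.12 < 3.0.13).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", ver)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {ver!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), len(letters), letters)


def is_affected(ver: str) -> bool:
    """True if the version falls inside any range the post lists for CVE-2023-5678."""
    k = version_key(ver)
    return any(version_key(lo) <= k < version_key(hi) for lo, hi in AFFECTED_RANGES)


def scan_library(blob: bytes) -> dict:
    """Scanner-style verdict for one library file: which version it carries and whether it is flagged."""
    ver = extract_openssl_version(blob)
    return {"version": ver, "flagged": ver is not None and is_affected(ver)}


if __name__ == "__main__":
    print(scan_library(SAMPLE_LIBSSL))  # the constructed 1.1.1w library is still flagged
```

A version-string match is all a scanner has to go on; it cannot tell whether the vulnerable DH key-generation code is ever reached by the product, which is the basis of the vendor's "not affected" statement.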
18 Mar 2024 07:35 AM
@Suryanto_1 you are looking at a different component in the list of CVEs.
For Managed it's further down in the list:
18 Mar 2024 07:39 AM
We even asked if we could remove the flagged files (below), as clearly the paths are managed.
However, we were told they are part of the base image and there are dependencies, so it's NOT recommended to remove them!
Path - /usr/opt/dynatrace-managed/installer/bin/libssl.so.1.1
Path - /usr/opt/dynatrace-managed/installer/bin/libcrypto.so.1.1
Path - /usr/install/_DTTMP_20230418_092419/bin/libssl.so.1.1
Path - /usr/install/_DTTMP_20230418_092419/bin/libcrypto.so.1.1
18 Mar 2024 08:11 AM
No, you shall not remove those files.
As stated above - Managed is not affected as it is not using the vulnerable code in this CVE. If you are still in doubt, reach out to Dynatrace as described here:
https://docs.dynatrace.com/managed/shortlink/who-to-contact-security