
OpenSSL CVE-2023-5678

Suryanto_1
Helper

Tenable flags a medium vulnerability - https://www.tenable.com/cve/CVE-2023-5678


The official Dynatrace community post on CVE-2023-5678 was posted months back.

Quote: "Not affected. Vulnerable library is part of the base image"

Affected library: OpenSSL (1.0.2 - <1.0.2zj, 1.1.0-<1.1.1x, 3.0.0-<3.0.13, 3.1.0-<3.1.05)

https://community.dynatrace.com/t5/Heads-up-from-Dynatrace/Dynatrace-CVE-status-Common-Vulnerabiliti...


In the recent Dynatrace Managed version 1.286, Dynatrace actually went to update OpenSSL to 1.1.1w, one version below x.

What baffles us is as follows:

1) Since, according to Dynatrace, this is not affected, why would they upgrade to 1.1.1w?

2) And why wouldn't they go straight to 1.1.1x instead of 1.1.1w?


3) We even asked if we could remove the flagged file, since we were told it's part of the base image, but were told there are dependencies.

Path - /usr/opt/dynatrace-managed/installer/bin/libssl.so.1.1
Path - /usr/opt/dynatrace-managed/installer/bin/libcrypto.so.1.1

Path - /usr/install/_DTTMP_20230418_092419/bin/libssl.so.1.1
Path - /usr/install/_DTTMP_20230418_092419/bin/libcrypto.so.1.1


Could anyone enlighten us based on your experience with Dynatrace? Thanks!
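An added example, not from the original post or from Dynatrace: a small Python inventory check that reproduces what a scanner like Tenable sees on disk. It pulls the OpenSSL version banner out of a library file, compares it against the first fixed release of each branch quoted above (the post's "3.1.05" is read as 3.1.5), and handles the letter patch levels of 1.x where "1.1.1w" sorts below "1.1.1x" and "1.0.2z" below "1.0.2zj". It answers only "is this file below the fixed release"; whether the vulnerable code path is actually used, which is what the "not affected" status rests on, is a separate question for the vendor.

```python
import re
from pathlib import Path

# First fixed release per branch, taken from the ranges quoted in the post
# (the post's "3.1.05" is read as 3.1.5). Branches not listed stay unfixed.
FIXED = {"1.0.2": "1.0.2zj", "1.1.1": "1.1.1x", "3.0": "3.0.13", "3.1": "3.1.5"}

# Version banner embedded in libssl/libcrypto, e.g. "OpenSSL 1.1.1w  11 Sep 2023".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def parse_version(v: str):
    """Split '1.1.1w' into ((1, 1, 1), (1, 'w')) so letter patch levels order
    correctly: 1.x used a..z and then za..zz, so compare length before text."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    letters = m.group(4)
    return nums, (len(letters), letters)


def branch_of(v: str) -> str:
    """1.x branches are named by three numbers (1.1.1), 3.x by two (3.0)."""
    nums, _ = parse_version(v)
    return ".".join(map(str, nums if nums[0] == 1 else nums[:2]))


def is_fixed(v: str) -> bool:
    """True when v is at or above the first fixed release of its branch."""
    fixed = FIXED.get(branch_of(v))
    return fixed is not None and parse_version(v) >= parse_version(fixed)


def assess_blob(data: bytes):
    """Return [(version, fixed?)] for every OpenSSL banner found in a binary."""
    found = sorted({m.group(1).decode() for m in BANNER_RE.finditer(data)})
    return [(v, is_fixed(v)) for v in found]


def assess_file(path: str):
    """Same check against a library on disk, e.g. the libssl.so.1.1 paths above."""
    return assess_blob(Path(path).read_bytes())


# Constructed stand-in for the bytes of a 1.1.1w libssl.so.1.1 (not a real file).
SAMPLE_LIBSSL = b"\x7fELF...\x00OpenSSL 1.1.1w  11 Sep 2023\x00..."

if __name__ == "__main__":
    for version, fixed in assess_blob(SAMPLE_LIBSSL):
        print(f"OpenSSL {version}: {'fixed' if fixed else 'below fixed release'}")
```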


Julius_Loman
DynaMight Legend

@Suryanto_1 you are looking at a different component in the list of CVEs.

For Managed it's further down in the list:


Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

Suryanto_1
Helper

We even asked if we could remove the flagged files (below), as clearly the paths are managed.

However, we were told it's part of the base image and there are dependencies, so it's NOT recommended to remove!

Path - /usr/opt/dynatrace-managed/installer/bin/libssl.so.1.1
Path - /usr/opt/dynatrace-managed/installer/bin/libcrypto.so.1.1

Path - /usr/install/_DTTMP_20230418_092419/bin/libssl.so.1.1
Path - /usr/install/_DTTMP_20230418_092419/bin/libcrypto.so.1.1

No, you shall not remove those files.

As stated above - Managed is not affected as it is not using the vulnerable code in this CVE. If you are still in doubt, reach out to Dynatrace as described here:
https://docs.dynatrace.com/managed/shortlink/who-to-contact-security

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
