Dynatrace version 1.228.136 - fixes for vulnerabilities

leelamoneykanta
Newcomer

HI ALL,

 

Today we upgraded our Dynatrace version to 1.228.136. Does this version have any vulnerabilities? I hope fixes are done for this version. In the next few weeks we are going to update to 1.230.148.

5 REPLIES

MaciejNeumann
Community Team

Hi @leelamoneykanta ,

 

In this article you can check all the updates about the Log4j vulnerability, with status of impact and updates for Dynatrace products:
Log4j vulnerability (Log4Shell) 

 

If you have any questions about the Forum, you can contact me at maciej.neumann@dynatrace.com

Radoslaw_Szulgo
Dynatrace Guru

Yes, see updated release notes:

https://www.dynatrace.com/support/help/shortlink/release-notes-managed-sprint-228#managed-sprint-228...

 

Update 136 (Build 1.228.136)

This cumulative update contains 4 resolved issues (including 3 vulnerability resolutions) and all previously released updates for the 1.228 release.

Cluster

  • Vulnerability: In response to CVE-2021-44228 and CVE-2021-45046, applied the recommended mitigation measures of removing `org/apache/logging/log4j/core/lookup/JndiLookup.class` from the Log4j library. (APM-342160)
  • Vulnerability: In response to CVE-2021-44832, CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046, applied the recommended mitigation measures of updating the log4j library to the latest version 2.17.1. In Premium HA installations the log4j update will take place in the near future. (APM-345946)
  • Vulnerability: In response to CVE-2021-44228 (Log4j vulnerability), JVM parameters have been extended for Dynatrace Server and Elasticsearch. (APM-341605)
  • Improved baselining alert sensitivity for Settings 2.0 configurations to ensure appropriate alerting. (APM-341879)
Senior Product Manager,
Dynatrace Managed expert

fstekelenburg
DynaMight Pro

JndiLookup.class is still part of the updated esshadow7-7.10.0-11.jar, after the latest Managed update.
Is this still a concern? It triggers the deep scans of the customer's hosting provider.

 

unzip -l /var/opt/dynatrace/managed/server/lib/esshadow7-7.10.0-11.jar | grep JndiLookup
3143 12-27-2021 17:30 org/apache/logging/log4j/core/lookup/JndiLookup.class


Elasticsearch itself removed the class from their updated code:
Introducing 7.16.2 and 6.8.22 releases of Elasticsearch and Logstash to upgrade Apache Log4j2 | Elas... 

That's not the Elasticsearch server but our Dynatrace Server. Specifically, this is the Elasticsearch client library. The Log4j library used in the Elasticsearch client library (esshadow-7.10.0-x.jar) was not affected by any of the Log4j CVEs and was also updated to 2.17.1 in Dynatrace Managed version 1.228.136.20220113-162730 and greater.

 

Senior Product Manager,
Dynatrace Managed expert

Thanks, adding the similar response I received from support with details:

As for the esshadow jar, it did originally contain the JndiLookup.class file, but future releases will have this removed (Managed 1.234+ will have this removed). However, please note, esshadow does not call the vulnerable code at all. The log4j library bundled in esshadow is only used in exactly one spot to log an internal class name. No user input is ever logged by this log4j instance. However, if this is still present, this can also be removed with the below zip command, followed by a restart of the cluster.

 

zip -q -d <jar-filename> org/apache/logging/log4j/core/lookup/JndiLookup.class
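The check fstekelenburg ran with `unzip -l ... | grep JndiLookup` and the `zip -d` removal from support above both operate on one jar at a time. Below is an added example (written for this thread; it is not Dynatrace, Elastic or Apache code) that does the same two things across a whole directory tree with Python's standard `zipfile` module: it lists every jar (including jars nested inside a .war/.ear) that still carries `org/apache/logging/log4j/core/lookup/JndiLookup.class`, reads the bundled log4j-core version from its Maven `pom.properties`, and strips the class from top-level jars the way `zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class` does. The jar contents in `demo()` are constructed fixtures; the file name `esshadow7-7.10.0-11.jar` is taken from the thread but its contents here are synthetic, and the 2.17.1 threshold is the version the release notes above name as the target.

```python
"""Find and strip JndiLookup.class across a jar tree (added example, not vendor code)."""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
TARGET_VERSION = (2, 17, 1)  # version the thread's release notes update to
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); non-numeric suffixes such as '-rc1' are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def log4j_core_version(zf):
    """Version recorded in log4j-core's pom.properties, or None if absent."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(data, path):
    """Inspect archive bytes; recurse into nested archives (path!/inner.jar)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names or POM_PROPS in names:
            findings.append({"path": path,
                             "has_jndi_lookup": JNDI_LOOKUP in names,
                             "log4j_core_version": log4j_core_version(zf)})
        for name in sorted(names):
            if name.endswith(ARCHIVE_EXTS):
                try:
                    findings.extend(inspect_archive(zf.read(name), f"{path}!/{name}"))
                except zipfile.BadZipFile:
                    pass  # not a real archive; skip
    return findings


def scan_tree(root):
    """Walk root and inspect every jar/war/ear found on disk."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.endswith(ARCHIVE_EXTS[:3]):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    try:
                        findings.extend(inspect_archive(fh.read(), full))
                    except zipfile.BadZipFile:
                        pass
    return findings


def below_target(finding):
    """True when log4j-core is missing a version or is older than 2.17.1."""
    version = finding["log4j_core_version"]
    return version is None or parse_version(version) < TARGET_VERSION


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class (what `zip -q -d` does).
    Returns True if the entry was removed, False if it was not present."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap; keep a backup before doing this in production
    return True


def build_sample_jar(target, version, with_jndi=True):
    """Constructed fixture: minimal jar that looks like a log4j-core bundle."""
    with zipfile.ZipFile(target, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class magic only; constructed


def demo():
    """Scan constructed fixtures, strip top-level jars, rescan; returns a summary."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    # Mirrors the thread: esshadow at 2.17.1 but still shipping JndiLookup.class.
    build_sample_jar(os.path.join(root, "esshadow7-7.10.0-11.jar"), "2.17.1")
    inner = io.BytesIO()
    build_sample_jar(inner, "2.14.1")  # an old log4j-core nested in a war (constructed)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    before = scan_tree(root)
    # Nested entries ("!/" in path) are reported but not modified here; stripping
    # them means rewriting the outer archive, and an old version needs upgrading anyway.
    removed = [f["path"] for f in before
               if f["has_jndi_lookup"] and "!/" not in f["path"] and strip_jndi_lookup(f["path"])]
    return {"before": before, "removed": removed, "after": scan_tree(root)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against `/var/opt/dynatrace/managed/server/lib` (or any lib directory) by calling `scan_tree()` on that path; treat a finding as the hosting provider's scanner would (class present at all) and use `below_target()` to separate jars that merely need the class stripped from ones whose log4j-core is genuinely old. As support's advice says, a restart of the cluster follows any in-place modification of a jar.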