FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Impact of log4j zero day vulnerability

Go to solution
Enrico_F
DynaMight Pro
DynaMight Pro

‎10 Dec 2021 03:20 AM - edited ‎10 Dec 2021 04:10 AM

Today a high severity zero day vulnerability impacting the very popular log4j package has been published:

 

https://www.randori.com/blog/cve-2021-44228/

https://www.lunasec.io/docs/blog/log4j-zero-day/

 

I would be interested to know if any Dynatrace components are known to be affected and if so, how exactly, what's the risk of compromise and if there is anything that can be done from a user/customer perspective to help minimize the risk of exploits.

 

I've already approached support but haven't received any response yet.

 

Any feedback is appreciated.

Labels:
Reply
44 REPLIES 44

Go to solution
rastislav_danis
DynaMight Pro
DynaMight Pro

‎15 Dec 2021 04:37 AM

Fixed versions of Dynatrace mentioned in official communication:

1.230.127.20211213-130244, 1.228.131.20211213-130253, 1.226.128.20211213-130354
contains same elastic/log4j versions as nonfixed, but with added elastic jvm parameter "-Dlog4j2.formatMsgNoLookups=true".

0 Kudos
Reply

Go to solution
DTAnalyst
Visitor

‎15 Dec 2021 07:18 AM

Hey DnyaMight Pro

 

This of course is impacting our Managed Cluster Nodes!  We're currently on version 1.230.127.20211213-130244.  Our infosec team would like know if the lower lo4j (2.11) can be removed without causing any impact as our scans will continue to highlight these libraries..

Can the log4j be upgraded?  If so, what are the steps?  

0 Kudos
Reply

Go to solution
stefan_lexow
Dynatrace Advocate
Dynatrace Advocate

‎15 Dec 2021 11:15 AM

Dear valued customers,

 

we would like to inform you that Dynatrace just published a website summarizing the current state and findings in regards to the current log4j situation. You can find the article here:
https://www.dynatrace.com/news/security-alert/log4shell-log4j-vulnerability/

Dynatrace expects to update this document as new information becomes available.

Reply

Go to solution
MaciejNeumann
Community Team
Community Team

‎15 Dec 2021 11:55 AM - edited ‎15 Dec 2021 11:57 AM

As all official communication about this topic will be done from now on through the article Stefan posted, Dynatrace chat and support tickets, I'm closing this thread for now - as soon as I will get a green light again, it will be reopened (hopefully pretty shortly 🙂)

If you have any questions about the Forum, you can contact me at maciej.neumann@dynatrace.com
0 Kudos
Reply

Go to solution
ghaydtner
Community Team
Community Team

‎24 Jan 2022 05:45 AM - last edited on ‎25 Jan 2022 06:03 AM by Community Team

To learn more about how the Log4Shell vulnerability itself works and how to mitigate it, check out the following resources:

Reply
Ask a question