Today a high severity zero day vulnerability impacting the very popular log4j package has been published:
https://www.randori.com/blog/cve-2021-44228/
https://www.lunasec.io/docs/blog/log4j-zero-day/
I would be interested to know if any Dynatrace components are known to be affected and if so, how exactly, what's the risk of compromise and if there is anything that can be done from a user/customer perspective to help minimize the risk of exploits.
I've already approached support but haven't received any response yet.
Any feedback is appreciated.
Fixed versions of Dynatrace mentioned in official communication:
1.230.127.20211213-130244, 1.228.131.20211213-130253, 1.226.128.20211213-130354
These contain the same Elastic/log4j versions as the non-fixed ones, but with the added Elastic JVM parameter "-Dlog4j2.formatMsgNoLookups=true".
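To check whether a JVM on a host actually carries that mitigation, here is an added audit helper (example code, not from Dynatrace or from the poster). It parses a JVM command line for the log4j-core jar version and the `formatMsgNoLookups` property (or the equivalent `LOG4J_FORMAT_MSG_NO_LOOKUPS` environment variable) and classifies the exposure; the classpath layout and command lines are constructed samples, not real Dynatrace paths.

```python
import re
import shlex

# Constructed sample JVM command lines (hypothetical paths, not real Dynatrace/Elastic ones).
SAMPLE_FIXED = ("java -Xms2g -Dlog4j2.formatMsgNoLookups=true "
                "-cp /opt/elastic/lib/log4j-core-2.11.1.jar:/opt/elastic/lib/es.jar "
                "org.elasticsearch.bootstrap.Elasticsearch")
SAMPLE_UNFIXED = ("java -Xms2g -cp /opt/elastic/lib/log4j-core-2.11.1.jar "
                  "org.elasticsearch.bootstrap.Elasticsearch")

JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar")
PROP_PREFIX = "-Dlog4j2.formatMsgNoLookups="


def log4j_core_versions(cmdline):
    """Return every log4j-core version on the command line as a (major, minor, patch) tuple."""
    return [tuple(int(x) for x in m.groups()) for m in JAR_RE.finditer(cmdline)]


def lookups_disabled(cmdline, env):
    """True if message lookups are disabled via system property or environment variable."""
    for arg in shlex.split(cmdline):
        if arg.startswith(PROP_PREFIX):
            return arg[len(PROP_PREFIX):].lower() == "true"
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def assess(cmdline, env=None):
    """Classify each log4j-core jar found: 'patched', 'mitigated-by-flag', 'vulnerable' or 'unknown'.

    The formatMsgNoLookups switch only exists from log4j 2.10.0 onwards; older 2.x versions
    need an upgrade (or removal of the JndiLookup class) rather than the flag.
    2.15.0 fixed CVE-2021-44228 but was superseded by 2.16.0 (CVE-2021-45046), so 2.16.0 is
    used as the "patched" threshold here.
    """
    env = env or {}
    disabled = lookups_disabled(cmdline, env)
    findings = []
    for version in log4j_core_versions(cmdline):
        if version >= (2, 16, 0):
            findings.append("patched")
        elif version >= (2, 10, 0) and disabled:
            findings.append("mitigated-by-flag")
        elif version[0] == 2:
            findings.append("vulnerable")
        else:
            findings.append("unknown")  # log4j 1.x has a different threat model; review separately
    return findings
```

An empty result means no log4j-core jar was found on the command line; jars loaded from elsewhere (e.g. a manifest Class-Path or a fat jar) need a separate check.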
Hey DnyaMight Pro
This of course is impacting our Managed Cluster Nodes! We're currently on version 1.230.127.20211213-130244. Our infosec team would like to know if the lower log4j (2.11) can be removed without causing any impact, as our scans will continue to highlight these libraries.
Can the log4j be upgraded? If so, what are the steps?
Dear valued customers,
we would like to inform you that Dynatrace has just published a website summarizing the current state and findings regarding the log4j situation. You can find the article here:
https://www.dynatrace.com/news/security-alert/log4shell-log4j-vulnerability/
Dynatrace expects to update this document as new information becomes available.
As all official communication about this topic will from now on be done through the article Stefan posted, Dynatrace chat and support tickets, I'm closing this thread for now. As soon as I get a green light again, it will be reopened (hopefully pretty shortly 🙂).
24 Jan 2022 05:45 AM - last edited on 25 Jan 2022 06:03 AM by MaciejNeumann
To learn more about how the Log4Shell vulnerability itself works and how to mitigate it, check out the following resources: