Solved: Dynatrace version 1.228.136 - fixes for vulnerabilities

leelamoneykanta · ‎17 Jan 2022

HI ALL,

Today we upgraded our dynatrace version to 1.228.136, does this version have any vulnerabilities, i hope fixes are done for his version? In the next few weeks we are going to update 1.230.148

MaciejNeumann · ‎18 Jan 2022

Hi @leelamoneykanta ,

In this article you can check all the updates about the Log4j vulnerability, with status of impact and updates for Dynatrace products:
Log4j vulnerability (Log4Shell)

If you have any questions about the Community, you can contact me at maciej.neumann@dynatrace.com

Radoslaw_Szulgo · ‎18 Jan 2022

Yes, see updated release notes:

https://www.dynatrace.com/support/help/shortlink/release-notes-managed-sprint-228#managed-sprint-228...

Update 136 (Build 1.228.136)

This cumulative update contains 4 resolved issue (including 3 vulnerability resolutions) and all previously released updates for the 1.228 release.

Cluster

Vulnerability: In response to CVE-2021-44228 and CVE-2021-45046, applied the recommended mitigation measures of removing `org/apache/logging/log4j/core/lookup/JndiLookup.class` from the Log4j library. (APM-342160)
Vulnerability: In response to CVE-2021-44832, CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046, applied the recommended mitigation measures of updating the log4j library to the latest version 2.17.1. In Premium HA installations log4j update will take place in near future. (APM-345946)
Vulnerability: In response to CVE-2021-44228 (Log4j vulnerability), JVM parameters have been extended for Dynatrace Server and Elasticsearch. (APM-341605)
Improved baselining alert sensitivity for Settings 2.0 configurations to ensure appropriate alerting. (APM-341879)

Senior Product Manager,
Dynatrace Managed expert

fstekelenburg · ‎26 Jan 2022

JndiLookup.class is still part of the updated esshadow7-7.10.0-11.jar, after latest Managed update.
Is this still a concern? It triggers the deep scans of customer's hosting provider

/var/opt/dynatrace/managed/server/lib/esshadow7-7.10.0-11.jar | grep JndiLookup
3143 12-27-2021 17:30 org/apache/logging/log4j/core/lookup/JndiLookup.class

Elasticsearch itself removed the class from their updated code:
Introducing 7.16.2 and 6.8.22 releases of Elasticsearch and Logstash to upgrade Apache Log4j2 | Elas...

Kind regards, Frans Stekelenburg Certified Dynatrace Associate | measure.works, Dynatrace Partner

Radoslaw_Szulgo · ‎26 Jan 2022

That's not the Elasticsearch server but our Dynatrace Server. Specifically this is Elasticsearch client library. The Log4j library used in the Elasticsearch client library (esshadow-7.10.0-x.jar) was not affected by any of the Log4j CVEs and was also updated to 2.17.1 in Dynatrace Managed version 1.228.136.20220113-162730 and greater.

Senior Product Manager,
Dynatrace Managed expert

fstekelenburg · ‎27 Jan 2022

Thanks, adding the similar response I received from support with details:

As for the esshadow jar did originally contain the JndiLookup.class file, but future releases will have this removed (Managed 1.234+ will have this removed). However, please note, esshadow does not call the vulnerable code at all. The log4j library bundled in esshadow is only used in exactly one spot to log an internal class name. No user input is ever logged by this log4j instance. However, if this is still present this can also be removed with the below zip command, followed by a restart of the cluster.

zip -q -d <jar-filename> org/apache/logging/log4j/core/lookup/JndiLookup.class

Kind regards, Frans Stekelenburg Certified Dynatrace Associate | measure.works, Dynatrace Partner