This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dynatrace version 1.228.136 - fixes for vulnerabilities

Go to solution
leelamoneykanta
Newcomer

‎18 Jan 2022 07:53 AM - last edited on ‎18 Jan 2022 08:26 AM by Community Team

HI ALL,

 

Today we upgraded our dynatrace version to 1.228.136, does this version have any vulnerabilities, i hope fixes are done for his version? In the next few weeks we are going to update 1.230.148

0 Kudos
Reply
5 REPLIES 5

Go to solution
MaciejNeumann
Community Team
Community Team

‎18 Jan 2022 08:30 AM

Hi @leelamoneykanta ,

 

In this article you can check all the updates about the Log4j vulnerability, with status of impact and updates for Dynatrace products:
Log4j vulnerability (Log4Shell) 

 

If you have any questions about the Community, you can contact me at maciej.neumann@dynatrace.com
Reply

Go to solution
Radoslaw_Szulgo
Inactive

‎18 Jan 2022 09:21 AM

Yes, see updated release notes:

https://www.dynatrace.com/support/help/shortlink/release-notes-managed-sprint-228#managed-sprint-228...

 

Update 136 (Build 1.228.136)

This cumulative update contains 4 resolved issue (including 3 vulnerability resolutions) and all previously released updates for the 1.228 release.

Cluster

  • Vulnerability: In response to CVE-2021-44228 and CVE-2021-45046, applied the recommended mitigation measures of removing `org/apache/logging/log4j/core/lookup/JndiLookup.class` from the Log4j library. (APM-342160)
  • Vulnerability: In response to CVE-2021-44832, CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046, applied the recommended mitigation measures of updating the log4j library to the latest version 2.17.1. In Premium HA installations log4j update will take place in near future. (APM-345946)
  • Vulnerability: In response to CVE-2021-44228 (Log4j vulnerability), JVM parameters have been extended for Dynatrace Server and Elasticsearch. (APM-341605)
  • Improved baselining alert sensitivity for Settings 2.0 configurations to ensure appropriate alerting. (APM-341879)
Senior Product Manager,
Dynatrace Managed expert
Reply

Go to solution
fstekelenburg
DynaMight Pro
DynaMight Pro

‎26 Jan 2022 02:08 PM - edited ‎26 Jan 2022 02:09 PM

JndiLookup.class is still part of the updated esshadow7-7.10.0-11.jar, after latest Managed update.
Is this still a concern? It triggers the deep scans of customer's hosting provider

 

/var/opt/dynatrace/managed/server/lib/esshadow7-7.10.0-11.jar | grep JndiLookup
3143 12-27-2021 17:30 org/apache/logging/log4j/core/lookup/JndiLookup.class


Elasticsearch itself removed the class from their updated code:
Introducing 7.16.2 and 6.8.22 releases of Elasticsearch and Logstash to upgrade Apache Log4j2 | Elas... 

Kind regards, Frans Stekelenburg                 Certified Dynatrace Associate | measure.works, Dynatrace Partner
0 Kudos
Reply

Go to solution
Radoslaw_Szulgo
Inactive
In response to fstekelenburg

‎26 Jan 2022 02:30 PM

That's not the Elasticsearch server but our  Dynatrace Server. Specifically this is Elasticsearch client library. The Log4j library used in the Elasticsearch client library (esshadow-7.10.0-x.jar) was not affected by any of the Log4j CVEs and was also updated to 2.17.1 in Dynatrace Managed version 1.228.136.20220113-162730 and greater. 

 

Senior Product Manager,
Dynatrace Managed expert
Reply

Go to solution
fstekelenburg
DynaMight Pro
DynaMight Pro
In response to Radoslaw_Szulgo

‎27 Jan 2022 09:44 AM

Thanks, adding the similar response I received from support with details:

As for the esshadow jar did originally contain the JndiLookup.class file, but future releases will have this removed (Managed 1.234+ will have this removed). However, please note, esshadow does not call the vulnerable code at all. The log4j library bundled in esshadow  is only used in exactly one spot to log an internal class name. No user input is ever logged by this log4j instance. However, if this is still present this can also be removed with the below zip command, followed by a restart of the cluster.

 

zip -q -d <jar-filename> org/apache/logging/log4j/core/lookup/JndiLookup.class
Kind regards, Frans Stekelenburg                 Certified Dynatrace Associate | measure.works, Dynatrace Partner
0 Kudos
Reply
Ask a question

Featured Posts