Hi Enrico, 

Our team is aware and actively investigating this issue. We've released the following statement:

Dynatrace is currently investigating potential exposure of the Log4Shell (CVE-2021-44228) vulnerability. Dynatrace is treating this as a critical vulnerability and follows its incident response procedures. In case Dynatrace identifies an exposure of this vulnerability to our customers, we are going to proactively inform affected customers within the next 72 hours.

Thanks @Enrico_F . Waiting on confirmation for SaaS Customers. I'll post any news we get. 

Hi,

is it possible to use Dynatrace to find all servers/services that use log4j?

we are using Activegate for our Synthetic Monitoring , will our Activegate and other systems were also get impacted and also we are using SaaS tenant.

Hi All,

Does anyone have any updates on this?
Synthetics have log4j2, but what I can't tell is the version that it is running.  -- anyone else ?

Would be good to know what Active Gate versions are affected..

I have not confirmed, yes or no, that Synthetic Activegates are affected.

But looking at the description of the vulnerability, it will only happen if an attacker can inject some malicious code in synthetic measurements being done. I would say that most of the private synthetic use cases that I can imagine are not easily attackable.

For anyone involved, probably one of the best security measures would be cancelling LDAP traffic, or other JNDI related endpoints, out of the organization, in firewalls. Well, that should be something in place by default. It doesn't protect though against internal attackers.  There are other mitigations possible, as referenced in https://logging.apache.org/log4j/2.x/security.html

We have been scanned multiple times from different clients. There are also multiple log4j components in dynatrace managed.

Would be nice to get some feed back one whether the different important flags are set, and whether DT Managed is vulnerable.

Hi, Could someone confirm whether any other component than Synthetic monitoring/Synthetic enabled with Activegate is also impacted because of this issue? Our security team is concerned about ongoing vulnerability. Appreciate if someone from Dynatrace confirm whether Dynatrace SaaS and/or Dynatrace Managed are impacted. Thanks, Suresh.

Thanks for the update @ben_wrightson and @anton_goosen your latest updates puts our team in a comfortable spot ATM 😊 But, please post further updates on this incident as soon as you have. Have a nice weekend!

Yesterday, Dynatrace has also published a blog post on this vulnerability: https://www.dynatrace.com/news/blog/log4j-vulnerability-identifying-and-minimizing-production-risk/  

HI.

elasticsearch has log4j 2.11.

And log4j is loaded in the process.

Restart the service by adding -Dlog4j2.formatMsgNoLookups=true to jvm.options in elasticsearch/config.

https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-es...

HI @Kalle,

According to https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-es..., what I can confirm is Elasticsearch is not susceptible to remote code execution with this vulnerability due to the use of the Java Security Manager.

Hi Nada,

How to check that we use Java Security Manager or is already activated by the module ?

Is the DynaTrace Android Mobile App impacted??

Hi all,

We are not installing active gate 

It does it mean we are not using this module and we are not impacted by the vulnearbility so we can remove the jar file ?

Hi Team, I am seeing log4j 2.15 is also discredited. So, may I know what Dynatrace team suggesting now?
 Please see this page https://github.com/apache/logging-log4j2/blob/release-2.x/src/site/markdown/security.md#history

Older (discredited) mitigation measures

This page previously mentioned other mitigation measures, but we discovered that these measures only limit exposure while leaving some attack vectors open.

The 2.15.0 release was found to still be vulnerable when the configuration has a pattern layout containing a Context Lookup (for example, $${ctx:loginId}), or a Thread Context Map pattern %X, %mdc or %MDC. When an attacker can control Thread Context values, they may inject a JNDI Lookup pattern, which will be evaluated and result in a JNDI connection. Log4j 2.15.0 restricts JNDI connections to localhost by default, but this may still result in DOS (Denial of Service) attacks, or worse.

Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.

The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.

The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar.

Fixed versions of Dynatrace mentioned in official communication:

1.230.127.20211213-130244, 1.228.131.20211213-130253, 1.226.128.20211213-130354
contains same elastic/log4j versions as nonfixed, but with added elastic jvm parameter "-Dlog4j2.formatMsgNoLookups=true".

Hey DnyaMight Pro

This of course is impacting our Managed Cluster Nodes!  We're currently on version 1.230.127.20211213-130244.  Our infosec team would like know if the lower lo4j (2.11) can be removed without causing any impact as our scans will continue to highlight these libraries..

Can the log4j be upgraded?  If so, what are the steps?  

As all official communication about this topic will be done from now on through the article Stefan posted, Dynatrace chat and support tickets, I'm closing this thread for now - as soon as I will get a green light again, it will be reopened (hopefully pretty shortly 🙂)