22 Dec 2021 06:29 AM - last edited on 03 Jan 2022 12:09 PM by MaciejNeumann
Has the following update been made available? If not, when can we expect it?
Please note that the Dynatrace Managed versions listed below still include the vulnerable Log4j library file (/opt/dynatrace-managed/elasticsearch/lib/log4j-core-2.11.1.jar) due to the usage of Elasticsearch. Dynatrace has applied the recommended mitigation measures of removing the org/apache/logging/log4j/core/lookup/JndiLookup.class from the Log4j library. This fully mitigates CVE-2021-44228 and CVE-2021-45046.
An upgrade of Elasticsearch which uses an updated Log4j library is planned.
22 Dec 2021 08:36 AM
Hi @osadmin, yes, that update is available.
Please take a look at the official security alert article related to the Log4j vulnerabilities, here:
https://www.dynatrace.com/news/security-alert/log4shell-log4j-vulnerability/
I believe it will answer all your questions, as it lists all the detected vulnerabilities and Dynatrace's response to each, including the updated versions of all affected components.
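
The mitigation quoted in the question (removing `JndiLookup.class` from the Log4j jar) can be verified by listing the archive contents. The sketch below is an added example, not part of the thread and not Dynatrace code; it goes slightly beyond the quoted notice by also looking inside nested archives, and the function names, size limit and sample jars are constructed for illustration.

```python
import io
import zipfile

# Class path named in the vendor notice quoted in the question.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTED_BYTES = 64 * 1024 * 1024  # assumed cap; skip oversized nested archives


def find_jndi_lookup(data, label="archive", depth=0, max_depth=4):
    """Return 'outer!/inner' locations where JndiLookup.class is still present."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name == JNDI_CLASS:
                hits.append(f"{label}!/{name}")
            elif (name.lower().endswith(ARCHIVE_SUFFIXES)
                  and depth < max_depth and info.file_size <= MAX_NESTED_BYTES):
                # Archives can embed other archives (fat jars), so recurse.
                hits += find_jndi_lookup(zf.read(name), f"{label}!/{name}",
                                         depth + 1, max_depth)
    return hits


def build_jar(entries):
    """Constructed sample data: build an in-memory jar from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (placeholder bytes, not real class files).
OTHER = "org/apache/logging/log4j/core/Logger.class"
UNMITIGATED = build_jar({JNDI_CLASS: b"stub", OTHER: b"stub"})
MITIGATED = build_jar({OTHER: b"stub"})
NESTED = build_jar({"lib/log4j-core.jar": UNMITIGATED, "app/Main.class": b"stub"})

if __name__ == "__main__":
    for label, blob in [("unmitigated.jar", UNMITIGATED),
                        ("mitigated.jar", MITIGATED), ("bundle.jar", NESTED)]:
        hits = find_jndi_lookup(blob, label)
        print(label, "STILL PRESENT:" if hits else "class removed", *hits)
```

To check a real file, pass its bytes and a label, for example the contents of the `log4j-core-2.11.1.jar` path quoted in the question; an empty result means the class is absent from that archive.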