stefanie_pachne
Dynatrace Organizer

This is a Self Service Diagnostics article of type Partial-Self-Service.


Self Service Summary

Issue: A Dynatrace component is suspected to be vulnerable.

Solution: Get in touch with Support after checking cve-status.dynatrace.com.

Tasks:

  1. Check the Dynatrace CVE (Common Vulnerabilities and Exposures) status page at cve-status.dynatrace.com for summaries of known vulnerabilities and exposures in Dynatrace components.

  2. If no one else has reported the problem, create a support ticket.

    1. Gather the information listed below together with your security team.
    2. Consider the best practices listed below for scanning a Dynatrace component.
    3. Consider the tips for after scanning and before reporting scan results to Dynatrace, so that the issue can be resolved quickly.
    4. Create the ticket using this link.

Alternative: Search for the CVE-# within the Release Notes.


Support Ticket Content

Work with your Security Team to provide the following Self Service Diagnostics:

  1. Dynatrace component: Which component, including its version, is suspected to be vulnerable (e.g. SaaS 1.240, Managed 1.240, OneAgent 1.240, ActiveGate 1.239, Dynatrace API 1.240, Cloud Automation 240.1.0)
  2. Vulnerability source and details: Describe how the vulnerability was found and attach if applicable:
    • CVE-#
    • Tool/scanner name
    • Path to the affected library
    • Complete report/test result
    • How to reproduce the security concern/pentest (e.g. attack vector, exploit)
    • Severity level or CVSS
  3. Required update: As a customer, I want to know e.g.
    • If I am affected
    • How I am affected
    • If it is of high severity
    • In which version it will be fixed
    • When the fix version will be available

What / how to scan

  • Scan and report security findings for the latest version of the Dynatrace component.

    • We officially support many versions of OneAgent, ActiveGate, Operator, etc. but our development teams will not re-release an old version, unless there is evidence that we are indeed affected by a vulnerability, or the vulnerability is highly severe and we cannot rule out the likelihood of practical exploitation.

    • CVEs related to operating system components (curl, glibc, gnutls, etc.) can only be fixed by updating the used container base images. We do not maintain these base images ourselves but use minimal and hardened base images from external publishers.

  • When scanning Dynatrace container images for vulnerabilities, perform security checks on the static, non-running image.

    • Some scanning appliances collect insights from running container workloads. The problem with this type of dynamic check is that scanners often cannot distinguish whether a security problem actually affects our image or the environment it is running in. Our development teams cannot make statements about CVEs that relate to components outside of our control and it is the customer’s responsibility to ensure that they are up to date.

    • If scanning tools are technically limited to checking only running container workloads, it is crucial that customers triage found CVEs upfront and filter out any items that have no obvious connection to OneAgent, ActiveGate, or Operator in their respective file paths.

      • Dynatrace assets are typically located in paths such as /opt/dynatrace, /var/lib/dynatrace or /var/log/dynatrace.

What to check after the scan

  • Check whether the affected component is governed by a Dynatrace setting on your (the customer's) side, e.g. ActiveGate or Managed certificates are managed by you, not by Dynatrace. See also: 

  • Check if a newer version of Dynatrace OneAgent, ActiveGate, Operator, etc. is available. If yes, update and then repeat the scan process.

  • To check the status of individual CVEs, see whether a statement is available on https://cve-status.dynatrace.com

  • When reporting CVEs for scanned container images, it is important to provide an exact image identifier (where it was downloaded from), to indicate which version was scanned, and which scanner was used.

    • Note that latest is not a valid version. It is a tag that always references the newest version and is reset whenever a new release is published.

  • Dynatrace Operator downloads OneAgent. CVE findings related to OneAgent are often falsely reported as impacting DT Operator. A good indicator to spot that findings are related to OneAgent is if the scanned image also includes an identifier, such as linux/oneagent.

  • If Dynatrace Operator is used, you can refer to its Software Bill of Materials (SBOM) to obtain a list of all components included in the image. Only CVE findings that relate to one of the shipped components can potentially be handled by Dynatrace.

  • For other assets, you can find the components in the corresponding open source report file provided in our Trust Center.
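As an added illustration of the triage and reporting rules above (not part of the original article and not a Dynatrace tool), the following Python helper keeps only findings whose affected path lies under the Dynatrace asset directories, rejects a latest or missing tag as an image identifier, and flags images whose reference contains linux/oneagent as OneAgent rather than Operator findings. The findings and image references are constructed samples.

```python
"""Triage helper for container-image scan findings on Dynatrace images.

Constructed example: a finding is a dict with 'cve', 'path' and 'severity';
an image reference is 'name:tag' or 'name@sha256:<digest>'.
"""

# Paths where Dynatrace assets are typically located (from the article).
DYNATRACE_PATHS = ("/opt/dynatrace", "/var/lib/dynatrace", "/var/log/dynatrace")

# Constructed sample findings, not real scanner output; CVE ids are placeholders.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "path": "/opt/dynatrace/oneagent/agent/lib64/libexample.so", "severity": "HIGH"},
    {"cve": "CVE-0000-0002", "path": "/usr/lib/x86_64-linux-gnu/libc.so.6", "severity": "CRITICAL"},
    {"cve": "CVE-0000-0003", "path": "/var/lib/dynatrace/oneagent/datastorage/example.db", "severity": "LOW"},
]


def is_dynatrace_path(path):
    """True if the affected file sits under one of the Dynatrace asset paths."""
    return any(path == p or path.startswith(p + "/") for p in DYNATRACE_PATHS)


def check_image_ref(image_ref):
    """Return (ok, reason). A digest or a concrete version tag is an exact
    identifier; 'latest' or no tag at all is not, because 'latest' moves."""
    if "@sha256:" in image_ref:
        return True, "pinned by digest"
    _name, sep, tag = image_ref.rpartition(":")
    # A ':' inside a path component is a registry port, not a tag.
    if not sep or "/" in tag or tag == "latest":
        return False, "tag 'latest' or no tag: not a valid version, report a version tag or digest"
    return True, "version tag " + tag


def likely_oneagent(image_ref):
    """Operator only downloads OneAgent; findings from an image whose reference
    contains linux/oneagent relate to OneAgent, not to Dynatrace Operator."""
    return "linux/oneagent" in image_ref


def triage(image_ref, findings):
    """Split findings into ones to report to Dynatrace (asset path) and ones
    to attribute to the environment or base image instead."""
    report, environment = [], []
    for finding in findings:
        (report if is_dynatrace_path(finding["path"]) else environment).append(finding)
    return {"report": report, "environment": environment,
            "oneagent": likely_oneagent(image_ref),
            "image_ref_ok": check_image_ref(image_ref)[0]}
```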

Version history
Last update: 31 May 2024 08:16 AM
Comments
ChadTurner
DynaMight Legend

Great template, thanks @stefanie_pachne