03 Oct 2022 12:04 PM - edited 31 May 2024 08:16 AM
This is a Self Service Diagnostics article of type Partial-Self-Service.
| Issue | Solution | Tasks | Alternative |
| A Dynatrace component is suspected to be vulnerable. | Get in touch with Support after checking cve-status.dynatrace.com | | Search CVE-# within the Release Notes |
Work with your Security Team to provide the following Self Service Diagnostics:
Scan and report security findings for the latest version of the Dynatrace component.
We officially support many versions of OneAgent, ActiveGate, Operator, etc. but our development teams will not re-release an old version, unless there is evidence that we are indeed affected by a vulnerability, or the vulnerability is highly severe and we cannot rule out the likelihood of practical exploitation.
CVEs related to operating system components (curl, glibc, gnutls, etc.) can only be fixed by updating the used container base images. We do not maintain these base images ourselves but use minimal and hardened base images from external publishers.
When scanning Dynatrace container images for vulnerabilities, perform security checks on the static, non-running image.
Some scanning appliances collect insights from running container workloads. The problem with this type of dynamic check is that scanners often cannot distinguish whether a security problem actually affects our image or the environment it is running in. Our development teams cannot make statements about CVEs that relate to components outside of our control and it is the customer’s responsibility to ensure that they are up to date.
If scanning tools are technically limited to checking only running container workloads, it is crucial that customers triage found CVEs upfront and filter out any items that have no obvious connection to OneAgent, ActiveGate, or Operator in their respective file paths.
Dynatrace assets are typically located in paths such as /opt/dynatrace, /var/lib/dynatrace or /var/log/dynatrace.
Check whether the affected component is governed by a Dynatrace setting that is managed on your (customer) side, e.g. ActiveGate or Managed certificates are managed by the customer. See also: VA scan shows insecure cipher / certificate
Check if a newer version of Dynatrace OneAgent, ActiveGate, Operator, etc. is available. If yes, update and then repeat the scan process.
To check the status of individual CVEs, see if a statement is available on https://cve-status.dynatrace.com
When reporting CVEs for scanned container images, it is important to provide an exact image identifier (where it was downloaded from), to indicate which version was scanned, and which scanner was used.
Note that latest is not a valid version. It is a tag that always references the newest version and is reset whenever a new release is published.
Dynatrace Operator downloads OneAgent. CVE findings related to OneAgent are often falsely reported as impacting DT Operator. A good indicator to spot that findings are related to OneAgent is if the scanned image also includes an identifier such as linux/oneagent.
If Dynatrace Operator is used, you can refer to its Software Bill of Materials (SBOM) to obtain a list of all components included in the image. Only CVE findings that relate to one of the shipped components can potentially be handled by Dynatrace.
For other assets, you can find the components in the corresponding open source report file provided in our Trust Center.
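The triage steps above (filtering running-workload findings by whether their file path points at a Dynatrace asset, using the linux/oneagent identifier to recognise OneAgent findings, and reporting an exact, non-latest image identifier together with the scanner used) as a small triage script. This is an added example, not code from the article or from Dynatrace: the scanner-output shape, the image references and the CVE ids are constructed placeholders; only the three path prefixes are taken from the article.

```python
"""Triage container-scan findings before reporting them for a Dynatrace image.

Assumptions (not from the article): scanner output is modelled as Finding
records with cve/package/path/severity fields, image references are
constructed, and the CVE ids are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Path prefixes the article names as typical locations of Dynatrace assets.
DYNATRACE_PATH_PREFIXES = ("/opt/dynatrace", "/var/lib/dynatrace", "/var/log/dynatrace")


@dataclass(frozen=True)
class Finding:          # assumed scanner record shape
    cve: str
    package: str
    path: str
    severity: str


@dataclass(frozen=True)
class ImageRef:
    repository: str
    tag: str | None
    digest: str | None


_IMAGE_RE = re.compile(
    r"^(?P<repo>(?:[^/:@]+(?::\d+)?/)?[^:@]+)"   # optional host[:port]/ then repo path
    r"(?::(?P<tag>[^@]+))?"                      # optional :tag
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"    # optional @sha256:<hex digest>
)


def parse_image_ref(ref: str) -> ImageRef:
    """Split an OCI-style reference into repository, tag and digest."""
    m = _IMAGE_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    return ImageRef(m.group("repo"), m.group("tag"), m.group("digest"))


def is_reportable_image_ref(ref: str) -> bool:
    """True only if the reference pins a concrete version: a digest, or a tag
    other than 'latest' (which the article says is not a valid version)."""
    parsed = parse_image_ref(ref)
    if parsed.digest:
        return True
    return parsed.tag is not None and parsed.tag != "latest"


def likely_oneagent_finding(ref: str) -> bool:
    """The article's hint: 'linux/oneagent' in the scanned image identifier
    means the finding belongs to OneAgent, not to the Operator."""
    return "linux/oneagent" in ref


def is_dynatrace_path(path: str) -> bool:
    """Path-based filter for running-workload scans: keep only files that sit
    under one of the Dynatrace asset directories."""
    norm = "/" + path.lstrip("/")   # scanners differ on the leading slash
    return any(norm == p or norm.startswith(p + "/") for p in DYNATRACE_PATH_PREFIXES)


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Split findings into those with a Dynatrace path (worth raising with
    Support) and those owned by the surrounding environment."""
    buckets: dict[str, list[Finding]] = {"dynatrace": [], "environment": []}
    for f in findings:
        buckets["dynatrace" if is_dynatrace_path(f.path) else "environment"].append(f)
    return buckets


def build_report(findings: list[Finding], image_ref: str, scanner: str) -> dict:
    """Assemble what the article asks for in a report: exact image identifier,
    the scanned version, the scanner used, and the triaged CVE lists."""
    parsed = parse_image_ref(image_ref)
    buckets = triage(findings)
    return {
        "image": image_ref,
        "version": parsed.digest or parsed.tag,
        "version_is_concrete": is_reportable_image_ref(image_ref),
        "scanner": scanner,
        "oneagent_hint": likely_oneagent_finding(image_ref),
        "report_to_dynatrace": [f.cve for f in buckets["dynatrace"]],
        "customer_environment": [f.cve for f in buckets["environment"]],
    }


# Constructed sample input: a placeholder registry and placeholder CVE ids.
SAMPLE_IMAGE = "registry.example.com/dynatrace/dynatrace-operator:1.2.3"
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "oneagent-libs", "/opt/dynatrace/oneagent/agent/lib64/liboneagent.so", "high"),
    Finding("CVE-0000-0002", "glibc", "/usr/lib64/libc.so.6", "critical"),
    Finding("CVE-0000-0003", "oneagent-log", "var/log/dynatrace/oneagent/agent.log", "low"),
    Finding("CVE-0000-0004", "curl", "/usr/bin/curl", "medium"),
]

if __name__ == "__main__":
    for key, value in build_report(SAMPLE_FINDINGS, SAMPLE_IMAGE, "constructed-scanner").items():
        print(f"{key}: {value}")
```

The script rejects a bare repository or a :latest tag as a reportable version, keeps a digest as the strongest identifier, and drops findings whose path has no obvious connection to a Dynatrace directory, which is exactly the pre-filtering the article asks for when only running workloads can be scanned.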
This is great.
Please update to add CVE-2023-6597 which is not on the list. FYI... I did put in a ticket for this first. Feel free to email me and I can share ticket.