on 17 Apr 2024 04:11 PM - edited on 17 Apr 2024 04:12 PM by HannahM
Some customers have detected exposure to the "LUCKY13 Vulnerability attack" in their VA scans for our Managed component.
Also known as CVE-2013-0169, this vulnerability has been analyzed and fixed.
We are not affected; there is no risk that “Lucky13” can be exploited on our systems.
| Issue | Solution | Tasks | Alternative(s) |
| --- | --- | --- | --- |
| LUCKY13 Vulnerability attack | We are not affected. | Check the information below and explain it to your Security Team. | The implementations used by Dynatrace are all up to date and contain the corresponding patches. Please submit a Support ticket if you have additional questions or concerns. |
The use of cipher suites for TLS that operate in CBC mode can be considered an issue if the underlying implementation is not protected against this kind of attack.
The “Lucky13” timing attack was found in 2013 and, as also stated in the NVD entry for CVE-2013-0169, has since been mitigated in several libraries such as OpenSSL, PolarSSL, Mozilla NSS, GnuTLS, and BouncyCastle, and in basically all other industry-relevant libraries used for cryptographic purposes.
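When walking a security team through a scan finding, it helps to show which of the reported cipher suites actually run in CBC mode, since OpenSSL-style suite names do not spell the mode out. The Python sketch below is an added example, not Dynatrace code; the function names are hypothetical and the suite list is constructed sample input.

```python
import re

# Substrings that mark an AEAD suite in both IANA and OpenSSL naming.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")
# Block ciphers; in TLS these run in CBC mode unless an AEAD marker is present.
BLOCK_CIPHERS = ("AES", "CAMELLIA", "3DES", "DES", "SEED", "IDEA", "ARIA")

def cipher_mode(suite):
    """Classify a TLS cipher suite name as aead, cbc, stream, null or unknown."""
    name = suite.strip().upper()
    tokens = re.split(r"[-_]", name)
    if any(marker in name for marker in AEAD_MARKERS):
        return "aead"
    if "CBC" in tokens or "CBC3" in tokens:   # IANA names, OpenSSL DES-CBC3-SHA
        return "cbc"
    if "RC4" in tokens:
        return "stream"
    if "NULL" in tokens:
        return "null"
    # OpenSSL names such as ECDHE-RSA-AES128-SHA omit the mode: it is CBC.
    if any(tok.startswith(BLOCK_CIPHERS) for tok in tokens):
        return "cbc"
    return "unknown"

def group_by_mode(suites):
    """Group suite names from a scan report by cipher mode."""
    groups = {}
    for suite in suites:
        groups.setdefault(cipher_mode(suite), []).append(suite)
    return groups

# Constructed sample: suite names as a VA scan report might list them.
SAMPLE_SCAN = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-SHA384",
    "AES128-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DES-CBC3-SHA",
]

if __name__ == "__main__":
    for mode, names in group_by_mode(SAMPLE_SCAN).items():
        print(f"{mode}: {', '.join(names)}")
```

A suite in the `cbc` group only shows why a scanner raised the finding; as stated above, it is an issue only when the underlying TLS implementation lacks protection against this kind of attack.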