Log4j vulnerability (Log4Shell)

Update from Jan 18, 2022:

Updates for Dynatrace Managed that fix CVE-2021-44832 in addition to CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046 by updating the Log4j library used by Elasticsearch to 2.17.1 are available. Please see details below.

Update from Jan 14, 2022:

Updates to Dynatrace SaaS that fix CVE-2021-44832 in addition to CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046 were applied.

Updates for Dynatrace Synthetic locations that fix CVE-2021-44832 in addition to CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046 are available. Please see details below.

All affected Dynatrace extensions have been updated to fix CVE-2021-44832, CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046. See details below.

An update to Dynatrace Managed which updates the Log4j library used by Elasticsearch to 2.17.1 is currently in development and scheduled for release in the coming days.

Update from Dec 29, 2021:

Dynatrace is aware of the latest Log4j related vulnerability CVE-2021-44832 with CVSS 6.6 (Medium).

Based on the results of our investigations, successful exploitation of this vulnerability requires high attack complexity (an attacker must be able to modify the logging configuration to use a JDBC Appender with a JNDI-referenced data source), and no indicator of compromise has been found.

Nevertheless, we are working on the appropriate measures for our services which will include upgrading to the fixed version of Log4j.

Update from Dec 23, 2021:

The latest updates of all Dynatrace components and the versions listed below include fixes for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

Updates for Dynatrace Synthetic locations that fix CVE-2021-45105 in addition to CVE-2021-44228 and CVE-2021-45046 are available. Please see details below.

Updates for Dynatrace FedRAMP that fix CVE-2021-45105 in addition to CVE-2021-44228 and CVE-2021-45046 were applied.

Update from Dec 21, 2021:

Updates to Dynatrace SaaS which fix CVE-2021-45105 in addition to CVE-2021-44228 and CVE-2021-45046 were applied.

Dynatrace Managed is not affected by CVE-2021-45105. Its logging configuration uses the default pattern layout. The denial of service (DoS) described in CVE-2021-45105 can only be triggered if a non-default logging configuration is used, specifically a PatternLayout that contains a Context Lookup such as $${ctx:loginId}, which is not the case in Dynatrace Managed installations.

All affected Dynatrace extensions have been updated to fix CVE-2021-45105 in addition to CVE-2021-44228 and CVE-2021-45046. See details below.

Updates for Dynatrace Synthetic locations that fix CVE-2021-45105 are in progress.

Updates for Dynatrace FedRAMP that fix CVE-2021-45105 are in progress.

Update from Dec 20, 2021:

[Update from 17:00 UTC]

Dynatrace is aware of the third Log4j related vulnerability CVE-2021-45105 and is currently assessing the impact and is applying updates.

[Update from 8:00 UTC]

Updates to Dynatrace FedRAMP which fix both CVE-2021-44228 and CVE-2021-45046 were applied.

The latest updates of all Dynatrace components and the versions listed below include fixes for both CVE-2021-44228 and CVE-2021-45046.

Update from Dec 17, 2021:

[Update from 13:30 UTC]

CVE-2021-45046 has been re-rated from CVSS 3.7 (Low) to CVSS 9.0 (Critical). This does not change the status of the Dynatrace components listed below: those that include the fix for CVE-2021-45046 remain not susceptible to it.

[Update from 10:00 UTC]

Updates for Dynatrace Managed are available that fix both CVE-2021-44228 and CVE-2021-45046. Please see details below.

Please note that the Dynatrace Managed versions listed below still include the vulnerable Log4j library file (/opt/dynatrace-managed/elasticsearch/lib/log4j-core-2.11.1.jar) due to the usage of Elasticsearch. Dynatrace has applied the recommended mitigation measures of removing the org/apache/logging/log4j/core/lookup/JndiLookup.class from the Log4j library. This fully mitigates CVE-2021-44228 and CVE-2021-45046.
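As a practitioner-side check for the interim mitigation described above, the following is an added example, not Dynatrace code and not part of any product on this page. It inspects a jar for a bundled log4j-core (keyed on the package prefix, so shaded jars such as the Elasticsearch one are found too), maps the version to the four Log4j CVEs using Apache's fixed releases (2.15.0/2.16.0/2.17.0/2.17.1 on the main line, 2.12.2/2.12.3/2.12.4 and 2.3.1/2.3.2 on the Java 7 and Java 6 backport lines), and removes JndiLookup.class from the jar the same way. The sample jars it builds are constructed fixtures with dummy class bodies; only numeric 2.x release versions are classified.

```python
"""Find a bundled log4j-core in a jar, map its version to the four Log4j CVEs, and
strip JndiLookup.class as the advisory describes for Elasticsearch's
log4j-core-2.11.1.jar.  Assumes numeric 2.x release versions; the jars that
build_sample_dir() creates are constructed fixtures with dummy class bodies."""
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")
# Removing JndiLookup.class covers only the JNDI-lookup CVEs; the context-lookup
# recursion (45105) and the JDBC-appender JNDI path (44832) live elsewhere.
JNDI_LOOKUP_CVES = {"CVE-2021-44228", "CVE-2021-45046"}
# First fixed version per CVE: main 2.x line, Java 7 (2.12.x) and Java 6 (2.3.x)
# backport lines, as released by Apache.
FIXES = {
    "CVE-2021-44228": ((2, 15, 0), (2, 12, 2), (2, 3, 1)),
    "CVE-2021-45046": ((2, 16, 0), (2, 12, 2), (2, 3, 1)),
    "CVE-2021-45105": ((2, 17, 0), (2, 12, 3), (2, 3, 1)),
    "CVE-2021-44832": ((2, 17, 1), (2, 12, 4), (2, 3, 2)),
}

def parse_version(text):
    """Dotted numeric version from a file name or pom.properties line, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def cves_for_version(version):
    """CVEs still open for a log4j-core 2.x version tuple, in FIXES order."""
    if version is None or version[0] != 2:
        return []
    line = {(2, 12): 1, (2, 3): 2}.get(version[:2], 0)  # pick the backport column
    return [cve for cve, fixed_in in FIXES.items() if version < fixed_in[line]]

def residual_cves(version, has_jndi_lookup):
    """What remains after accounting for a stripped JndiLookup.class."""
    cves = cves_for_version(version)
    return cves if has_jndi_lookup else [c for c in cves if c not in JNDI_LOOKUP_CVES]

def inspect_jar(path):
    """(version, has_jndi_lookup, residual CVEs) for a jar that bundles log4j-core,
    else None.  Detection keys on the package prefix, so shaded jars are found too."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if not any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            return None
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line)
    if version is None:  # fall back to the file name, e.g. log4j-core-2.11.1.jar
        version = parse_version(os.path.basename(path))
    has_jndi = JNDI_CLASS in names
    return version, has_jndi, residual_cves(version, has_jndi)

def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class; True if the entry was removed."""
    tmp, removed = path + ".tmp", False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
            else:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, path)
    return removed

def build_sample_dir():
    """Constructed fixture: vulnerable 2.11.1, fixed 2.17.1, and an unrelated jar."""
    root = tempfile.mkdtemp()
    def write_jar(name, entries):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            for entry, data in entries:
                zf.writestr(entry, data)
    core = ("org/apache/logging/log4j/core/LogEvent.class", b"\xca\xfe\xba\xbe")
    write_jar("log4j-core-2.11.1.jar",
              [(POM_PROPS, "version=2.11.1\n"), core, (JNDI_CLASS, b"\xca\xfe\xba\xbe")])
    write_jar("log4j-core-2.17.1.jar", [(POM_PROPS, "version=2.17.1\n"), core])
    write_jar("unrelated.jar", [("com/example/App.class", b"\xca\xfe\xba\xbe")])
    return root

if __name__ == "__main__":
    root = build_sample_dir()
    for name in sorted(os.listdir(root)):
        print(name, inspect_jar(os.path.join(root, name)))
    strip_jndi_lookup(os.path.join(root, "log4j-core-2.11.1.jar"))
    print("after strip:", inspect_jar(os.path.join(root, "log4j-core-2.11.1.jar")))
```

After JndiLookup.class is stripped, the 2.11.1 jar is still reported for CVE-2021-45105 and CVE-2021-44832, which is exactly the residual that the later Elasticsearch upgrade to Log4j 2.17.1 closes. A scanner that looks only at the version string keeps flagging the class-stripped jar for CVE-2021-44228, so check for the class as well as the version; conversely, the file-name fallback is unreliable for shaded jars, so prefer the bundled pom.properties when it is present.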

An upgrade of Elasticsearch which uses an updated Log4j library is planned.

Update from Dec 16, 2021:

Updated Private Synthetic locations (Synthetic-enabled ActiveGates) that fix both CVE-2021-44228 and CVE-2021-45046 are available. Please see details below.

Updates to Dynatrace SaaS which fix both CVE-2021-44228 and CVE-2021-45046 were applied.

Update from Dec 15, 2021:

A new CVE for the Log4j library, CVE-2021-45046, was published on December 14, 2021 with low severity (CVSS 3.7 at the time of publication). Dynatrace is currently applying further updates to its software components to address this vulnerability. Please note that this particular vulnerability is currently considered to have no impact on the integrity or confidentiality of customer data.

Summary

The Dynatrace team has been actively reviewing the recently published Log4j vulnerability CVE-2021-44228 (‘Log4Shell’) (NVD).

Dynatrace currently considers the risk of this vulnerability to the Dynatrace offering to be low, as a result of how Dynatrace uses Log4j and the layered security in the Dynatrace offering. Dynatrace has updated the offering with the recommended fixes and mitigations and continues to evaluate further ones. The majority of the current fixes and mitigations have been applied automatically to all customers. We actively encourage customers that do not accept automatic updates to apply the available updates.

Dynatrace is also actively working with our vendors to rapidly assess and mitigate any risk associated with this vulnerability.

To date, Dynatrace has seen no evidence that this vulnerability has been exploited within any internal systems. Dynatrace Application Security continuously validates that any occurrence of the vulnerable Log4j library is immediately detected and remediated on all production nodes.

We will continue to assess the situation and provide further status updates on this page.

Status of impact and updates for Dynatrace products

Dynatrace SaaS

Fully updated* to mitigate CVE-2021-44832, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Dynatrace FedRAMP

Fully updated* to mitigate CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Dynatrace Managed

Fully updated*** to mitigate CVE-2021-44832, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 by updating the Log4j library used by Elasticsearch to 2.17.1.

Updated*** versions that mitigate CVE-2021-44832, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

  • All versions >= 1.230.148
  • 1.230.148.20220113-162755
  • 1.228.136.20220113-162730
  • 1.226.132.20220113-162737
  • 1.224.103.20220117-113753

The Log4j library used in the Elasticsearch client library (esshadow-7.10.0-x.jar), which was not affected by any of the Log4j CVEs, was also updated to 2.17.1 in Dynatrace Managed versions >= 1.230.148.

Dynatrace Synthetic:

Public Synthetic locations

Fully updated*** to mitigate CVE-2021-44832, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Private Synthetic locations (Synthetic-enabled ActiveGate)

Dynatrace Private Synthetic locations are not affected by CVE-2021-45105. The denial of service (DoS) described in CVE-2021-45105 can only be triggered if a non-default logging configuration is used in which a PatternLayout contains a Context Lookup (for example $${ctx:loginId}), so that attacker-controlled Thread Context Map data is evaluated by the lookup engine. Dynatrace Private Synthetic locations do not use Context Lookups to resolve any data from outside the application.

Updated*** versions that mitigate CVE-2021-44832, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

The versions listed below are available for SaaS customers. They are also available for Managed customers and can be requested by reaching out using in-product assistance from within the Dynatrace environment, or by opening a Ticket in the Support-Portal. Please note that Dynatrace Private Synthetic locations are not affected by CVE-2021-45105 as described above. This update patches the Log4j library to version 2.17.1 to eliminate the finding from vulnerability scans.

  • All versions >= 1.231.45
  • 1.231.45.20220111-140719
  • 1.229.54.20220112-200453
  • 1.227.34.20220112-200443
  • 1.225.32.20220112-200623
  • 1.223.35.20220112-200701

Updated*** versions that mitigate CVE-2021-44228, CVE-2021-45046

The versions listed below are available for SaaS and Managed customers.

  • All versions >= 1.229.51
  • 1.229.51.20211215-102541
  • 1.227.32.20211215-101359
  • 1.225.30.20211215-102023
  • 1.223.33.20211215-142023

Mitigation for older versions:

A mitigation guideline for customers that cannot upgrade to the versions listed above is available by reaching out using in-product assistance from within the Dynatrace environment, or by opening a ticket in the Support-Portal.

Dynatrace OneAgent

Not affected

Dynatrace ActiveGate

Not affected in default configuration.

Affected only if Dynatrace Private Synthetic locations are being used (see above).

Dynatrace Extensions

Updated*** versions that mitigate CVE-2021-44832, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

  • Custom database query ActiveGate Extension
    • Affected versions: 3.0 – 3.0.7
    • Updated versions: >=3.0.8
  • Salesforce event stream ActiveGate Extension
    • Affected versions: 1.0 – 1.024
    • Updated versions: >=1.025
  • WebMethods Universal Messaging OA Extension
    • Affected versions: 1.0 – 1.006
    • Updated versions: >=1.007
  • IBM MQ ActiveGate Extension
    • Affected versions: 2.020.3 – 2.020.10
    • Updated versions: >=2.020.11

Legend

* … The vulnerable Log4j library was upgraded and the mitigation recommendations were implemented
** … Mitigation recommendations were implemented
*** … The vulnerable Log4j library was upgraded

Next steps

If you have any further questions, please reach out to Dynatrace using in-product assistance from within the Dynatrace environment, or by opening a ticket in the Support-Portal.

Read our blog to learn best practices for identifying Log4Shell and minimizing risk in your environment: Log4Shell vulnerability: Identifying and minimizing production risk

Notice

This document is provided on an “as is” basis, with no express or implied warranties. Some of the information provided may come from third parties. Your use of the information in the document or materials linked from the document is at your own risk. Dynatrace reserves the right to change or update this document without notice at any time. Dynatrace expects to update this document as new information becomes available.

Get article updates or report security vulnerabilities

Dynatrace takes a proactive approach in communicating security vulnerability information to customers. Learn more about Dynatrace security and our security policy. To report a security issue, email security@dynatrace.com.
