DC RUM and NAM security alerts

This is a summary of certain security alerts and a statement of whether (and how) they could affect Dynatrace DC RUM/NAM components.

  • Follow the links for details.
  • The page will be updated as changes are made to patch our systems, as well as when new vulnerabilities are detected and become public knowledge.
Each entry below names the vulnerability, states whether NAM components are affected, and gives the details.
Oracle Java SE (July 2017): CVE-2017-10111, CVE-2017-10110, CVE-2017-10107, CVE-2017-10102, CVE-2017-10101, CVE-2017-10096, CVE-2017-10090, CVE-2017-10089, CVE-2017-10087, CVE-2017-10086 and more
Affected? Yes

Oracle Critical Patch Update Advisory - July 2017

The Java 8 Run-Time Environment (JRE), a third-party Oracle component embedded in the NAM server components (CAS, ADS, RUM Console, CSS), is exposed to multiple security vulnerabilities. Oracle's Critical Patch Update Advisory for July 2017 contains 32 new security fixes across multiple Java SE products and sub-products. The affected Oracle JRE versions are Java 6 update 151, Java 7 update 141 and Java 8 update 131; Java 8 update 131 is the build used in DC RUM 12.4 and 2017. Oracle released Java 8 update 141 to resolve these issues. See Supported Java builds.
  • 12.04.14 (Release 12.4 Service Pack 14), released in August 2017, contains Java 8 update 144.
  • 17.00.02 (Release 2017 Service Pack 2), planned for September/October 2017, will include Java 8 update 144 (or newer).
Java on AMD: AMD uses the Java 1.8 package installed from the RHEL repositories; there is no Java build embedded in the AMD code. To update Java 1.8 on AMD, run yum update java to obtain the latest Java 1.8 build available from Red Hat. Refer to RHSA-2017:1789 for details.
Stack Guard (aka Stack Clash): CVE-2017-1000364 (kernel), CVE-2017-1000366 (glibc), CVE-2017-1000367 (sudo)
Affected? No

Red Hat Product Security has been made aware of a vulnerability affecting Linux systems that allows privilege escalation. This class of flaws concerns the way the stack is allocated in memory for user-space binaries. The vulnerabilities have been assigned CVE-2017-1000364 (kernel), CVE-2017-1000366 (glibc) and CVE-2017-1000367 (sudo) and have been rated Important by the Red Hat Product Security Team. Note: because there are several possible exploitation paths, customers must apply both sets of patches (kernel and glibc) and reboot the system to remediate this issue. The new RHEL kernels issued by Red Hat to address this security flaw:
  • kernel-3.10.0-514.21.2.el7.x86_64 on RHEL 7 and
  • kernel-2.6.32-696.3.2.el6.x86_64 on RHEL 6
were QA tested by Dynatrace and certified for use with:
  • AMD release 12.4.13
  • AMD May 2017 release (17.00.00)
Important: Customers running older 12.4.x AMD versions must upgrade the AMD software to release 12.4.13 before upgrading the RHEL kernel. Failing to do so may result in custom driver compilation errors after rebooting into the new kernel.
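A readiness check for the two ordered steps this entry requires, added here as an example (it is not Dynatrace tooling): it parses a RHEL kernel release string as printed by uname -r or rpm -q kernel, compares it tuple-wise against the certified build for that RHEL major, and refuses to recommend the kernel update while the AMD is still below 12.4.13. The certified kernel strings are the two listed above; the AMD version strings and the plan messages are this example's own assumptions. It checks the kernel only; the glibc and sudo errata the note also requires are not covered.

```python
import re

# Kernel builds the page lists as QA-tested and certified by Dynatrace, per RHEL major.
CERTIFIED_KERNELS = {
    7: "3.10.0-514.21.2.el7.x86_64",
    6: "2.6.32-696.3.2.el6.x86_64",
}

# AMD release that must be installed before the new kernel (assumed version format "12.4.13").
MIN_AMD_FOR_NEW_KERNEL = (12, 4, 13)

# <version>-<release>.el<major>..., e.g. 3.10.0-514.21.2.el7.x86_64 or 2.6.32-642.el6.x86_64
KERNEL_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)\.el(\d+)")


def parse_kernel(release):
    """Split a RHEL kernel release string into (version tuple, release tuple, RHEL major).
    Returns None when the string is not in the RHEL kernel naming scheme."""
    m = KERNEL_RE.match(release)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(1).split("."))
    rel = tuple(int(x) for x in m.group(2).split("."))
    return version, rel, int(m.group(3))


def kernel_is_patched(release):
    """True if `release` is at least the certified Stack Clash kernel for its RHEL major.
    Tuple comparison gives the RPM ordering needed here:
    3.10.0-514.26.2 > 3.10.0-514.21.2 > 3.10.0-514.21.1, and 696.3.2 > 642."""
    parsed = parse_kernel(release)
    if parsed is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    version, rel, major = parsed
    if major not in CERTIFIED_KERNELS:
        raise ValueError(f"no certified kernel known for RHEL {major}")
    cert_version, cert_rel, _ = parse_kernel(CERTIFIED_KERNELS[major])
    return (version, rel) >= (cert_version, cert_rel)


def parse_amd_version(version):
    """'12.4.11' -> (12, 4, 11); '17.00.00' -> (17, 0, 0)."""
    return tuple(int(x) for x in version.split("."))


def stack_clash_plan(amd_version, kernel_release):
    """Order the remediation the entry requires: AMD 12.4.13+ first, then the kernel."""
    if parse_amd_version(amd_version) < MIN_AMD_FOR_NEW_KERNEL:
        return "upgrade AMD to 12.4.13 (or 17.00.00) before installing the new kernel"
    if not kernel_is_patched(kernel_release):
        return "install the certified kernel (yum update kernel) and reboot"
    return "remediated"


if __name__ == "__main__":
    # Constructed host inventory, not real customer data.
    hosts = [
        ("amd-old", "12.4.11", "3.10.0-514.16.1.el7.x86_64"),
        ("amd-mid", "12.4.13", "3.10.0-514.16.1.el7.x86_64"),
        ("amd-new", "17.00.00", "3.10.0-514.26.2.el7.x86_64"),
        ("amd-el6", "12.4.13", "2.6.32-696.3.2.el6.x86_64"),
    ]
    for name, amd, kernel in hosts:
        print(f"{name}: {stack_clash_plan(amd, kernel)}")
```

On a live AMD the inputs come from `uname -r` (the running kernel, which is what matters after the reboot) and the AMD's own version file; a kernel that is installed but not yet booted still shows the old release in `uname -r`, which is exactly the case the "and reboot the system" note is about.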
WannaCry
Affected? No
Dynatrace software is not directly affected or vulnerable; nevertheless, customers are strongly encouraged to perform their own assessment of the vulnerability of every environment where Dynatrace software is installed and to take appropriate corrective action. More information about this attack and how to protect against it can be found on Microsoft's TechNet blog. To download the necessary security patches, go to Microsoft Security Bulletin MS17-010.
Oracle Java SE (April 2017): CVE-2017-3512, CVE-2017-3514, CVE-2017-3511, CVE-2017-3526, CVE-2017-3509, CVE-2017-3533, CVE-2017-3544, CVE-2017-3539
Affected? Yes

The JRE and JDK are exposed to multiple vulnerabilities affecting various components. Oracle's Java Critical Patch Update for April 2017 contains 8 new security fixes across multiple Java SE products and sub-products. Affected versions are Oracle Java JDK and JRE 6u141 and earlier, 7u131 and earlier, and 8u121 and earlier. The vendor released Java SE JDK and JRE 8 Update 131, 7 Update 141 and 6 Update 151 to resolve these issues. DC RUM 12.4.x releases use Java 1.8, so an update to JRE 8 update 131 (or later) is required.
AMD impact: AMD uses the Java 1.8 package installed from the RHEL repositories; there is no Java build embedded in the AMD code. To update Java 1.8 on AMD, run yum update java to obtain the latest Java 1.8 build available from Red Hat.
CAS, ADS, and RUM Console: These server components use an embedded Java run-time environment (JRE). Releases prior to 12.4.13 are affected because they shipped vulnerable Java builds; refer to Supported Java builds for the detailed build numbers. Solution: release 12.4.13 contains the fixed JRE 1.8u131 build, so upgrade your existing 12.4.x installation to release 12.4.13.
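A check for the Java requirement in this entry and in the July 2017 entry above, added here as an example (not Dynatrace code): it parses the first line of java -version, which the JVM writes to stderr, into a (major, update) pair and compares the Java 8 update number with the minimum each advisory needs (8u131 for April 2017, 8u141 for July 2017). Run it against the embedded JRE's bin/java for CAS, ADS and the RUM Console, and against the system java on AMD. The sample outputs are constructed, and the advisory labels are names used only by this example.

```python
import re
import subprocess

# Minimum Java 8 update that resolves each Oracle CPU discussed on this page.
# The keys are labels used only in this example.
REQUIRED_UPDATE = {"April 2017 CPU": 131, "July 2017 CPU": 141}

# First line of `java -version`, e.g. java version "1.8.0_131". Also accepts the
# post-Java-9 scheme ("9.0.4") and OpenJDK builds ("openjdk version ...").
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, update) from `java -version` text, or None if not recognised.
    "1.8.0_131" -> (8, 131); "1.7.0_141" -> (7, 141); "9.0.4" -> (9, 0)."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    first, second, _, update = m.groups()
    # Legacy "1.<major>.0_<update>" versus "<major>.<minor>.<security>" from Java 9 on.
    major = int(second) if int(first) == 1 else int(first)
    return major, int(update or 0)


def java_meets(output, advisory):
    """True if the runtime described by `output` is Java 8 at or above the update the
    advisory requires. Java 6/7 builds return False even when patched, because the NAM
    components on this page run on Java 1.8, so a patched Java 7 is the wrong runtime."""
    parsed = parse_java_version(output)
    if parsed is None:
        raise ValueError("could not parse java -version output")
    major, update = parsed
    return major == 8 and update >= REQUIRED_UPDATE[advisory]


def check_installed(java_bin="java", advisory="July 2017 CPU"):
    """Run the given java binary (e.g. the embedded JRE's bin/java) and check it.
    `java -version` prints to stderr; newer builds may use stdout, so both are tried."""
    proc = subprocess.run([java_bin, "-version"], capture_output=True, text=True)
    return java_meets(proc.stderr or proc.stdout, advisory)


# Constructed sample outputs, not captured from a real DC RUM host.
JRE_8U131 = ('java version "1.8.0_131"\n'
             'Java(TM) SE Runtime Environment (build 1.8.0_131-b11)\n'
             'Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)\n')
JRE_8U144 = ('java version "1.8.0_144"\n'
             'Java(TM) SE Runtime Environment (build 1.8.0_144-b01)\n')
JRE_7U141 = 'java version "1.7.0_141"\n'

if __name__ == "__main__":
    for label, out in (("8u131", JRE_8U131), ("8u144", JRE_8U144), ("7u141", JRE_7U141)):
        print(label, {adv: java_meets(out, adv) for adv in REQUIRED_UPDATE})
```

The point the 8u131 sample makes is that a build which was the fix for the April advisory is the affected build in the July one, which is why the entries above quote the update number rather than just "Java 8".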
Apache Tomcat: CVE-2017-5648, CVE-2017-5650
Affected? Yes
Security vulnerabilities were reported for Apache Tomcat versions 8.5.0 through 8.5.12 (and, for CVE-2017-5648, for the older 7.0.x builds noted below). Some DC RUM 12.4.x components prior to 12.4.13 are affected. AMD uses the native Tomcat package of the RHEL OS.

CVE-2017-5648

AMD
  • Tomcat on RHEL 6 is not impacted by this vulnerability
  • Tomcat on RHEL 7 is impacted and requires update to version 7.0.76 or newer. Solution: yum update tomcat
CAS and ADS
  • Releases 12.4.x prior to 12.4.13 use Apache Tomcat 8.5.8 and are therefore affected. Solution: upgrade to 12.4.13, which comes with Apache Tomcat 8.5.14.
  • The May 2017 release (coming) is not affected, as it already contains Apache Tomcat 8.5.14.
Console
  • N/A - This component does not use Apache Tomcat

CVE-2017-5650

AMD
CAS and ADS
  • Releases 12.4.x prior to 12.4.13 use Apache Tomcat 8.5.8 and are therefore affected. Solution: upgrade to 12.4.13, which comes with Apache Tomcat 8.5.14.
  • The May 2017 release (coming) is not affected, as it already contains Apache Tomcat 8.5.14.
Console
  • N/A - This component does not use Apache Tomcat
Apache Struts 2.x
Affected? No
Apache has published a security bulletin announcing a vulnerability in Apache Struts 2.x that could allow unauthenticated remote code execution on the server. Apache Struts is not used in any NAM component, including Enterprise Synthetic and Dynatrace Network Analyzer.
Sweet32
Affected? Yes
SSL 64-bit block size cipher suites supported, aka SSL/TLS: birthday attack against 64-bit block ciphers (SWEET32). The DES and Triple DES ciphers, as used in the TLS, SSH and IPsec protocols and in other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode (the "Sweet32" attack). Impact: old versions of NAM (12.4.10 and earlier) may be affected. Release 12.4.12 comes with an enhanced SSL configuration in which only secure cipher suites are allowed and the well-known weak cipher suites are disabled, so installing SP12 addresses this vulnerability. Solution: disable the use of 3DES cipher suites. See Securing AMD for details.
Heartbleed
Affected? No
Heartbleed is a security bug disclosed in April 2014 in the OpenSSL cryptography library, a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client. The official identifier for Heartbleed is CVE-2014-0160. This vulnerability was addressed in the 12.2.1 and 12.3.0 releases; older releases can be patched. For more information, see OpenSSL Vulnerability also known as Heartbleed Bug.
Shellshock
Affected? No
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands and thereby gain unauthorized access to the system. The official identifier for Shellshock is CVE-2014-6271. No NAM component is directly affected by this vulnerability:
  • The CAS, ADS, and RUM Console are Windows-based components and thus are not affected by this vulnerability.
  • The AMD component runs on the Red Hat Enterprise Linux operating system, but the AMD software does not use the Bash shell in its services. It is nevertheless strongly recommended, and good practice, to patch your RHEL OS against the Shellshock bug. See the RHEL technical alert for CVE-2014-6271 for details.
POODLE
Affected? Yes
The POODLE ("Padding Oracle On Downgraded Legacy Encryption") attack is a man-in-the-middle exploit that takes advantage of Internet and security software clients' fallback to SSL 3.0. SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain clear text data via a padding-oracle attack such as POODLE. Several components of certain NAM releases may be affected. Releases 12.3 and 12.4 are not affected (use of SSLv3 was disabled). Old versions of NAM, 12.2.x and earlier, may be affected. Solution: disable the use of SSLv3 and use the more secure TLS protocol. See POODLE vulnerability in SSLv3 for details.
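An audit for this entry and for the Sweet32 entry above, added here as an example (it is not Dynatrace code and the fragments are not the product's actual configuration): it reads a Tomcat HTTPS Connector and reports the two things both entries tell you to disable, SSLv3 in the enabled protocols and 64-bit block cipher suites (DES, 3DES, IDEA, RC2, Blowfish) in the cipher list, in both the OpenSSL and the IANA spelling. The server.xml fragments are constructed; sslEnabledProtocols and ciphers are standard Tomcat Connector attributes, but whether CAS and ADS expose their TLS settings through them is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample connectors (not copied from any Dynatrace install): the first
# shows the weak state the entries describe, the second the intended hardened state.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
               ciphers="ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-DES-CBC3-SHA,
                        DES-CBC3-SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,HIGH"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslEnabledProtocols="TLSv1.2"
               ciphers="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!3DES:!DES"/>
  </Service>
</Server>"""

# Protocol versions POODLE (SSLv3 CBC padding oracle) applies to; SSLv2 is older still.
POODLE_PROTOCOLS = {"SSLv2", "SSLv3"}

# 64-bit block ciphers, matched in OpenSSL ("DES-CBC3-SHA") and IANA
# ("TLS_RSA_WITH_3DES_EDE_CBC_SHA") spellings. The leading delimiter keeps
# "AES" from matching on its "ES", and the lookahead keeps "DESCRIPTION"-like junk out.
SWEET32_RE = re.compile(r"(?:^|[-_])(?:3DES|DES|IDEA|RC2|BF|BLOWFISH)(?=$|[-_0-9])")

# OpenSSL group keywords that, on OpenSSL 1.0.x, still expand to include 3DES
# unless an explicit exclusion follows them.
OPAQUE_GROUPS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "COMPLEMENTOFDEFAULT"}
THREEDES_EXCLUSIONS = {"!3DES", "!DES", "-3DES", "-DES"}


def split_list(value):
    """Tokenise a Tomcat list attribute: comma-separated, or OpenSSL colon-separated."""
    return [t.strip() for t in re.split(r"[,:]", value) if t.strip()]


def weak_64bit_ciphers(tokens):
    """Return the enabled tokens that name a 64-bit block cipher suite."""
    weak = []
    for tok in tokens:
        if tok.startswith(("!", "-")):      # OpenSSL exclusion, not an enabled suite
            continue
        if SWEET32_RE.search(tok.lstrip("+")):
            weak.append(tok)
    return weak


def unresolved_groups(tokens):
    """Group keywords whose 3DES content is not ruled out by an explicit exclusion."""
    if any(t in THREEDES_EXCLUSIONS for t in tokens):
        return []
    return [t for t in tokens if t.upper() in OPAQUE_GROUPS]


def audit_connector(server_xml):
    """Audit every SSL-enabled <Connector> for POODLE and Sweet32 exposure."""
    root = ET.fromstring(server_xml)
    report = {"poodle_protocols": [], "sweet32_ciphers": [], "unresolved_groups": []}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protocols = split_list(conn.get("sslEnabledProtocols", ""))
        ciphers = split_list(conn.get("ciphers", ""))
        report["poodle_protocols"] += [p for p in protocols if p in POODLE_PROTOCOLS]
        report["sweet32_ciphers"] += weak_64bit_ciphers(ciphers)
        report["unresolved_groups"] += unresolved_groups(ciphers)
    return report


def is_hardened(report):
    """True when nothing was flagged."""
    return not any(report.values())


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        rep = audit_connector(xml)
        print(name, "OK" if is_hardened(rep) else rep)
```

The "HIGH" finding is the caveat worth remembering: a cipher string that looks strong can still negotiate 3DES on OpenSSL 1.0.x because 3DES sat in HIGH until OpenSSL 1.1.0, so the fix is to list suites explicitly or to append !3DES. A file audit only shows intent; confirm the running listener from outside with openssl s_client -connect host:443 -cipher '3DES' (the handshake must fail) and, where the local OpenSSL still supports it, -ssl3 for POODLE.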