
Manage third-party vulnerabilities

After you enable and configure the Application Security and OneAgent features, Dynatrace starts monitoring your applications to detect vulnerabilities in third-party libraries.

  • A spinning radar screen in the upper-right corner of the Third-party vulnerabilities page indicates that your environment is being monitored. If the radar stops, you are warned "Monitoring stopped. Please check settings." Follow the associated link to enable Vulnerability Analytics.

  • The security problem indicator on the Dynatrace top bar displays the number of critical or high vulnerabilities in your environment. Select it to navigate to the Third-party vulnerabilities page.

Third-party vulnerabilities list

To see a list of all detected third-party vulnerabilities in your environment, in the Dynatrace menu, go to Third-party vulnerabilities. The following information is displayed.

General overview of the key features

Note: The numeric values displayed are management-zone aware.

  • The number of open vulnerabilities (and the muted ones). Select it to display the vulnerabilities filtered by Status: Open.
  • The number of critical and high vulnerabilities. Select it to display the open vulnerabilities filtered by Risk level: Critical or Risk level: High.
  • The number of monitored technologies out of the total number of supported technologies. Select Monitored technologies to view and edit your settings.
  • A visual representation of each technology. Select a logo to display the vulnerabilities list filtered by the respective technology.

Davis Security Advisor

The Davis Security Advisor recommends the fixes that would most improve the overall security of your environment. For details, see Davis Security Advisor calculations.

Vulnerabilities detected

A list of all detected third-party vulnerabilities in your environment. For optimized performance, a maximum of 500 vulnerabilities is displayed at a time. You can narrow down the results by applying filters. To sort the list by any column, select the corresponding column heading. To add or remove columns, select Format table.

Vulnerability

  • The Dynatrace vulnerability ID (example: S-3440)

  • Depending on the vulnerability feed:

    • For SNYK vulnerabilities, the SNYK name (example: Denial of Service (DoS))
    • For NVD vulnerabilities, the CVE ID (example: CVE-2020-2805), or the CWE name, if available (example: Deserialization of Untrusted Data)

    For more information, see Terminology: Third-party vulnerability.

  • The vulnerable component (the software or runtime package causing a vulnerability):

    • For SNYK vulnerabilities, the package name (example: org.apache.tomcat:tomcat-coyote)
    • For NVD vulnerabilities, the runtime technology (examples: Java runtime, Node.js runtime)

Davis Security Score

  • The risk level (Critical, High, Medium, Low, None) of the vulnerability, based on the Common Vulnerability Scoring System (CVSS) score of the vulnerability and AI-enhanced to take public internet exposure and reachable data assets into consideration. If a vulnerability has been resolved, the symbol color is green.

  • The overall risk assessment (the final score).

  • If there is any public exposure (the vulnerability affects a process that is exposed to the internet, based on the Dynatrace entity model (Smartscape)). If the symbol is grayed out and crossed out, there's no public exposure. If the symbol isn't present, there's no data available.

  • If there are any reachable data assets (the vulnerability affects a process that has database access, based on the Dynatrace entity model). If the symbol is grayed out and crossed out, there are no reachable data assets affected. If the symbol isn't present, there's no data available.

  • If there is any vulnerable function in use by a process. If the symbol is grayed out and crossed out, there's no vulnerable function in use. If the symbol isn't present, there's no data available.

  • If there is any public exploit (known malicious code that exploits this vulnerability). If the symbol is grayed out and crossed out, there's no public exploit. If the symbol isn't present, there's no data available.

Status

  • Open: The vulnerability is active.

  • Resolved: The vulnerability has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present. For more information, see Terminology: Resolved vulnerabilities.

  • Muted - Open: The vulnerability is active but has been silenced by request.

  • Muted - Resolved: The silenced active vulnerability has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present.

    Note: A muted vulnerability that has been closed automatically doesn't change its status to Resolved, but to Muted - Resolved.

Affected entities

The entities (applications, services, hosts, databases, Kubernetes workloads, or Kubernetes clusters) that are affected by the identified third-party vulnerability.

Note: The affected entities are globally calculated. Management zone filtering doesn't apply.

Technology

The technology of the process affected by the vulnerability.

First detected

When Dynatrace first detected the third-party vulnerability.

Last update

When the most recent update (for example, a new risk assessment or a new software component with the same vulnerability) was detected.

Details

Expand vulnerability rows for details, or to perform the following actions:

  • Select Change status to mute or unmute a vulnerability, or to mute it again with a different reason or comment.
  • Select View process group overview to navigate to the overview page of the process groups related to a vulnerability.
  • Select View vulnerability details to navigate to the details page of a vulnerability.

Third-party vulnerability details

To see details about a third-party vulnerability, select a vulnerability on the Third-party vulnerabilities page. The following information is displayed.

Vulnerability title

  • The SNYK name (example: Deserialization of Untrusted Data)
  • The type of vulnerability based on the vulnerable component (third-party vulnerability for software components, runtime vulnerability for runtime components)
  • The SNYK ID (example: SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664)
  • When the vulnerability appeared

Shortcut to main topics

Expand the button next to Settings on the upper-left side of the vulnerability details page to select one of the topics below.

  • Vulnerability details
  • Related entities
  • Vulnerability evolution
  • Vulnerable components

Select Settings to navigate to the Application Security general settings.

Infographic of the key features

Select any of these features to jump to the corresponding section on the page.

  • Risk level: Davis Security Score risk level (Critical, High, Medium, Low, None).

  • Public internet exposure: Whether there's any public internet exposure. Possible states are:

    • Public network: There is public internet exposure.
    • Not detected: No internet exposure was found.
    • Not available: Data isn't available because the related hosts are running in infrastructure-only mode. For details, see Monitoring modes.

  • Reachable data assets: Whether any reachable data assets are affected. Possible states are:

    • Within range: There are reachable data assets affected.
    • Not detected: No reachable data assets were found.
    • Not available: Data isn't available because the related hosts are running in infrastructure-only mode. For details, see Monitoring modes.

  • Vulnerable functions: Whether any vulnerable functions are in use. Possible states are:

    • In use: There are vulnerable functions in use.
    • Not detected: No vulnerable functions in use were found.
    • Not available: Data isn't available because the related hosts are running in infrastructure-only mode. For details, see Monitoring modes.

  • Exploit: Whether there's any malicious code that exploits the third-party vulnerability. Possible states are:

    • Exploit published: A publicly known exploit for this vulnerability is available.
    • No exploit published: No publicly known exploit for this vulnerability is available.

  • Process groups: How many process groups are affected.

  • Vulnerable component: The name of the vulnerable component.

If you want to change the status of a vulnerability, select Change status in the upper-right corner of the page.

Vulnerability details

  • The name and description of the affected package (example: com.fasterxml.jackson.core:jackson-databind), the associated technology (example: Java), and links to the SNYK, CVE/CWE/OWASP IDs for further information.

  • Vulnerable functions¹: The exact classes (example: com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator) and functions (example: validateSubType) causing the vulnerability, and the affected process groups based on the function usage. The function usage shows whether the vulnerable function is being used by your application. This can help you assess the impact on your environment.

    • In use: Shows how many of the related process groups are affected by the vulnerability (use at least one vulnerable function). Select the number of affected process groups to navigate to remediation tracking.
    • Not in use: Shows how many related process groups don't use any vulnerable function.
    • Not available: Shows for how many related process groups the vulnerable function usage could not be determined, for example if there's no information available in the vulnerability database about vulnerable functions for a given vulnerability, or if related hosts are running in infrastructure-only mode.

    Note: The information is based on management zones, not on the timeframe.

¹ This section is not displayed for runtime vulnerabilities, or if no vulnerable functions were found.

Davis Security Score

A detailed view of how the Davis Security Score for the opened vulnerability is calculated: starting from the CVSS score provided by SNYK, Davis checks whether there is public internet exposure or reachable data assets affected and, if so, to what extent. The score is then adjusted as applicable based on the Davis AI calculations.

Reachable data assets

The last five database services accessed by affected processes containing the identified vulnerability, based on the last hour. Select View all to navigate to Databases. For information on how to monitor your database performance, see Databases.

Vulnerability evolution

The last five vulnerability status changes (for example, when the vulnerability is first resolved and then reopened) over the last 30 days, and details about the changes. Select Show more to see the next five changes.

Related entities

The number of entities (applications, services, hosts, databases, Kubernetes workloads, or Kubernetes clusters) that are related to the identified vulnerability, based on the last hour, with links to the details page of the related entities.

Note: The related entities displayed may be impacted by:

  • Security-monitoring rules
  • Management zones
  • Timeframe

For more information, see Terminology: Related vs. affected entities.

Note: The Kubernetes workloads and Kubernetes clusters sections are displayed only if Kubernetes workloads or clusters are detected.

Vulnerable components

The name and description of the libraries that are affected by the identified vulnerability, and the number of affected processes, based on the last hour.

Related container image

The top five related container images (image name and ID), based on the last hour, sorted by the number of affected processes.

Note: This information is displayed only if containers are detected.

Process group overview

Displays the following information, based on the last hour:

Process groups

  • Process groups in total: The total number of process groups that are related to the identified vulnerability (affected, resolved, and muted). It links to the overview page of the related process groups.

  • Affected process groups: The number of affected process groups and the percentage of affected process groups out of the total number of related process groups. It links to the overview page of related process groups filtered by Status: Affected.

    Notes:

    • An affected process group is a process group that contains a vulnerable library or runtime.

    • The affected process groups are globally calculated. Management zone filtering doesn't apply.

    • The number of affected process groups matches the total count only if all functions in all used software component versions are vulnerable.

      Example

      A software component A is vulnerable to a vulnerability X in versions 1 and 2.

      The function f1 is only vulnerable in version 1.

      There are two process groups:

      • Process group PG1 uses the software component A.1, which includes the vulnerable function f1.
      • Process group PG2 uses the software component A.2, which doesn't include any vulnerable function.

      The Process groups overview section on the details page of a vulnerability will show the vulnerable function f1 with one process group (PG1) In use and Not in use. PG2 is not considered because there is no vulnerable function in version 2.

  • Resolved process groups: The number of affected process groups that have been resolved and the percentage of resolved process groups out of the total number of related process groups. It links to the overview page of related process groups filtered by Status: Resolved.

  • Muted process groups: The number of affected process groups that have been muted and the percentage of muted process groups out of the total number of related process groups. It links to the overview page of related process groups filtered by Status: Muted.

  • A graph displaying the affected, resolved, and muted process groups, marked with different colors.
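The counting rules in the notes above (a process group is affected when it loads a vulnerable library; function usage is only reported for versions that actually contain a vulnerable function), as an added example that is not part of the Dynatrace documentation: a small Python model of the page's own A/f1/PG1/PG2 scenario. The data classes, the infra_only flag and the convention that None means "no function data in the vulnerability database" are assumptions; the block also goes beyond the page's example with extra process groups to show the Not in use and Not available buckets.

```python
from dataclasses import dataclass, field

# Constructed model (an assumption, not Dynatrace's data model). Per version,
# vulnerable_functions holds the vulnerable function names, an empty set when
# that version has none, or None when the vulnerability database has no data.
@dataclass
class Vulnerability:
    component: str
    vulnerable_versions: set
    vulnerable_functions: dict   # version -> set of function names, or None

@dataclass
class ProcessGroup:
    name: str
    component_versions: dict     # component -> version loaded by its processes
    called_functions: set = field(default_factory=set)  # functions seen in use
    infra_only: bool = False     # infrastructure-only hosts: no function data

def classify(vuln, process_groups):
    # Returns (affected process groups, function-usage buckets) for one vulnerability.
    affected = []
    usage = {"In use": [], "Not in use": [], "Not available": []}
    for pg in process_groups:
        version = pg.component_versions.get(vuln.component)
        if version not in vuln.vulnerable_versions:
            continue                  # no vulnerable library loaded: not related
        affected.append(pg.name)      # contains the vulnerable library: affected
        funcs = vuln.vulnerable_functions.get(version)
        if funcs == set():
            continue                  # no vulnerable function in this version: not considered
        if funcs is None or pg.infra_only:
            usage["Not available"].append(pg.name)   # usage cannot be determined
        elif funcs & pg.called_functions:
            usage["In use"].append(pg.name)
        else:
            usage["Not in use"].append(pg.name)
    return affected, usage

# The page's scenario (PG1, PG2) plus added cases: version 1 without calling f1,
# version 1 on infrastructure-only hosts, and a non-vulnerable version calling an f1.
X = Vulnerability("A", {"1", "2"}, {"1": {"f1"}, "2": set()})
PG1 = ProcessGroup("PG1", {"A": "1"}, {"f1", "helper"})
PG2 = ProcessGroup("PG2", {"A": "2"}, {"helper"})
PG3 = ProcessGroup("PG3", {"A": "1"}, {"helper"})
PG4 = ProcessGroup("PG4", {"A": "1"}, infra_only=True)
PG5 = ProcessGroup("PG5", {"A": "3"}, {"f1"})

def extended_example():
    return classify(X, [PG1, PG2, PG3, PG4, PG5])
```

Running classify(X, [PG1, PG2]) reproduces the page's example: both groups are affected, but only PG1 appears in the function-usage counts, because version 2 has no vulnerable function.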

Processes

  • Processes total: The total number of processes (affected and unaffected) in the process groups in which at least one process is affected.

  • Affected processes: The number of affected processes.

    Note: An affected process is a process that contains a vulnerable library or runtime. It can be exposed to the public internet or not.

  • Exposed: The number of affected processes that are exposed to the public internet and the percentage of exposed processes out of the total number of affected processes.

Most affected process groups

Lists and links to the top five process groups, sorted by status (Affected, then Resolved, then Muted) and by the number of affected processes out of the total processes in the respective process group, and indicates whether there is any public exposure or any reachable data assets. Select View all process groups to navigate to the overview page of the process groups related to a vulnerability.