Security alerts

Dynatrace takes a proactive approach in communicating security vulnerability information to our customers. This page lists recent security vulnerabilities and the current status of their impact on Dynatrace. Refer to this page as new vulnerabilities are detected and become public knowledge. To report issues related to security vulnerabilities affecting Dynatrace, please contact Dynatrace Technical Support.

WannaCry ransomware attack

WannaCry ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.

Impact: Dynatrace has been thoroughly tested and is not impacted by the recent WannaCry ransomware global outbreak. Click here for more details.

Apache Tomcat vulnerability

Security vulnerabilities were reported for Apache Tomcat in versions between 8.5.0 and 8.5.12.

Impact: Some Data Center RUM 12.4.x components prior to 12.4.13 are affected. See Data Center RUM Security Alerts for more information.

Apache Struts 2.x vulnerability

Apache has published a security alert announcing a vulnerability in Apache Struts 2.x that could allow unauthenticated, remote code execution on the server.

Impact: No impact on Dynatrace.

Sweet32 vulnerability (Birthday attacks on 64-bit block ciphers)

Legacy block ciphers having a block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. All versions of the SSL/TLS protocols that support cipher suites which use 3DES as the symmetric encryption cipher are affected. The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a “Sweet32” attack.

Impact: Only Data Center RUM 12.4.10 and earlier may be affected. Release 12.4.12 comes with an enhanced SSL configuration in which only secure cipher suites are allowed and the use of well-known weak cipher suites is disabled, so installing SP12 will address this security vulnerability.

Solution: Disable use of 3DES cipher suites. See Securing AMD for details.
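
An added example (not Dynatrace code) of checking a configured suite list for the problem described above: it flags TLS cipher suites built on 64-bit block ciphers and computes the data volume at the birthday bound. It goes beyond DES/3DES to IDEA and RC2, which also have 64-bit blocks; the function names are hypothetical and the suite list is constructed sample input.

```python
import re

# Name tokens that identify a 64-bit block cipher in a TLS suite name.
# Checked in this order so "DES-CBC3-SHA" (OpenSSL's name for 3DES)
# is reported as 3DES rather than single DES.
MARKERS = [
    ("3DES", "3DES"), ("CBC3", "3DES"),
    ("DES", "DES"), ("DES40", "DES"),
    ("IDEA", "IDEA"), ("RC2", "RC2"),
]

def block64_cipher(suite):
    """Return the 64-bit block cipher used by a suite name, or None.

    Accepts both OpenSSL names (DES-CBC3-SHA) and IANA names
    (TLS_RSA_WITH_3DES_EDE_CBC_SHA) by splitting on '-' and '_'.
    """
    tokens = re.split(r"[-_]", suite.upper())
    for marker, cipher in MARKERS:
        if marker in tokens:
            return cipher
    return None

def audit(suites):
    """Map each Sweet32-relevant suite to the cipher that makes it so."""
    flagged = {}
    for suite in suites:
        cipher = block64_cipher(suite)
        if cipher is not None:
            flagged[suite] = cipher
    return flagged

def birthday_bound_bytes(block_bits):
    """Bytes encrypted under one key before a block collision is likely:
    about 2^(n/2) blocks of n/8 bytes each."""
    return (2 ** (block_bits // 2)) * (block_bits // 8)

# Constructed sample input: a suite list as it might appear in a server config.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "EXP-DES-CBC-SHA",
    "TLS_RSA_WITH_IDEA_CBC_SHA",
]

if __name__ == "__main__":
    for suite, cipher in audit(SAMPLE_SUITES).items():
        print(f"disable {suite}: {cipher} has a 64-bit block")
    print(f"64-bit bound: {birthday_bound_bytes(64) / 2**30:.0f} GiB per key")
```

For a 64-bit block the bound is 2^32 blocks (the "approximately four billion" above), which is 32 GiB of traffic under a single key; for a 128-bit cipher such as AES the same formula gives 2^64 blocks.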

OpenSSL vulnerability (Heartbleed security bug)

Heartbleed is a security bug disclosed in April 2014 in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client.

The CVE ID for Heartbleed is: CVE-2014-0160.

Impact: Older releases of Data Center RUM & AppMon were initially affected, but have been addressed.

Solution:

Shellshock vulnerability (Bash security bug)

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

The CVE ID for Shellshock is: CVE-2014-6278.

Impact: No impact on Dynatrace.

SSL 3.0 Protocol vulnerability (POODLE attack)

The POODLE (“Padding Oracle On Downgraded Legacy Encryption”) attack is a man-in-the-middle exploit that takes advantage of the fallback to SSL 3.0 by Internet and security software clients. SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack such as the POODLE issue.

Impact: Only older versions of Data Center RUM 12.2.x and earlier and AppMon 6.1 were affected.

Solution:

Network time protocol (NTP) vulnerability

The NTP (network time protocol) vulnerability is a security flaw in the standard implementation of the network time protocol (NTP) that can be exploited to compromise servers and devices that run UNIX-like operating systems.

This vulnerability has the CVE ID CVE-2014-9295.

Impact: Synthetic Monitoring is affected. See Security alert – NTP vulnerability for more information.

Public Last Mile auto-fill vulnerability

Impact: On May 7 2015 we were made aware of a vulnerability in the Dynatrace Synthetic Monitoring Last Mile network. The vulnerability allows a user running the Last Mile peer to collect form values (Autofill values) entered by some Firefox tests. While our Last Mile peer software deletes all cached information before and after a test, the vulnerability exposed a way of copying cached information during test execution for longer-running tests.

Dynatrace deployed a solution to this vulnerability on the evening of Saturday May 9 2015 (CMR-779). The fix prevents the Last Mile browser from caching any form values during test execution and disables all screenshot mechanisms in the Public Last Mile.

Solution: The recommendation for running transactions on the Public Last Mile network is to use monitoring accounts with limited/appropriate access for any Synthetic test script. Also, use the encryption feature in the Recorder for any “FormFill” script actions that enter website UserID and password information.