FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Looking to upgrade from Dynatrace Managed to SaaS? See how

OpenSSL CVE-2023-5678

Suryanto_1
Helper

‎18 Mar 2024 06:45 AM

Tenable flag a medium vulnerability - https://www.tenable.com/cve/CVE-2023-5678


From Dynatrace official community post on CVE-2023-5678 was posted months back.

Quote: "Not affected. Vulnerable library is part of the base image"

Affected library: OpenSSL (1.0.2 - <1.0.2zj, 1.1.0-<1.1.1x, 3.0.0-<3.0.13, 3.1.0-<3.1.05)

https://community.dynatrace.com/t5/Heads-up-from-Dynatrace/Dynatrace-CVE-status-Common-Vulnerabiliti...


In recent Dynatrace Managed version 1.286. Dynatrace actually went to update the OpenSSL to 1.1.1w. One version below x.

What baffles us is as follows

1) Since this is to Dynatrace not affected. Why would they upgrade to 1.1.1w?

2) And why wouldnt they go straight to 1.1.1x instead of 1.1.1w


3) We even ask if we could remove the flagged file since we were told its part of the base image but were told there are dependecies.

Path - /usr/opt/dynatrace-managed/installer/bin/libssl.so.1.1
Path - /usr/opt/dynatrace-managed/installer/bin/libcrypto.so.1.1

Path - /usr/install/_DTTMP_20230418_092419/bin/libssl.so.1.1
Path - /usr/install/_DTTMP_20230418_092419/bin/libcrypto.so.1.1


Could anyone enlighten us based on your expereience with Dynatrace? Thanks!

 

 

0 Kudos
Reply
3 REPLIES 3

Julius_Loman
DynaMight Legend
DynaMight Legend

‎18 Mar 2024 07:35 AM

@Suryanto_1  you are looking at a different component in the list of CVEs.

For Managed it's further down in the list:

Julius_Loman_0-1710747308257.png

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
Reply

Suryanto_1
Helper

‎18 Mar 2024 07:39 AM

 We even ask if we could remove the flagged file (below) as clealy the path are managed

However we were told its part of the base image and there are dependencies so its NOT recommended to remove!

Path - /usr/opt/dynatrace-managed/installer/bin/libssl.so.1.1
Path - /usr/opt/dynatrace-managed/installer/bin/libcrypto.so.1.1

Path - /usr/install/_DTTMP_20230418_092419/bin/libssl.so.1.1
Path - /usr/install/_DTTMP_20230418_092419/bin/libcrypto.so.1.1

0 Kudos
Reply

Julius_Loman
DynaMight Legend
DynaMight Legend
In response to Suryanto_1

‎18 Mar 2024 08:11 AM

No, you shall not remove those files.

As stated above - Managed is not affected as it is not using the vulnerable code in this CVE.  If you are still in doubt, reach out to Dynatrace as described here: 
https://docs.dynatrace.com/managed/shortlink/who-to-contact-security

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
Reply
Ask a question

Featured Posts