Dynatrace, Inc.

DT

US2681501092

IT Services & Consulting

Market Closed - Nyse Other stock markets 04:00:03 2024-04-23 pm EDT			5-day change	1st Jan Change
46.25 ^USD	+1.56%		+3.89%	-15.43%

Apr. 09	Dynatrace Expands Go-To-Market Partnership with Google Cloud	CI
Apr. 02	North American Morning Briefing : Stocks Seen -2-	DJ

Dynatrace : What is Spring4Shell? Detect and mitigate new zero-day vulnerabilities in the Java Spring Framework

April 31, 2022 at 06:30 pm EDT

This article was co-authored with Robin Wyss.

CVE recently published three new critical vulnerabilities in the Java Spring Framework, including one called Spring4Shell.

Many applications are potentially affected, as Spring dominates the Java ecosystem, with 60% of developers using it in their main Java applications.

In what follows, we provide clarity on recently published vulnerabilities in the Spring Framework and a short how-to guide to help you identify if your organization is affected.

What is Spring4Shell?

Spring4Shell is a critical vulnerability in the Java Spring framework and one out of three published on March 30:

Spring Core RCE (critical): CVE-2022-22965 a.k.a. Spring4Shell
Affected library: org.springframework:spring-bean
Information Exposure in Spring Cloud Function: CVE-2022-22963
Affected library: org.springframework.cloud:spring-cloud-function-context
Denial of Service in Spring Expressions: CVE-2022-22950
Affected library: org.springframework:spring-expression

Spring4Shell is severe as it can be exploited for remote code execution. There are already proof-of-concept exploits available publicly. Spring has already published a fix in Spring Framework 5.3.18 or 5.2.20.

There are several methods and tooling available to identify if an application is affected. We explore two options below:

Using Dynatrace Application Security
Using the Apache Maven Dependency plugin

Dynatrace Application Security detects the affected components automatically

For customers using Dynatrace Application Security, Dynatrace detects all three vulnerabilities automatically and in all locations across highly distributed hybrid, multicloud environments.

If you have security notifications set up, Dynatrace automatically sends a notification with the relevant details for each vulnerability upon discovery.

You can also find the vulnerabilities in Dynatrace in two additional ways:

Sorting the vulnerability list by first seen
Finding the vulnerabilities using the CVE or SNYK ID:
- Spring Core RCE: search for CVE-2022-22965 or SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
- Information Exposure in Spring Cloud Function: search for CVE-2022-22963 or SNYK-JAVA-ORGSPRINGFRAMEWORKCLOUD-2436645
- Denial of Service in Spring Expressions: search for CVE-2022-22950 or SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828

Dynatrace detects the Spring4Shell vulnerability in the Java Spring Framework

In this example, we can see how Dynatrace discovered CVE-2022-22965 and CVE-2022-22963.

Use the Apache Maven Dependency plugin to detect affected components manually

Another option is to use the Apache Maven Dependency plugin to identify whether your projects use affected libraries. Navigate to the directory of your maven project and run the following three commands to find out if your application is impacted:

Spring Core RCE

mvn dependency:tree -Dincludes=org.springframework:spring-beans

Maven finds vulnerable spring-beans version 5.3.13

Here we can see that the application uses spring-beans version 5.3.13 and is therefore affected.

Information Exposure in Spring Cloud Function

mvn dependency:tree -Dincludes=org.springframework.cloud:spring-cloud-function-context

Maven finds information exposure in Spring Cloud Function

Here we can see that the application uses spring-cloud-function-context version 3.2.2 and is therefore affected.

Denial of Service in Spring Expressions

mvn dependency:tree -Dincludes=org.springframework:spring-expression

Maven finds denial of service in Spring Expressions

Here we can see that the application uses spring-expression version 5.3.16 and is therefore affected.

How to mitigate risk

Here is how to mitigate risk for the Spring4Shell vulnerabilities.

Spring Core RCE is resolved in versions 5.2.20 and 5.3.18 or higher.
Information Exposure in Spring Cloud Function is resolved in versions 3.1.7 and 3.2.3 or higher.
Denial of Service in Spring Expressions is resolved in version 5.3.17 or higher.

See the blog post Spring Framework RCE, Early Announcement for further details.

How to get Dynatrace Application Security

If you are a Dynatrace customer and want to start using the Application Security module for automatic runtime vulnerability analysis, go to the Dynatrace web UI and select Vulnerabilities in the menu.

If you're not using Dynatrace yet, it's easy to get started in under five minutes with the Dynatrace free trial and contact us for how you can enable Dyantrace Application Security.

Attachments

Original Link
Original Document
Permalink

Disclaimer

Dynatrace Inc. published this content on 31 March 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 31 March 2022 22:27:11 UTC.

Latest news about Dynatrace, Inc.

Dynatrace Expands Go-To-Market Partnership with Google Cloud	Apr. 09	CI
North American Morning Briefing : Stocks Seen -2-	Apr. 02	DJ
JPMorgan Cuts Price Target on Dynatrace to $60 From $65, Keeps Overweight Rating	Apr. 01	MT
Needham Downgrades Dynatrace to Hold From Buy	Apr. 01	MT
Barclays Adjusts Dynatrace's Price Target to $52 From $59, Maintains Equalweight Rating	Mar. 20	MT
Wolfe Research Starts Dynatrace With Outperform Rating, $60 Price Target	Mar. 18	MT
Dynatrace Insider Sold Shares Worth $562,645, According to a Recent SEC Filing	Mar. 08	MT
Transcript : Dynatrace, Inc. Presents at Morgan Stanley?s Technology, Media & Telecom Conference 2024, Mar-05-2024 12:35 PM	Mar. 05
Dynatrace, Inc. Announces Resignation of Seth Boro from the Board	Feb. 23	CI
Dynatrace Insider Sold Shares Worth $346,974, According to a Recent SEC Filing	Feb. 15	MT
Dynatrace Positioned for Long-Term Share Gain in Observability Market, Morgan Stanley Says	Feb. 13	MT
BMO Scales Digital Banking Capabilities for Customers Worldwide with Dynatrace	Feb. 13	CI
Morgan Stanley Initiates Dynatrace at Equalweight With $60 Price Target, Sees Long-Term Opportunity But Notes 'Patience Needed'	Feb. 13	MT
Sector Update: Tech Stocks Higher Late Afternoon	Feb. 08	MT
Sector Update: Tech Stocks Gain Thursday Afternoon	Feb. 08	MT
Dynatrace Drops After Cutting Annual Recurring Revenue Growth Outlook	Feb. 08	MT
Stocks in motion: AI-related stocks soar	Feb. 08
Transcript : Dynatrace, Inc., Q3 2024 Earnings Call, Feb 08, 2024	Feb. 08
Dynatrace's Fiscal Q3 Non-GAAP Earnings, Revenue Rise; Q4 Guidance Issued, 2024 Guidance Lifted	Feb. 08	MT
Dynatrace, Inc. Reports Earnings Results for the Third Quarter and Nine Months Ended December 31, 2023	Feb. 08	CI
(DT) DYNATRACE Sees Q4 Revenue Range $372M - $377M	Feb. 08	MT
(DT) DYNATRACE Sees Q4 EPS Range $0.26 - $0.28	Feb. 08	MT
Earnings Flash (DT) DYNATRACE Posts Q3 Revenue $365.1M, vs. Street Est of $357.7M	Feb. 08	MT
Earnings Flash (DT) DYNATRACE Reports Q3 EPS $0.32, vs. Street Est of $0.28	Feb. 08	MT
Dynatrace, Inc. Updates Earnings Guidance for the Fiscal Year 2024	Feb. 08	CI

Chart Dynatrace, Inc.

Duration

Period

More charts

Company Profile

Dynatrace, Inc. offers a unified observability and security platform with analytics and automation for dynamic, hybrid, multi-cloud environments. The Company's Dynatrace Software Intelligence Platform provides application and micro service monitoring (APM), runtime application security, infrastructure monitoring, digital experience monitoring (DEM), business analytics, and cloud automation. Its product offerings include Applications and Microservices Monitoring, Infrastructure Monitoring, Application Security, Log Management and Analytics, Digital Experience Monitoring, Digital Business Analytics, and Cloud Automation. Its Dynatrace Infrastructure Monitoring provides complete visibility into a customer's infrastructure layer across public and private clouds and hybrid, multi-cloud environments. It also provides real-time detection and blocking to help protect against injection attacks that exploit critical vulnerabilities, such as Log4Shell.

Sector

IT Services & Consulting

Calendar

2024-05-14 - Q4 2024 Earnings Release (Projected)

More about the company

Income Statement Evolution

More financial data

Analysis / Opinion

INTERVIEW - Rick McConnell, CEO of Dynatrace: Earnings Beat, Upbeat Forecast

May 17, 2023 at 03:20 pm EDT

More Strategies

Ratings for Dynatrace, Inc.

Trading Rating

Investor Rating

ESG Refinitiv

C+

More Ratings

Analysts' Consensus

Sell

Buy

Mean consensus

BUY

Number of Analysts

Last Close Price

45.54 USD

Average target price

62.35 USD

Spread / Average Target

+36.91%

Consensus

EPS Revisions

Estimates Revisions

Quarterly earnings - Rate of surprise

Company calendar

Sector Cloud Computing Services

	1st Jan change	Capi.
DYNATRACE, INC.	-15.43%	13.48B
SALESFORCE.COM, INC.	+5.15%	266B
CLOUDFLARE, INC.	+5.54%	28.78B
NUTANIX, INC.	+28.08%	14.63B
QUALYS, INC.	-12.60%	6.23B
IONOS GROUP SE	+32.88%	3.48B
KINGDEE INTERNATIONAL SOFTWARE GROUP COMPANY LIMITED	-33.66%	3.42B
DIGITALOCEAN HOLDINGS, INC.	-10.85%	2.96B
ALKAMI TECHNOLOGY, INC.	+1.20%	2.34B
BEIJING SINNET TECHNOLOGY CO.,LTD	-10.80%	2.15B

Cloud Computing Services

Dynatrace, Inc.

Equities

DT

US2681501092

IT Services & Consulting

Dynatrace : What is Spring4Shell? Detect and mitigate new zero-day vulnerabilities in the Java Spring Framework

EPS Revisions