Third-party vulnerabilities: Prioritize CVEs with vulnerable function insights

Managing attack surfaces is a critical element of bolstering digital resilience. Dynatrace helps teams to gain insight into software packages susceptible to third-party vulnerabilities and related CVEs.

The Dynatrace third-party vulnerabilities feature provides insights into vulnerable software packages by matching detected package identifiers and version numbers with known vulnerable software packages and related common vulnerabilities and exposures (CVEs).

The risk of impact from an existing known vulnerability also depends on whether certain processes are using the vulnerable parts of a software component. To give users additional insights, Dynatrace provides vulnerable function usage information for certain vulnerable software packages. This information specifies which function in the source code relates to a vulnerability. The insights provided by this feature help teams to prioritize CVEs based on their reachability through monitoring the vulnerable functions.

Vulnerable function monitoring

Tracking vulnerable open source software components efficiently is one of the most important pillars of managing attack surfaces. The Dynatrace third-party vulnerabilities solution provides key capabilities for detailed and continuous insights into vulnerable software components present in an IT system.

In addition to providing information about which software components are vulnerable, the ability of Dynatrace to gather application insights also enables teams to track which software function relates to a specific vulnerability.

This ability gives security analysts and professionals the advantage of being able to evaluate the risk of a vulnerable software component in detail, depending on how vulnerable functions are used.

Let's assume the Java library shown in figure 1 is affected by vulnerability CVE-2024-XYZ. The vulnerable function in the software package is highlighted in red. Process group 1 doesn't use the function that contains the vulnerability. The risk of CVE-2024-XYZ is low in this scenario, since the process isn't accessing the vulnerable part of the package.

Figure 1: The process group isn't using the vulnerable function

In contrast to figure 1, figure 2 shows a scenario where the process group uses the vulnerable function of the Java package.

Figure 2: The process group is using the vulnerable function

In the scenario shown in figure 2, Process Group 2 uses the vulnerable part of the Java package by accessing the vulnerable function as highlighted. In this case, there could be an increased risk of exploitation, for example from a user-provided input sent through Process Group 2 to the vulnerable function.

The example in figure 3 demonstrates the function tracking functionality explained above on a real-world example using the architecture of the Spring Framework.

Figure 3: Spring Framework architecture (source: Spring Framework documentation)

The Spring Framework has many components that offer different functionalities. In our example, we monitor a simple web application that uses the URIPathHelper utility class to clean user input with the function removeSemicolonContent, which removes semicolons(;) from a given URI.

In the Spring Framework version we use for this example, the spring-web component contains vulnerability CVE-2020-5421, a high-severity CVE that exposes the application to a reflected file download (RFD) attack. This vulnerability affects the functions such as the removeSemicolonContent function we use in our application, as shown in figure 4.

Figure 4: CVE-2020-5421 vulnerability details with vulnerable function usage

To demonstrate the vulnerable function monitoring, we replace the removeSemicolonContent function with a custom one as shown below.

Now, figure 5 shows that no vulnerable function is now being used.

Figure 5: CVE-2020-5421 vulnerability details without vulnerable function usage

As we show in this example, vulnerable function monitoring provides users with additional insights and possibilities to prioritize CVEs. In this scenario, we only replace a vulnerable function with a custom one for demonstration purposes. In practice, however, we recommend upgrading third-party dependencies to fixed versions whenever possible.

Leveraging vulnerable function information to focus on the real risks

Software packages often provide a long list of different functionalities that can be used independently of each other. A vulnerability might only affect a very specific part of a software package and may never be called in a specific execution scenario.

Vulnerable functions provide this exact insight and show users of the Dynatrace third-party vulnerabilities feature which process groups are using the specific vulnerable function(s) of a CVE and which are not.

Prioritize CVEs

Figure 6 shows the vulnerable functions that are in use for CVE-2019-0232. , an RCE vulnerability. Although the CVE is high severity, none of the current process groups are using the vulnerable function of the org.apache.catalina package.

Figure 6: Vulnerable functions in use for CVE-2019-0232

Meanwhile, figure 7 shows the vulnerable functions view for CVE-2022-25857, a DoS vulnerability. In contrast to the CVE shown in figure 6, three process groups are currently using the vulnerable functions of the org.yaml.snakeyaml package.

Figure 7: Vulnerable functions view for CVE-2022-25857

Although both CVEs have a high-risk score of 7.5 as shown in the National Vulnerability Database (NVD), security teams should focus on fixing CVE-2022-25857 shown in Figure 7 since it poses a greater risk to the currently monitored environment.

Monitor for changes in vulnerable functions usage

While the vulnerable functions feature helps to prioritize remediating vulnerabilities, you can also use it to monitor changes in the behavior of process groups. A sudden spike in the usage of vulnerable functions that aren't typically used by the monitored process group in a software package could be an indicator of an ongoing exploit. In such a case, teams should check the specific process group.

Extending coverage of vulnerable functions

Currently, the Dynatrace third-party vulnerabilities feature covers 784 vulnerable functions from 254 different software packages. The top 10 software packages with the most vulnerable functions are shown in Table 1.

Table 1: Top 10 software packages with the most vulnerable functions in our vulnerability feeds

Package
1	org.springframework
2	org.bouncycastle
3	org.apache.tomcat
4	io.netty
5	org.eclipse.jetty
6	com.amazonaws
7	com.fasterxml.jackson
8	com.google.guava
9	org.hibernate
10	com.thoughtworks.xstream

The Dynatrace Threat Intelligence teams and the Snyk vulnerability feed are constantly extending the coverage of vulnerable functions in software components to provide the best insight for our customers. Figure 8 shows the growth of vulnerable functions coverage in 2024, and we are planning to further extend the number of CVEs where we provide vulnerable functions insights.

Figure 8: Continuous improvement in vulnerable functions coverage

On the Dynatrace webpage, you can learn more about our Runtime Vulnerability Analytics offering. See Dynatrace documentation for how to efficiently manage third-party vulnerabilities.

Public link

Please use the above public link if you want to share this noodl on another website.