Improved attack detection for command injections and JNDI injections.
Entry point information for code-level vulnerabilities
Application Security | Vulnerabilities
Every detected code-level vulnerability now shows all application paths through which a user could potentially exploit the vulnerability. This helps developers and security engineers evaluate the vulnerability and verify a potential fix.
The code-level vulnerability details page now shows the entry points (URLs/paths) and the user-supplied inputs (such as HTTP parameters) that can be abused.
Enabled event ingest on OneAgent localhost interface
Infrastructure Monitoring | Events
Event ingest (similar to log and metric ingest) is enabled on the OneAgent localhost interface.
The OneAgent JavaScript module's signature check is temporarily disabled by default. This was done to mitigate high network traffic between the cluster and OneAgent caused by JavaScript agents older than 2 years having an out-of-date signature, which resulted in an invalid signature check. In a follow-up issue, we will update the signature checking mechanism and enable the signature check as the default again. (OA-19400)
Injection of the OneAgent IIB code module is no longer reported as failed for platforms where it is not supported. (OA-17439)
OS module
Fixed high agent CPU usage on hosts with high network traffic. (HOST-3156)
Fixed an issue where disk exclusion rules were applied only to local disks. (HOST-3221)
Fixed an issue where, from time to time, network shares showed usage spikes with throughput reported in PiB/s. (HOST-3218)
Fixed Node.js technology detection for the process running inside a container. (HOST-3139)
Fixed an issue where `df` did not spawn a process correctly even after it stopped being spawned, which could result in disk metrics not being updated. (HOST-3155)
Excluded administrative and local shares from statistics for network shares. (HOST-3219)
OneAgent OS module will now time out after 2s when stuck on WMI class access. (HOST-3122)
Disabled Windows network drive monitoring in response to API hanging in certain scenarios. (HOST-3206)
Java
Resolved an issue that, after OneAgent upgrade, caused a NullPointerException in jdk.internal.net.http.HttpClient when lowercase headers for X-dynaTrace were present. (OA-18008)
.NET
AspNet sensor: improved handling for retrieving context in ASP-hosted WCF apps. (OA-19004)
Improved robustness of OneAgent version detection for .NET Core. (OA-18430)
Improved stability of the .NET code-level vulnerability/attack evaluation OneAgent feature. (OA-18007)
Improved queue name detection for OneAgent code module for .NET MSMQ monitoring. (OA-17904)
Improved stability of the .NET code-level vulnerability/attack evaluation OneAgent feature. (OA-18405)
Improved OneAgent .NET code module stability following the Microsoft security update for .NET framework 3.5. (OA-18223)
PHP
Resolved an issue that caused a `500 internal server error` when signing in with PHP deep monitoring enabled. (OA-18507)
Node.js
Corrected an issue that sometimes caused OneAgent to fail to retrieve the MongoDB hostname from the configuration URL in calls to a MongoDB database, which resulted in those calls appearing as unexpected services in the Dynatrace web UI. (OA-16588)
Fixed a memory leak caused by the Node.js code module, which was introduced by a module-internal optimization (since reverted). (OA-19275)
OpenTracing module
Envoy: fixed `overwritten1.http.status_code` occurring in Grail. For Envoy spans, in addition to `http.status_code`, a stray attribute `overwritten1.http.status_code` was occurring. Now only one `http.status_code` (type integer) occurs. (OA-17243)
NGINX
NGINX instrumentation has been updated to stay current with NGINX 1.25. (OA-17247)
Update 166 (Build 1.269.166)
This cumulative update contains 3 resolved issues and all previously released updates for the 1.269 release.
Fixed a bug where if a Request object was used in a fetch call, the agent did not set any correlation headers on it. (RUM-11308)
Fixed issues with `sendEvent` working with generated objects. Objects generated via a class or instantiated with `new` can now be sent using the `sendEvent` and `sendBizEvent` APIs. (RUM-11430)
Fixed an issue where a call to `dtrum.getAndEvaluateMetaData()` would provide a stale "info" property about the captured value, causing ambiguous results. (RUM-11139)
Session Replay
Fixed a Session Replay issue that caused the initial value of a select HTML element not to be displayed correctly when replaying a session. (SR-2309)
Update 217 (Build 1.269.217)
This cumulative update contains 1 resolved issue and all previously released updates for the 1.269 release.
JavaScript
Fixed an issue where the regex provided for setting the x-dtc header was ignored when matching against the host name for same-origin XHR/fetch requests. (RUM-11838)