topic Re: Why is OPENSSL vulnerability still showing in latest release? in Security

Why is OPENSSL vulnerability still showing in latest release?

tsondo — Wed, 09 Aug 2023 16:30:00 GMT

Greetings,

We started seeing OPSNSSL vulnerabilities on all of our Splunk forwarders and the main engine this week. The advisory tells us we must use OPENSSL 3.0.8 or newer. Since OPENSSL is now on 3.1.2, I really thought the latest Splunk updates would fix the problem. I have just updated all forwarders to 9.1.0.1 and the main engine to 9.1.0.2, and it is now showing OPENSSL at 3.0.7. When will Splunk issue an update to address this and get OPENSSL to at least 3.0.8?

Re: Why is OPENSSL vulnerability still showing in latest release?

ClausBom — Tue, 22 Aug 2023 09:23:16 GMT

I'm getting punked for this from our Vuln.mgt team too. They refer to a " CVE-2023-3446 - OpenSSL 1.0.2 < 1.0.2zi Vulnerability".
Apparently, there's a file '/opt/splunk/lib/libcrypto.so.1.0.0' that existed for years, that all of a sudden is a problem to Nessus - but I can't find anything about it from Splunk?

I just tried to do an upgrade all the way from 6.5.2 to 9.1.0.2, but nothing changes - except the timestamp on the file.

Re: Why is OPENSSL vulnerability still showing in latest release?

tsondo — Tue, 22 Aug 2023 10:44:07 GMT

If no one from Splunk chimes in with an expected patch date I will put in an official ticket. I would hope that a vulnerability listed as severe would have their full attention by now.

Re: Why is OPENSSL vulnerability still showing in latest release?

josh_beverly — Thu, 24 Aug 2023 15:07:18 GMT

did anybody ever get an answer on this? i can also put a ticket in but im being hounded by security team to get this looked at. nessus is also the tool they're using to complain to us about it.

Re: Why is OPENSSL vulnerability still showing in latest release?

tsondo — Fri, 25 Aug 2023 05:29:27 GMT

No one has contacted me. I put in a support ticket today. I requested either an expected date for a newer version of OpenSSL to be added, or instructions on how to do it manually without compromising functionality or future upgrades. When I get an answer from them, I will post it.

Re: Why is OPENSSL vulnerability still showing in latest release?

ClausBom — Fri, 25 Aug 2023 06:24:40 GMT

I've raised a support ticket on this as well. I'll keep you updated on the outcome - if any 🤔

Re: Why is OPENSSL vulnerability still showing in latest release?

PickleRick — Fri, 25 Aug 2023 07:53:23 GMT

Tell your security team to obsess over something more relevant.

See the original OpenSSL advisory - https://www.openssl.org/news/secadv/20230719.txt

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available.

Your security team apparently didn't bother to verify what kind of vulnerability it was or if it was relevant in your situation in the first place. It's just the mechanical "we got a finding from our Nessus, we want to make you to get rid of it with no effort on our side, not even confirm that it's a real finding".

Re: Why is OPENSSL vulnerability still showing in latest release?

ClausBom — Fri, 25 Aug 2023 08:02:16 GMT

Well... if it wasn't for this line, in that advisory:

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

I guess I could tell them to focus on real problems... But Nessus complaints about $HOME/lib/libcrypto.so.1.0.0 in both Enterprise and Universal Forwarder - so they might have a right to obsess?
Splunk might not use this old stuff - but why isn't it removed then?

Re: Why is OPENSSL vulnerability still showing in latest release?

tsondo — Fri, 25 Aug 2023 08:15:39 GMT

In my case it is a DoD system and the openssl hits reference three nist concerns:

CVE-2023-2975

CVE-2023-3446

CVE-2023-3817

I linked the nist articles, but apparently that isn't allowed. You can search them out if you want to.

These are all considered medium vulnerabilities, except that under DoD the last one, authentication gets bumped up a notch because it is authentication related.

OpenSSL has already addressed them. The question is when will Splunk integrate them into their own install packages. Going back to DoD and saying that it really isn't a big deal and I'm not going to fix it won't fly.

The options are: get a vendor patch, get instructions from the vendor on how to patch it without an update, or update it without vendor support and hope you don't break anything.

Re: Why is OPENSSL vulnerability still showing in latest release?

PickleRick — Fri, 25 Aug 2023 10:55:57 GMT

Just because the _file_ is named libssl.so.1.0.0 it doesn't mean that the actual library version is that ancient. It's a naming convention for the linker so if a library with version 1.0.0. is requested, the file is used.

(12:49:37) (splunk@mon1:~)
$ grep -Poa '1\.0\.2\S+' /opt/splunk/lib/libssl.so.1.0.0 
1.0.2zg-fips
1.0.2zg-fips
1.0.2zg-fips
1.0.2zg-fips
(12:50:09) (splunk@mon1:~)
$ /opt/splunk/bin/splunk cmd openssl version
OpenSSL 1.0.2zg-fips 7 Feb 2023
(12:50:15) (splunk@mon1:~)
$ cat /opt/splunk/etc/splunk.version 
VERSION=9.1.0.2
BUILD=b6436b649711
PRODUCT=splunk
PLATFORM=Linux-x86_64

Which corresponds to https://advisory.splunk.com/advisories/SVD-2023-0613

(same goes for UFs - see https://advisory.splunk.com/advisories/SVD-2023-0614 )

EDIT: Nessus is notorious for flagging hosts as vulnerable only by checking the reported file/package version which is annoying in case of distros which backport fixes into earlier versions (debian stable?). And security teams are notorious for not checking the actual findings 😉

Re: Why is OPENSSL vulnerability still showing in latest release?

ClausBom — Wed, 30 Aug 2023 07:12:00 GMT

So, answer from Splunk Support:

You should not remove file libcrypto.so.1.0.0, it is part of libraries. This file exists in fresh new 9.1.0.2 Splunk installation too, so it is not part of old upgrade.

Splunk version 9.1.0.2 uses OpenSSL 1.0.2zg.

Topic about CVE-2023-3446 vulnerability was send to developer team.

In the meantime, Tennable apparently found out, that they'd been a bit premature... OpenSSL disappeared from their scannings... 🙄😤

Re: Why is OPENSSL vulnerability still showing in latest release?

mp1 — Wed, 06 Mar 2024 11:21:26 GMT

yes, still we observed vulnerability openssl libraries files having 1.0.2zi FIPS with latest SplunkForwarder 9.2.0.1 as below.

# cat /opt/splunkforwarder/etc/splunk.version
VERSION=9.2.0.1
BUILD=d8ae995bf219
PRODUCT=splunk
PLATFORM=Linux-x86_64

Library files

r-xr-xr-x. 1 splunk splunk 475784 Feb 7 00:48 libssl.so.1.0.0

r-xr-xr-x. 1 splunk splunk 2996816 Feb 7 00:48 libcrypto.so.1.0.0

How to mitigate this vulnerability ?

Re: Why is OPENSSL vulnerability still showing in latest release?

PickleRick — Wed, 06 Mar 2024 12:09:21 GMT

Have you read anything that has been written in this thread? Have you checked what openssl version is used here? (I'm talking about the actual library version, not the filename).

How have you "observed vulnerability"? Again - Nessus "detected" it by checking filename?

I'm all for vulnerability scanning but it should be performed properly, not just "run scanner with default settings and assume every finding is a true positive".

Re: Why is OPENSSL vulnerability still showing in latest release?

TarnishedMalwar — Tue, 12 Mar 2024 16:53:21 GMT

I have the UFW 9.2.0.1 and still got the OpenSSL 1.0.2zi-fips, it's def not the same version you are pointing here. And to be sure I checked runing the splunk cmd openssl version.

Re: Why is OPENSSL vulnerability still showing in latest release?

fatsug — Tue, 28 May 2024 11:15:56 GMT

Yeah, the scanner is now primarily complaining about OpenSSL 1.0.2 being EOL (OpenSSL SEoL (1.0.2.x)), which also then means there are associated CVEs.

$ /opt/splunk/bin/splunk cmd openssl version
OpenSSL 1.0.2zi-fips 1 Aug 2023

So this is clearly an outdated version of OpenSSL being shipped with Splunk Enterprise 9.2.0.1

So the question is still valid, why ship splunk with an EOL version of OpenSSL?

Re: Why is OPENSSL vulnerability still showing in latest release?

tsondo — Tue, 28 May 2024 12:25:57 GMT

I found an answer for this. If you check out openssl.org, the version is not actually EOL for PREMIUM customers, which Splunk is. An annotation in the findings checklist should suffice.

Hope that helps.

Re: Why is OPENSSL vulnerability still showing in latest release?

fatsug — Wed, 29 May 2024 07:34:46 GMT

Sure, that allows me to snooze the alert. How can I validate this information, is this documented somewhere?

Re: Why is OPENSSL vulnerability still showing in latest release?

tsondo — Wed, 29 May 2024 08:21:20 GMT

As I said, go to openssl.org. The information is there.

Re: Why is OPENSSL vulnerability still showing in latest release?

fatsug — Wed, 29 May 2024 08:31:53 GMT

Yes and no. I guess my question could have been a bit more concrete and clear.

It does list the details regarding premium services ([ Contracts ] - /support/contracts.html (openssl.org)) inkluding LTS for 1.0.2.

But it does not list any premium customers. I'm struggling to validate that the LTS versions is what is shipped with Splunk. I have not found information documenting this as a fact by Splunk representatives yet.

If you can point me to the documentation regaring Splunk being a premium customer I'd appreciate it very much. Then I have something to lean on while ignoring the alerts 🙂

Re: Why is OPENSSL vulnerability still showing in latest release?

tsondo — Wed, 29 May 2024 09:02:09 GMT

Ok, that's what was missing! So I deduced it from the following information:

From OpenSSL.Org:

****

OpenSSL 1.0.2 is out of support since 1st January 2020 and is no longer receiving updates. Extended support is available from OpenSSL Software Services for premium support customers.

CVE-2024-0727 - Fixed in OpenSSL 1.0.2zj (premium support) (Affected since 1.0.2)

****

Since only premium customers get 1.0.2.zj, and Splunk has it, they are therefore a Premium customer.