https://community.splunk.com/t5/Splunk-Enterprise/threat-Sharing-Report-CVE-2021-44228-Apache-Log4j-RCE/m-p/578326#M10952 <P>The blog posting at&nbsp;<A href="https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html" target="_blank">https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html</A>&nbsp;should answer your question.</P> Tue, 14 Dec 2021 14:08:06 GMT richgalloway 2021-12-14T14:08:06Z https://community.splunk.com/t5/Splunk-Enterprise/threat-Sharing-Report-CVE-2021-44228-Apache-Log4j-RCE/m-p/578304#M10950 <P>Hi Team,</P><P>&nbsp;</P><P>I am checking for the update that if the Splunk application is also exposed to threat due to&nbsp;Vulnerability - &nbsp;Apache Log4j.&nbsp;</P><P>Please let us know the work around if there is any impact.</P><P>Thanks</P><P>User</P> Tue, 14 Dec 2021 11:37:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/threat-Sharing-Report-CVE-2021-44228-Apache-Log4j-RCE/m-p/578304#M10950 sauravkumar702 2021-12-14T11:37:57Z https://community.splunk.com/t5/Splunk-Enterprise/threat-Sharing-Report-CVE-2021-44228-Apache-Log4j-RCE/m-p/578326#M10952 <P>The blog posting at&nbsp;<A href="https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html" target="_blank">https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html</A>&nbsp;should answer your question.</P> Tue, 14 Dec 2021 14:08:06 GMT https://community.splunk.com/t5/Splunk-Enterprise/threat-Sharing-Report-CVE-2021-44228-Apache-Log4j-RCE/m-p/578326#M10952 richgalloway 2021-12-14T14:08:06Z https://community.splunk.com/t5/Splunk-Enterprise/threat-Sharing-Report-CVE-2021-44228-Apache-Log4j-RCE/m-p/578329#M10953 <P><EM>I am checking for the update that if the Splunk application is also exposed to threat due to&nbsp;Vulnerability - &nbsp;Apache Log4j.</EM></P><P><SPAN>&nbsp;Yes, These Splunk Products are impacted:<BR />(in simple, Splunk Enterprise, with Data Federated Search(DFS) feature utilized, is impacted)</SPAN></P><TABLE border="1" width="100%" cellspacing="0" cellpadding="0"><TBODY><TR><TD><STRONG>Product</STRONG></TD><TD><STRONG>Cloud/On-Prem</STRONG></TD><TD><STRONG>Impacted Versions</STRONG></TD><TD><STRONG>Fixed Version</STRONG></TD><TD><STRONG>Workaround</STRONG></TD></TR><TR><TD>Add-On: Java Management Extensions</TD><TD>Both</TD><TD>5.2.0 and previous</TD><TD>Pending</TD><TD>TBD</TD></TR><TR><TD>Add-On: JBoss</TD><TD>Both</TD><TD>3.0.0, 2.1.0</TD><TD>Pending</TD><TD>TBD</TD></TR><TR><TD>Add-On: Tomcat</TD><TD>Both</TD><TD>3.0.0, 2.1.0</TD><TD>Pending</TD><TD>TBD</TD></TR><TR><TD>Data Stream Processor</TD><TD>On-Prem</TD><TD>DSP 1.0.x, DSP 1.1.x, DSP 1.2.x</TD><TD>Pending</TD><TD>TBD</TD></TR><TR><TD>IT Essentials Work</TD><TD>Both</TD><TD>4.11, 4.10.x (Cloud only), 4.9.x</TD><TD>4.11.1, 4.10.3, additional versions pending for release early this week</TD><TD>TBD</TD></TR><TR><TD>IT Service Intelligence (ITSI)</TD><TD>Both</TD><TD>4.11.0, 4.10.x (Cloud only), 4.9.x, 4.8.x (Cloud only), 4.7.x, 4.6.x, 4.5.x</TD><TD>4.11.1, 4.10.3, additional versions pending for release early this week</TD><TD>TBD</TD></TR><TR><TD>Splunk Connect for Kafka</TD><TD>On-Prem</TD><TD>2.0.3</TD><TD>2.0.4</TD><TD>Released the patched version on 12/11/21</TD></TR><TR><TD><U><STRONG>Splunk Enterprise</STRONG></U></TD><TD>On-Prem</TD><TD>All supported non-Windows versions of 8.1.x and 8.2.x<SPAN>&nbsp;</SPAN><STRONG>only if<SPAN>&nbsp;</SPAN></STRONG>DFS is used. See<SPAN>&nbsp;</SPAN><STRONG>Removing Log4j from Splunk Enterprise</STRONG><SPAN>&nbsp;</SPAN>below for guidance on unsupported versions.</TD><TD>8.1.7.1, 8.2.3.2</TD><TD>See<SPAN>&nbsp;</SPAN><STRONG>Removing Log4j from Splunk Enterprise</STRONG><SPAN>&nbsp;</SPAN>section below</TD></TR><TR><TD>Splunk Enterprise Amazon Machine Image (AMI)</TD><TD>On-Prem</TD><TD>See Splunk Enterprise</TD><TD>Pending</TD><TD>TBD</TD></TR><TR><TD>Splunk Enterprise Docker Container</TD><TD>On-Prem</TD><TD>See Splunk Enterprise</TD><TD>Pending</TD><TD>TBD</TD></TR><TR><TD>Splunk Logging Library for Java</TD><TD>On-Prem</TD><TD>1.11.0</TD><TD>1.11.1</TD><TD>TBD</TD></TR><TR><TD>Stream Processor Service</TD><TD>Cloud</TD><TD>Current</TD><TD>Pending</TD><TD>TBD</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><EM>Please let us know the work around if there is any impact.</EM></P><P><STRONG>Removing Log4j from Splunk Enterprise</STRONG></P><P>If the Splunk Enterprise instance does not leverage DFS, the presence of those libraries does not introduce an active attack vector. Out of an abundance of caution, you may remove the unused jar files from your Splunk Enterprise instances in the following paths:</P><UL><LI>$SPLUNK_HOME/bin/jars/vendors/spark</LI><LI>$SPLUNK_HOME/bin/jars/vendors/libs/splunk-library-javalogging-*.jar</LI><LI>$SPLUNK_HOME/bin/jars/SplunkMR*</LI><LI>$SPLUNK_HOME/bin/jars/thirdparty/hive*</LI><LI>$SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars/*</LI></UL><P>Upon removal of these jar files, an administrator may see errors at Splunk startup pertaining to file integrity, specific to these jar files. These are expected as you are removing these unused jar files as a workaround. These errors may be ignored.&nbsp;</P><P>*Since a Splunk Heavyweight Forwarder (HWF) is a full-instance copy of Splunk Enterprise with forwarding enabled, the above mitigation may also be applied to HWF instances.</P><P>&nbsp;</P><P>| makeresults&nbsp; - If this reply helped you, a karma point would be appreciated, thanks.&nbsp;</P> Tue, 14 Dec 2021 14:25:26 GMT https://community.splunk.com/t5/Splunk-Enterprise/threat-Sharing-Report-CVE-2021-44228-Apache-Log4j-RCE/m-p/578329#M10953 inventsekar 2021-12-14T14:25:26Z