topic Re: When will Splunk address the OpenSSL vulnerability issue (CVE-2016-2107; OpenSSL <1.0.2h)? in Splunk Enterprise

When will Splunk address the OpenSSL vulnerability issue (CVE-2016-2107; OpenSSL <1.0.2h)?

dwhill — Mon, 20 Jun 2016 14:46:33 GMT

Splunk 6.4.1 is linked against OpenSSL 1.0.2g which has a security flaw (CVE-2016-2107). When will Splunk with fixed OpenSSL (1.0.2h) be available?

tchimento_splun — Mon, 20 Jun 2016 23:18:54 GMT

Our next maintenance release will include the 1.0.2h version.

dwhill — Tue, 21 Jun 2016 14:04:45 GMT

When is the next maintenance release scheduled for?

tchimento_splun — Wed, 22 Jun 2016 16:05:44 GMT

We are targeting the release for the second or third week of July. All such release dates may change if unanticipated issues arise.

jfeitosa — Fri, 08 Jul 2016 18:12:21 GMT

I have the same problem, and other vulnerabilities found in communication between the Universal Forwarder and Splunk Manager.

Does anyone know how to mitigate these vulnerabilities? Force use TLS? How do correctly?

Tks

dewald13 — Tue, 12 Jul 2016 17:59:13 GMT

6.4.2 is now released and looks to still have 1.0.2g.............still not fixed

tchimento_splun — Tue, 12 Jul 2016 23:16:22 GMT

Exactly what did you download and from where? We just confirmed that 6.4.2 is using OpenSSL 1.0.2h for both Linux and for Windows.

dewald13 — Wed, 13 Jul 2016 12:42:23 GMT

I was looking here http://docs.splunk.com/Documentation/Splunk/6.4.2/ReleaseNotes/OpenSSL which states 6.4.2 still has v1.0.2g. But I did install last night and you are correct, it is running 1.0.2h

thanks for the quick response