How can I remediate this OpenSSL vulnerability?

LovingSplunk
Path Finder

We have this vulnerability on several forwarders -
OpenSSL 1.0.2 < 1.0.2zn Multiple Vulnerabilities
(https://www.tenable.com/plugins/nessus/296767)

Path: /opt/splunkforwarder/bin/openssl
Reported version : 1.0.2zm
Fixed version : 1.0.2zn

Path: /opt/splunkforwarder/lib/libcrypto.so.1.0.0
Reported version : 1.0.2zm
Fixed version : 1.0.2zn

Path: /opt/splunkforwarder/lib/libssl.so.1.0.0
Reported version : 1.0.2zm
Fixed version : 1.0.2zn

Interestingly, we also get this vulnerability on our Splunk SOAR -

Path: /opt/phantom/splunkforwarder/opt/openssl1/lib/libcrypto.so.1.0.0
Reported version: 1.0.2zl
Fixed version: 1.0.2zn

Path: /opt/phantom/splunkforwarder/opt/openssl1/lib/libssl.so.1.0.0
Reported version: 1.0.2zl
Fixed version: 1.0.2zn

What would be the recommended remediation for this?


PickleRick
SplunkTrust

As I always say - you don't _have_ the vulnerabilities, you have reports of vulnerabilities.

Has anyone in your organization bothered to check the vulnerability descriptions? And verify if there is any (significant) risk from them? Remember that risk is affected by potential loss as well as exposure and severity. Just because something lights up on Nessus doesn't mean that it constitutes a noteworthy risk. I'm in no way trying to downplay any specific single vulnerability because I didn't dig through them to check what they are about, but it's about the whole process itself. If your "vulnerability management" consists only of "ok, something in our Nessus report is not green - time to scold the admin team to make it green again", it's fundamentally broken.

Having said that - for all we know, Splunk has a custom agreement with the openssl maintenance team and products ship with custom versions of the library. They might or might not have backports of fixes and/or functionality differences vs. stock versions. This also means that deducing the existence of vulnerabilities just by comparing version numbers is very unreliable in this case.

And finally - you can't manually do anything with libraries shipped with Splunk products - they are part of the whole package and vulnerabilities (if applicable to the product) will usually be addressed as soon as possible, and fixed versions should ship with the next Splunk/SOAR/UF release.

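One read-only way to check what the flagged files actually embed before escalating a scanner finding, as an added example that is not part of either post above: it pulls the OpenSSL version string out of the paths quoted in the question and compares it with the scanner's fixed version using the 1.0.2 series' letter-suffix ordering (a..z, then za..zz). That suffix ordering and the `splunk cmd openssl version` command mentioned in the comments are assumptions not stated in the thread, and a version string below the fixed one only confirms what the scanner matched on, not whether Splunk backported the fix.

```shell
#!/bin/sh
# Added example (not from the post): confirm what the bundled OpenSSL files
# embed before treating a version-match finding as a confirmed exposure.

# Print the first "1.x.y<suffix>" OpenSSL version token embedded in a file.
# Libraries are binary, so -a makes grep treat the file as text. On a real
# host, "/opt/splunkforwarder/bin/splunk cmd openssl version" is the
# authoritative answer for the bundled binary; this is only a cross-check.
openssl_version_string() {
  grep -ao 'OpenSSL 1\.[0-9]\.[0-9][a-z]*' "$1" | head -n 1 | awk '{print $2}'
}

# Return 0 when 1.0.2 letter-suffixed version $1 is older than $2.
# The 1.0.2 series runs a..z and then za..zz, so a longer suffix is newer
# and equal-length suffixes compare alphabetically (1.0.2zm < 1.0.2zn).
openssl_1_0_2_older_than() {
  a=${1#1.0.2}; b=${2#1.0.2}
  [ "$a" = "$b" ] && return 1
  if [ ${#a} -ne ${#b} ]; then
    [ ${#a} -lt ${#b} ] && return 0
    return 1
  fi
  first=$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)
  [ "$first" = "$a" ] && return 0
  return 1
}

# Report one path: the version it embeds versus the scanner's "fixed" version.
# FLAGGED means the embedded string is below the fixed one; whether a fix was
# backported into that build is something only the vendor can confirm.
audit_path() {
  path=$1; fixed=$2
  if [ ! -f "$path" ]; then
    echo "MISSING  $path"; return 0
  fi
  found=$(openssl_version_string "$path")
  if [ -z "$found" ]; then
    echo "UNKNOWN  $path (no OpenSSL version string found)"
  elif openssl_1_0_2_older_than "$found" "$fixed"; then
    echo "FLAGGED  $path embeds $found, scanner wants $fixed"
  else
    echo "OK       $path embeds $found"
  fi
}

# Paths and fixed version copied from the Nessus output quoted in the question.
for p in /opt/splunkforwarder/bin/openssl \
         /opt/splunkforwarder/lib/libcrypto.so.1.0.0 \
         /opt/splunkforwarder/lib/libssl.so.1.0.0; do
  audit_path "$p" 1.0.2zn
done
```

Run it as the user that owns the forwarder install; it never writes to the files, and MISSING simply means the path from the report is not present on that host.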