How can I remediate this OpenSSL vulnerability?

LovingSplunk
Path Finder

We have this vulnerability on several forwarders -
OpenSSL 1.0.2 < 1.0.2zn Multiple Vulnerabilities
(https://www.tenable.com/plugins/nessus/296767)

Path: /opt/splunkforwarder/bin/openssl
Reported version : 1.0.2zm
Fixed version : 1.0.2zn

Path: /opt/splunkforwarder/lib/libcrypto.so.1.0.0
Reported version : 1.0.2zm
Fixed version : 1.0.2zn

Path: /opt/splunkforwarder/lib/libssl.so.1.0.0
Reported version : 1.0.2zm
Fixed version : 1.0.2zn

Interestingly, we also get this vulnerability on our Splunk SOAR -

Path: /opt/phantom/splunkforwarder/opt/openssl1/lib/libcrypto.so.1.0.0
Reported version: 1.0.2zl
Fixed version: 1.0.2zn

Path: /opt/phantom/splunkforwarder/opt/openssl1/lib/libssl.so.1.0.0
Reported version: 1.0.2zl
Fixed version: 1.0.2zn

What would be the recommended remediation for this?

0 Karma

PickleRick
SplunkTrust

As I always say - you don't _have_ the vulnerabilities, you have reports of vulnerabilities.

Has anyone in your organization bothered to check the vulnerability descriptions? And verify if there is any (significant) risk from them? Remember that risk is affected by potential loss as well as exposure and severity. Just because something lights up on Nessus doesn't mean that it constitutes a noteworthy risk. I'm in no way trying to downplay any specific single vulnerability because I didn't dig through them to check what they are about but it's about the whole process itself. If your "vulnerability management" consists only of "ok, something in our Nessus report is not green - time to scowl at the admin team to make it green again", it's fundamentally broken.

Having said that - for all we know, Splunk has a custom agreement with openssl maintenance team and products ship with custom versions of the library. They might or might not have backports of fixes and/or functionality differences vs. stock versions. This also means that deducing the existence of vulnerabilities just by comparing version numbers is very unreliable in this case.

And finally - you can't manually do anything with libraries shipped with Splunk products - they are part of the whole package and vulnerabilities (if applicable to the product) will usually be addressed as soon as possible and fixed versions should ship with the next Splunk/SOAR/UF release.

0 Karma
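Added example (not part of either post, and not Splunk or Tenable code): it parses findings in the format quoted in the question, orders OpenSSL letter releases, and routes each finding by the install tree that owns the file. The `VENDOR_TREES` mapping, the function names and the `/usr/lib64` finding are assumptions constructed for illustration.

```python
import re
# Assumption: directory trees owned by a vendor package, taken from the
# paths quoted in the question. Extend for your own estate.
VENDOR_TREES = {
    "/opt/splunkforwarder/": "Splunk Universal Forwarder",
    "/opt/phantom/": "Splunk SOAR",
}
FINDING_RE = re.compile(
    r"Path\s*:\s*(?P<path>\S+)\s+"
    r"Reported version\s*:\s*(?P<reported>\S+)\s+"
    r"Fixed version\s*:\s*(?P<fixed>\S+)"
)

def version_key(version):
    """Sort key for OpenSSL letter releases: 1.0.2z < 1.0.2za < 1.0.2zn."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return (numbers, len(m.group(2)), m.group(2))

def triage(report):
    """Parse scanner output and route each finding to the team that can act."""
    findings = []
    for m in FINDING_RE.finditer(report):
        owner = next((p for pre, p in VENDOR_TREES.items() if m["path"].startswith(pre)), None)
        findings.append({
            "path": m["path"],
            "owner": owner,
            # Banner comparison only; it cannot see fixes backported by a vendor.
            "banner_below_fixed": version_key(m["reported"]) < version_key(m["fixed"]),
            "route": f"upgrade {owner}" if owner else "update OS package",
        })
    return findings

# Two findings from the question plus one constructed OS-level finding.
SAMPLE = """
Path: /opt/splunkforwarder/lib/libssl.so.1.0.0
Reported version : 1.0.2zm
Fixed version : 1.0.2zn

Path: /opt/phantom/splunkforwarder/opt/openssl1/lib/libcrypto.so.1.0.0
Reported version: 1.0.2zl
Fixed version: 1.0.2zn

Path: /usr/lib64/libcrypto.so.1.0.0
Reported version: 1.0.2k
Fixed version: 1.0.2zn
"""
```

Calling `triage(SAMPLE)` returns one dictionary per finding, so files bundled inside a product tree are separated from libraries the OS package manager can update.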