I subscribe to an RSS feed for Splunk CVEs and diligently keep my security team in the loop regarding Splunk vulnerabilities. Since I've taken over the Splunk administrator role at my company, I've upgraded everything Splunk except some 6.4 UFs. The documentation states:
Before you upgrade, consider whether you really need to. In most cases, you do not have to upgrade a forwarder. Forwarders are always compatible with later versions of indexers, so you do not need to upgrade them just because you have upgraded the indexers that they send data to.
My question is:
Should I upgrade my UFs? Have there been significant threats since 6.4 that do affect forwarders? If not, is there a blurb (honestly, I'll accept a Splunk Answers blurb) or link out there that I can send my security team to keep them happy?
Hey @nick405060 ,
There are different reasons why you would want to upgrade your forwarders:
Version compatibility - If you are using the same version for all the components, then it should be fine for you. However, check this link: https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Compatibilitybetweenforwardersandin...
Security updates, if there are any - Splunk security portal announcements
New feature updates or bug fixes
Let me know if this helps!!
To be honest, I was kind of looking for a tl;dr regarding security threats and forwarders. I diligently read all CVEs, but obviously haven't read all that have been released since 6.4.
There is a tradeoff between operational effort and security. Upgrading UFs is quite a difficult process operationally in many organisations due to difficulties like standardisation, OS compatibility, etc. But if this is all easy in your organisation, it is much better to put in place a path of UF upgrades every 6 months.
The second aspect, I feel, is reducing the footprint of the UF.
1. For example, many organisations install the UF with a lot of privileges, like "admin" on Windows or extra privileges on Linux systems. If you configure the correct level of permissions, read-only access to just the relevant files, the security footprint is reduced a lot.
2. Loopback the management port. This is quite important to ensure that the management port (e.g. 8089) of your UF is NOT exposed outside the client OS. This way any threat to access and modify the UF is stopped externally. Since the connection is initiated by the UF towards the Splunk servers, there is no need to expose any ports for the UF.
3. Ensure your Splunk main servers are the same or a higher version than the UF. So if you follow a time-based model for upgrading the UF, ensure the master servers are upgraded as a prerequisite.
4. Try as much as possible to have a single version of the UF across the whole estate (e.g. 7.2.4 across all Windows/Linux/Solaris etc.). This way standardisation becomes easy. This is a hard feat to achieve in many organisations due to old OSes, CPU architectures, etc.
Taking all into account, my suggestion is that it is all up to your organisation to weigh operational difficulties vs security.
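Points 2 and 3 of the answer above can be checked mechanically. The script below is an added example, not Splunk's own tooling and not code from the poster: it parses the INI-style .conf files a universal forwarder reads and reports whether the management port is bound to loopback (web.conf `[settings] mgmtHostPort`) or switched off (server.conf `[httpServer] disableDefaultPort`), and whether the forwarder version is newer than the indexer it sends to. The sample configuration strings are constructed for the example; the assumption that an absent `mgmtHostPort` should be treated as "unrestricted" until verified on the host with `netstat`/`ss` is the author's, not a statement about Splunk's defaults.

```python
import configparser

# Constructed sample configs (not copied from any real host).
STOCK_SERVER_CONF = "[general]\nserverName = host01\n"          # typical fresh UF
STOCK_WEB_CONF = ""                                              # no web.conf at all
HARDENED_WEB_CONF = "[settings]\nmgmtHostPort = 127.0.0.1:8089\n"  # point 2: loopback
DISABLED_SERVER_CONF = "[httpServer]\ndisableDefaultPort = true\n"  # point 2: port off

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}.

    Splunk keys are case sensitive, so optionxform is left as identity;
    interpolation is off because values may contain '%' and '$'.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def is_true(value):
    """Splunk accepts several spellings of a boolean true."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def mgmt_port_exposure(server_conf, web_conf):
    """Classify the UF management port as 'disabled', 'loopback' or 'unrestricted'."""
    http = server_conf.get("httpServer", {})
    if is_true(http.get("disableDefaultPort", "false")):
        return "disabled"
    bind = web_conf.get("settings", {}).get("mgmtHostPort", "")
    if bind:
        host, _, _port = bind.rpartition(":")   # handles "[::1]:8089" as well
        if host in LOOPBACK_HOSTS:
            return "loopback"
    # Assumption made for this example: anything not explicitly bound to
    # loopback or disabled is reported as unrestricted and must be checked
    # on the host itself (netstat/ss), rather than trusting a default.
    return "unrestricted"


def version_tuple(version):
    """'7.2.4' -> (7, 2, 4), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def indexer_accepts_forwarder(uf_version, indexer_version):
    """Point 3: forwarders talk to indexers of the same or a later version,
    so the indexer must not be older than the forwarder."""
    return version_tuple(indexer_version) >= version_tuple(uf_version)


def audit(server_conf_text, web_conf_text, uf_version, indexer_version):
    """Run both checks and return the classification plus a list of findings."""
    server_conf = parse_conf(server_conf_text)
    web_conf = parse_conf(web_conf_text)
    findings = []
    exposure = mgmt_port_exposure(server_conf, web_conf)
    if exposure == "unrestricted":
        findings.append("management port is neither loopback-only nor disabled")
    if not indexer_accepts_forwarder(uf_version, indexer_version):
        findings.append(f"UF {uf_version} is newer than indexer {indexer_version}")
    return {"mgmt_port": exposure, "findings": findings}


if __name__ == "__main__":
    # A 6.4 UF sending to 7.2.4 indexers, as in the question: version is fine,
    # but the stock config leaves the management port unrestricted.
    print(audit(STOCK_SERVER_CONF, STOCK_WEB_CONF, "6.4.0", "7.2.4"))
    # Hardened forwarder at the same version as the indexers: no findings.
    print(audit(DISABLED_SERVER_CONF, HARDENED_WEB_CONF, "7.2.4", "7.2.4"))
```

Point the `audit` call at the real `$SPLUNK_HOME/etc/system/local/server.conf` and `web.conf` of a forwarder (read the files into strings) to use it on an actual host; the configuration parsing deliberately ignores `$SPLUNK_HOME/etc/apps/*/local` layering, so a deployment app that overrides these stanzas must be merged in first.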
The official response from Splunk Support is to upgrade forwarders only when a new feature is in the new version and the client needs it.
While not CVE related, there were changes to SSL based on some security concerns around SSL. See Compatibility between forwarders and Splunk Enterprise indexers for more details.
Additionally, if forwarders fall out of support you would want to do upgrades to stay in support. Like an insurance policy - upgrade so you can get support but hopefully you'll never need it. Stay tuned to the official SPLUNK SOFTWARE SUPPORT POLICY in case such information ever gets published.