Security

CVE-2024-5535 - OpenSSL 1.0.2zk Vulnerability

gschleusener
Engager

Hi,

I can see Splunk is vulnerable to OpenSSL 1.0.2zk. I've applied the latest 9.2.2 on Splunk Enterprise and the Universal Forwarder, and they are still running the older 1.0.2zj version.

Any ideas when this will be remediated?

OpenSSL Bulletin on 26 June
[ Vulnerabilities ] - /news/vulnerabilities-1.0.2.html (openssl.org)

From the Splunk advisory, the latest OpenSSL-related update was in March, for the zj version.


PickleRick
SplunkTrust

OK. Let me quote from the OpenSSL vulnerability description.

"Impact summary: A buffer overread can have a range of potential consequences such as unexpected application behaviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application."

Read the last sentence. Over and over again. If unsure - verify if you can exploit this potential vulnerability. Otherwise, stop worrying about this.
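As an added example (not code from the thread, from Splunk, or from OpenSSL): the input check a calling application would apply before handing its client protocol list to SSL_select_next_proto, written as a stand-alone C function. It parses the length-prefixed wire format that ALPN/NPN lists use and rejects the one input the advisory above names as the trigger, a zero-length list, along with truncated or empty entries. It does not link against OpenSSL; the sample lists are constructed for illustration.

```c
#include <stddef.h>

/* Validate a protocol list in the wire format used by ALPN/NPN and expected by
 * OpenSSL's SSL_select_next_proto(): a sequence of entries, each one byte of
 * length followed by that many bytes of protocol name.
 * Returns the number of entries (>= 1) when the list is non-empty and
 * well-formed, and 0 otherwise. A zero-length list is exactly the input the
 * CVE-2024-5535 advisory says the caller must never pass, so it is rejected
 * here, as is any entry whose length is zero or runs past the buffer. */
int protolist_entries(const unsigned char *list, unsigned int len)
{
    unsigned int i = 0;
    int count = 0;

    if (list == NULL || len == 0)
        return 0;               /* empty list: do not pass to SSL_select_next_proto */

    while (i < len) {
        unsigned int entry_len = list[i];
        if (entry_len == 0 || i + 1 + entry_len > len)
            return 0;           /* empty or truncated entry: malformed list */
        i += 1 + entry_len;
        count++;
    }
    return count;
}

/* Constructed sample lists (not taken from the thread). */
static const unsigned char GOOD_LIST[] = {
    2, 'h', '2',
    8, 'h', 't', 't', 'p', '/', '1', '.', '1'
};
static const unsigned char TRUNCATED_LIST[] = {
    2, 'h', '2',
    8, 'h', 't', 't', 'p'       /* claims 8 bytes, only 4 present */
};
```

Only when this function returns a positive count should the list reach SSL_select_next_proto; otherwise treat it as the configuration or programming error the advisory describes.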

vsrigane
Explorer

We are also flagged by this Patch Vulnerability by our Tenable Scanning Results on Compliance Portal.

We were under an assumption that the Splunk Universal Forwarder release of Version 9.2.2 will have this fix incorporated, but apparently seems like that is not the case.

Any idea when we could expect a fix for this, as the due date for this exposure has already passed (July 28th 2024)?

Thanks,

Vishwa

reddsbaron
Observer

So if I am running 9.3.1 and Tenable is still flagging this, what was the solution, or is there a fix for this so it does not show up in the scan?

PickleRick
SplunkTrust

Yes. Define exception in Nessus.
