Disable OpenSSL

gsawyer1
Engager

What are all of the possible uses of OpenSSL with Splunk? If you wanted to disable OpenSSL or remove it from Splunk, what would the impact be? If minimal, how can this be done? This is in response to OpenSSL vulnerabilities identified in a recent CVE...

0 Karma

dwaddle
SplunkTrust

(Updated to remove previous advice about disabling OpenSSL... based on what @gkanapathy said, it's probably not feasible, even if it is possible)

I think there is probably a better question to be asked here, because OpenSSL is not the only dependent library that could have a patch come out for it. I have asked a similar, but more generalized question at http://answers.splunk.com/questions/6653/how-do-splunk-releases-integrate-security-patches-for-depen...

Update:

@araitz answered my related question, and included with it an excellent example:

Take the most recent OpenSSL vulnerability announcement as documented at http://www.openssl.org/news/secadv_20100601.txt: neither of these issues apply to the version of OpenSSL that ships with Splunk, as we do not compile with the CMS code and are not on version 1.0.0.

So, in the end, the most recent OpenSSL CVEs don't have an impact on Splunk at all...

gkanapathy
Splunk Employee

Well, to clarify, it is possible and feasible to not use SSL/OpenSSL in Splunk. All you have to do is set useSplunkdSSL to false (and not use it for other web ports). It is going to be used for some internal checks like validating trusted certs in distributed search and encrypting/decrypting hashes, but this doesn't expose OpenSSL to the outside.

0 Karma

dwaddle
SplunkTrust

I'm not sure it's appropriate to expect "official company statements" from the answers site - many of us who attempt to answer these questions don't work for Splunk (I don't). If you need an official answer, then you should open a support case. Your question, overall, is a good one but too focused. If you take your question and replace "OpenSSL" with "Python" - Splunk cannot function without Python, but the same question/need/principle applies. That is why I reworded your question into something more generalized that the Splunk support folks can comprehensively answer.

0 Karma

gsawyer1
Engager

I totally agree; something is better than nothing... Is that the Splunk company answer, then? Should we just wait for the next Splunk version, in hopes that it will include an updated, patched OpenSSL version? No other alternatives, without breaking Splunk functionality?

0 Karma

gkanapathy
Splunk Employee

Well, the communication into Splunkd by default is SSL. It's not clear to me that having plaintext communications is better than a "vulnerable" SSL, since most "vulnerabilities" simply mean that someone could do something to eavesdrop on or compromise communications, not take over your server; this problem would only be worse with plaintext.
