
Disable OpenSSL

gsawyer1
Engager

What are all of the possible uses of OpenSSL with Splunk? If you wanted to disable OpenSSL or remove it from Splunk, what would the impact be? If minimal, how can this be done? This is in response to OpenSSL vulnerabilities identified in a recent CVE....

0 Karma

dwaddle
SplunkTrust

(Updated to remove previous advice about disabling OpenSSL... based on what @gkanapathy said, it's probably not feasible, even if it is possible)

I think there is probably a better question to be asked here, because OpenSSL is not the only dependent library that could have a patch come out for it. I have asked a similar, but more generalized question at http://answers.splunk.com/questions/6653/how-do-splunk-releases-integrate-security-patches-for-depen...

Update:

@araitz answered my related question, and included with it an excellent example:

Take the most recent OpenSSL vulnerability announcement as documented at http://www.openssl.org/news/secadv_20100601.txt: neither of these issues apply to the version of OpenSSL that ships with Splunk, as we do not compile with the CMS code and are not on version 1.0.0.

So, in the end, the most recent OpenSSL CVEs don't have an impact on Splunk at all...

gkanapathy
Splunk Employee

Well, to clarify, it is possible and feasible to not use SSL/OpenSSL in Splunk. All you have to do is set useSplunkdSSL to false (and not use it for other web ports). It is going to be used for some internal checks like validating trusted certs in distributed search and encrypting/decrypting hashes, but this doesn't expose OpenSSL to the outside.

0 Karma

dwaddle
SplunkTrust

I'm not sure it's appropriate to expect "official company statements" from the answers site - many of us who attempt to answer these questions don't work for Splunk (I don't). If you need an official answer, then you should open a support case. Your question, overall, is a good one but too focused. If you take your question and replace "OpenSSL" with "Python" - Splunk cannot function without Python, but the same question/need/principle applies. That is why I reworded your question into something more generalized that the Splunk support folks can comprehensively answer.

0 Karma

gsawyer1
Engager

I totally agree; something is better than nothing... Is that the Splunk company answer, then? Should we just wait for the next Splunk version, in hopes that it will include an updated, patched OpenSSL version? No other alternatives, without breaking Splunk functionality?

0 Karma

gkanapathy
Splunk Employee

Well, the communication into Splunkd by default is SSL. It's not clear to me that having plaintext communications is better than a "vulnerable" SSL, since most "vulnerabilities" simply mean that someone could do something to eavesdrop on or compromise communications, not take over your server; this problem would only be worse with plaintext.
