What are all of the possible uses of OpenSSL with Splunk? If you wanted to disable OpenSSL or remove it from Splunk, what would the impact be? If minimal, how can this be done? This is in response to OpenSSL vulnerabilities identified in a recent CVE....
(Updated to remove previous advice about disabling OpenSSL... based on what @gkanapathy said, it's probably not feasible, even if it is possible)
I think there is probably a better question to be asked here, because OpenSSL is not the only dependent library that could have a patch come out for it. I have asked a similar, but more generalized question at http://answers.splunk.com/questions/6653/how-do-splunk-releases-integrate-security-patches-for-depen...
@araitz answered my related question, and included with it an excellent example:
Take the most recent OpenSSL vulnerability announcement as documented at http://www.openssl.org/news/secadv_20100601.txt: neither of these issues apply to the version of OpenSSL that ships with Splunk, as we do not compile with the CMS code and are not on version 1.0.0.
So, in the end, the most recent OpenSSL CVEs don't have an impact on Splunk at all...
Well, to clarify, it is possible and feasible to not use SSL/OpenSSL in Splunk. All you have to do is set useSplunkdSSL to false (and not use it for other web ports). It is going to be used for some internal checks like validating trusted certs in distributed search and encrypting/decrypting hashes, but this doesn't expose OpenSSL to the outside.
I'm not sure it's appropriate to expect "official company statements" from the answers site - many of us who attempt to answer these questions don't work for Splunk (I don't). If you need an official answer, then you should open a support case. Your question, overall, is a good one but too focused. If you take your question and replace "OpenSSL" with "Python" - Splunk cannot function without Python, but the same question/need/principle applies. That is why I reworded your question into something more generalized that the Splunk support folks can comprehensively answer.
I totally agree; something is better than nothing... Is that the Splunk company answer, then? Should we just wait for the next Splunk version, in hopes that it will include an updated, patched OpenSSL version? Are there no other alternatives, without breaking Splunk functionality?
Well, the communication into Splunkd by default is SSL. It's not clear to me that having plaintext communications is better than a "vulnerable" SSL, since most "vulnerabilities" simply mean that someone could do something to eavesdrop on or compromise communications, not take over your server; this problem would only be worse with plaintext.