Security

Heartbleed/openssl and Splunk

grijhwani
Motivator

Seeing as Splunk is deployed with its own bundled openssl binary and libs, and seeing as compromise of the issue (CVE-2014-0160) is undetectable, what action can we take to protect against it and replace the bundled OpenSSL, SSL certificate and keys to ensure that everything remains secure?

I'm asking specifically in the view of managing a v5 deployment which we do not want to take up to v6 at present. (And yes this is an Enterprise deployment, but I am asking for the benefit of the wider audience, too.)

Tags (2)
1 Solution

grijhwani
Motivator

Having just dug a little further, it appears that v5.0.5 uses OpenSSL 0.9.8, which is not vulnerable. Question is, what about 5.0.8 which I was looking to deploy very soon.

Ok, I've dug deeper still, (using rpm2cpio to pry into the rpms)

rpm2cpio ${splunk_rpm} | rpm2cpio | cpio -itv | grep -i ssl

yields the following results (amongst others):

lr-xr-xr-x   1 root     root           15 Mar 21 00:48 ./opt/splunk/lib/libssl.so -> libssl.so.0.9.8
-r-xr-xr-x   1 root     root       332528 Mar 21 00:48 ./opt/splunk/lib/libssl.so.0.9.8
...
-r--r--r--   1 root     root         6279 Mar 21 00:48 ./opt/splunk/share/splunk/3rdparty/Copyright-for-openssl-0.9.8y.txt

The conclusion is that version 5 is not vulnerable in any of its guises to date. Only version 6 users are at risk.

It should be noted that this problem does exist for all version 6 releases to date, as they are ALL linked to the same vulnerable version of OpenSSL (1.0.1e).

A blog entry has just been published confirming this and progress so far in addressing the problem.

A further blog entry has now been published announcing a fix release available for download.

View solution in original post

ckurtz
Path Finder

Splunk 6.0.3 has been released, which that patches Heartbleed and a separate TLS vulnerability

alapour
New Member

The Splunk Universal Forwarders 6+ are also vulnerable.

0 Karma

thnninen
Engager

Just a quick note that when you have updated your system openssl you can actually force splunk to use those libraries by symlinking. This will make your splunk instance secure while waiting for the update.

At least worked for me.

grijhwani
Motivator

A good intermediate solution for those on v6.

0 Karma

piebob
Splunk Employee
Splunk Employee

Splunk version 6.0 and later are vulnerable. no other versions are vulnerable.

We have a fix checked in and are currently in the process of testing our patch. We will be posting bits as soon as possible, and there will be information available at our security portal, http://www.splunk.com/page/securityportal

Note: Unless you have a public-facing, externally-accessible Splunk instance, you likely have very little exposure due to this vulnerability. That said, we are working very hard to deliver the patch as soon as possible, and to ensure that the patch we publish is of high quality.

ontkanin
Path Finder

I'm running v6.2, which is vulnerable. Any timeline for getting updates for it?

My system level openssl is patched, but Splunk is being deployed with its own openssl, and that one just makes the whole system vulnerable.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

grijhwani
Motivator

Having just dug a little further, it appears that v5.0.5 uses OpenSSL 0.9.8, which is not vulnerable. Question is, what about 5.0.8 which I was looking to deploy very soon.

Ok, I've dug deeper still, (using rpm2cpio to pry into the rpms)

rpm2cpio ${splunk_rpm} | rpm2cpio | cpio -itv | grep -i ssl

yields the following results (amongst others):

lr-xr-xr-x   1 root     root           15 Mar 21 00:48 ./opt/splunk/lib/libssl.so -> libssl.so.0.9.8
-r-xr-xr-x   1 root     root       332528 Mar 21 00:48 ./opt/splunk/lib/libssl.so.0.9.8
...
-r--r--r--   1 root     root         6279 Mar 21 00:48 ./opt/splunk/share/splunk/3rdparty/Copyright-for-openssl-0.9.8y.txt

The conclusion is that version 5 is not vulnerable in any of its guises to date. Only version 6 users are at risk.

It should be noted that this problem does exist for all version 6 releases to date, as they are ALL linked to the same vulnerable version of OpenSSL (1.0.1e).

A blog entry has just been published confirming this and progress so far in addressing the problem.

A further blog entry has now been published announcing a fix release available for download.

grijhwani
Motivator

As is already noted in the answer above (note the mention of the blog post 19 hours ago).

0 Karma

yannK
Splunk Employee
Splunk Employee
0 Karma

piebob
Splunk Employee
Splunk Employee

this is correct. see my answer for more info.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...