Solved: OpenSSL security bug

mpavlas · ‎04-09-2014

Splunk 6.0.2 is linked against OpenSSL 1.0.1e which has serious security flaw (CVE-2014-0160).
When will be Splunk with fixed OpenSSL (1.0.1g) available?

MuS · ‎04-09-2014

Hi mpavlas,

Splunk is currently testing the fix, official statement on IRC #splunk channel:

Welcome to #splunk! | Currently testing a fix for the Heartbleed OpenSSL issue

as soon as it is available you will hear about on IRC #splunk and their webpage....stay tuned

cheers, MuS

View solution in original post

martin_mueller · ‎04-09-2014

Only 6.0.0-6.0.2 are affected: http://answers.splunk.com/answers/131019/heartbleedopenssl-and-splunk/131069

troywollenslege · ‎04-09-2014

I am hoping that Splunk will send out a global communication (email) about this issue and include a set of versions that are affected and a timeline when they will be patched/updated.

dwaddle · ‎04-09-2014

Keep an eye on the splunk security portal at http://www.splunk.com/page/securityportal -- which has an RSS feed you can subscribe to as well.

millern4 · ‎04-09-2014

that was it, thank you.....indeed we are affected

[xxxxxxxxxxxx /]$ cd /splunk/bin/
[xxxxxxxxxx bin]$ pwd
/splunk/bin
[xxxxxxxxxx bin]$ ./splunk cmd openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

MuS · ‎04-09-2014

if this is a default *uix setup try:

/opt/splunk/bin/splunk cmd openssl version

millern4 · ‎04-09-2014

is there another command to run I've tried below with different variation but it never returns any ouput?

$SPLUNK_HOME/bin/splunk cmd openssl version

/]$ $SPLUNK_HOME/bin/splunk cmd openssl version
-bash: /bin/splunk: No such file or directory

Is there another way to run this command?

MuS · ‎04-09-2014

did you run this like $SPLUNK_HOME/bin/splunk cmd openssl version? Otherwise you will probably get a response from your servers openSSL installation not the one from Splunk .....

millern4 · ‎04-09-2014

According to heartbleed.com:

What versions of the OpenSSL are affected?

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

Our production search head is running Splunk 6.0. When I look at the command line:

bin]$ openssl version
OpenSSL 1.0.0-fips 29 Mar 2010

Does this mean we are not affected by this?

MuS · ‎04-09-2014

Hi mpavlas,

Splunk is currently testing the fix, official statement on IRC #splunk channel:

Welcome to #splunk! | Currently testing a fix for the Heartbleed OpenSSL issue

as soon as it is available you will hear about on IRC #splunk and their webpage....stay tuned

cheers, MuS

aelliott · ‎04-11-2014

Looks like there is an update available: http://www.splunk.com/view/SP-CAAAMB3

yannK · ‎04-10-2014

last updates : http://blogs.splunk.com/2014/04/09/splunk-and-the-heartbleed-ssl-vulnerability/

grijhwani · ‎04-09-2014

A Splunk blog entry has just been published confirming progress so far in addressing the problem.

troywollenslege · ‎04-09-2014

Hopefully to more than just IRC 🙂

Thanks for working on this quickly.

piebob · ‎04-09-2014

this is correct. we are working currently to test our fix, and will post it as soon as it meets our quality requirements.

OpenSSL security bug

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?