Does splunk have a patch for CVE-2021-4428
Qualys has identified Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell) on the Splunk servers. Please update impacted Splunk infrastructure with any updates they provide.
Hi @dhotlosz
You could track the status here and find relevant info for your products in use.
---
An upvote would be appreciated if this reply helps!
Please remember that though updating and patching your servers is a good practice on its own, this CVE depends on user-supplied input to be exploited. Therefore the log4j included in splunk_archiver seems relatively unlikely to be abused this way. This means that it's generally good to be on the safe side and have this vulnerability patched, but this particular occurrence isn't that critical.
I removed the files but some keep coming back.
I see the advisory was updated with this
...
If any jar files return in the splunk_archiver app, disabling the default Bucket Copy Trigger search in that app will stop this behavior from happening.
....
How do I disable the bucket copy trigger search in the app?
Thanks
Dave
Hi @dhotlosz
On Linux, go to /opt/splunk/etc/apps/splunk_archiver/default,
open savedsearches.conf, find [Bucket Copy Trigger] and add disabled = 1.
---
An upvote would be appreciated if this reply helps!
Maybe create a local dir and add disabled = 1 there instead of in default.
If you are using a deployer, deployment server and cluster master, push it from there by setting disabled = 1 in the local dir.
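The two replies above describe the same procedure: add a `[Bucket Copy Trigger]` stanza with `disabled = 1` to `savedsearches.conf`, preferably under the app's `local` directory so the override survives app upgrades (Splunk gives `local` precedence over `default`). The script below is an added example, not code from the thread or from Splunk; it assumes the standard `SPLUNK_HOME` of `/opt/splunk` (overridable through the environment variable) and the app path named in the replies, writes the override idempotently, and then checks the resulting file so you can confirm the search is actually disabled before restarting Splunk or pushing the app from a deployer or deployment server.

```shell
#!/bin/sh
# Added example (not from the thread): disable the "Bucket Copy Trigger" saved
# search in splunk_archiver via a local override, then verify the override.
# SPLUNK_HOME is assumed to be /opt/splunk unless set in the environment.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Append the disabling stanza to local/savedsearches.conf, creating the local
# directory if needed. Skips the write when the stanza is already present so
# repeated runs do not produce duplicate stanzas.
disable_bucket_copy_trigger() {
  app_local="$SPLUNK_HOME/etc/apps/splunk_archiver/local"
  conf="$app_local/savedsearches.conf"
  mkdir -p "$app_local"
  if [ -f "$conf" ] && grep -q '^\[Bucket Copy Trigger\]' "$conf"; then
    echo "stanza already present in $conf"
    return 0
  fi
  printf '\n[Bucket Copy Trigger]\ndisabled = 1\n' >> "$conf"
  echo "wrote override to $conf"
}

# Returns 0 when the local override contains disabled = 1 inside the
# [Bucket Copy Trigger] stanza, 1 otherwise (missing file, missing stanza,
# or the key set in some other stanza).
is_trigger_disabled() {
  conf="$SPLUNK_HOME/etc/apps/splunk_archiver/local/savedsearches.conf"
  [ -f "$conf" ] || return 1
  # awk prints only the lines belonging to the target stanza; grep then looks
  # for the disabled key within that slice.
  awk '/^\[/{in_s=($0=="[Bucket Copy Trigger]")} in_s' "$conf" \
    | grep -Eq '^[[:space:]]*disabled[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}
```

Run `disable_bucket_copy_trigger` on the search head (or, as the last reply says, in the app copy that your deployer or deployment server pushes), then `is_trigger_disabled && echo disabled`. Splunk only picks up the change after a restart or a deployment push, so the check confirms the file on disk, not the running scheduler.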