Greetings,
We started seeing OPSNSSL vulnerabilities on all of our Splunk forwarders and the main engine this week. The advisory tells us we must use OPENSSL 3.0.8 or newer. Since OPENSSL is now on 3.1.2, I really thought the latest Splunk updates would fix the problem. I have just updated all forwarders to 9.1.0.1 and the main engine to 9.1.0.2, and it is now showing OPENSSL at 3.0.7. When will Splunk issue an update to address this and get OPENSSL to at least 3.0.8?
I am not particularly concerned about the vulnerability right now. But this old OpenSSL version is causing problems when I try to develop new apps. I know it might not be a Splunk problem. urllib3 v2 is a dependency of a package that I need to use. As I understand this version of OpenSSL is not supported by the library or newer version of Python.
The error message is:
urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'OpenSSL 1.0.2zi-fips 1 Aug 2023'. See: https://github.com/urllib3/urllib3/issues/2168
I found an answer for this. If you check out openssl.org, the version is not actually EOL for PREMIUM customers, which Splunk is. An annotation in the findings checklist should suffice.
Hope that helps.
Sure, that allows me to snooze the alert. How can I validate this information, is this documented somewhere?
As I said, go to openssl.org. The information is there.
Yes and no. I guess my question could have been a bit more concrete and clear.
It does list the details regarding premium services ([ Contracts ] - /support/contracts.html (openssl.org)) inkluding LTS for 1.0.2.
But it does not list any premium customers. I'm struggling to validate that the LTS versions is what is shipped with Splunk. I have not found information documenting this as a fact by Splunk representatives yet.
If you can point me to the documentation regaring Splunk being a premium customer I'd appreciate it very much. Then I have something to lean on while ignoring the alerts 🙂
Ok, that's what was missing! So I deduced it from the following information:
From OpenSSL.Org:
****
OpenSSL 1.0.2 is out of support since 1st January 2020 and is no longer receiving updates. Extended support is available from OpenSSL Software Services for premium support customers.
CVE-2024-0727 - Fixed in OpenSSL 1.0.2zj (premium support) (Affected since 1.0.2)
****
Since only premium customers get 1.0.2.zj, and Splunk has it, they are therefore a Premium customer.
👍Which also explains why the "z" version was not available for download 🙂
Well, then all is well that ends well I suppose! Thank you for both help and clarification, much appreciated!
The problem here may be that splunk is not releasing the updated libraries for libssl and libcrypto up through the 9.3.1 release now that the vulnerabilities are being flagged to "zk"
So it is now flagged to include "z" versions of OpenSSL, meaning that all prior and current versions were and are indeed affected?
Could you provide a link to the supporting information?
I'm getting punked for this from our Vuln.mgt team too. They refer to a " CVE-2023-3446 - OpenSSL 1.0.2 < 1.0.2zi Vulnerability".
Apparently, there's a file '/opt/splunk/lib/libcrypto.so.1.0.0' that existed for years, that all of a sudden is a problem to Nessus - but I can't find anything about it from Splunk?
I just tried to do an upgrade all the way from 6.5.2 to 9.1.0.2, but nothing changes - except the timestamp on the file.
yes, still we observed vulnerability openssl libraries files having 1.0.2zi FIPS with latest SplunkForwarder 9.2.0.1 as below.
# cat /opt/splunkforwarder/etc/splunk.version
VERSION=9.2.0.1
BUILD=d8ae995bf219
PRODUCT=splunk
PLATFORM=Linux-x86_64
Library files
r-xr-xr-x. 1 splunk splunk 475784 Feb 7 00:48 libssl.so.1.0.0
r-xr-xr-x. 1 splunk splunk 2996816 Feb 7 00:48 libcrypto.so.1.0.0
How to mitigate this vulnerability ?
Have you read anything that has been written in this thread? Have you checked what openssl version is used here? (I'm talking about the actual library version, not the filename).
How have you "observed vulnerability"? Again - Nessus "detected" it by checking filename?
I'm all for vulnerability scanning but it should be performed properly, not just "run scanner with default settings and assume every finding is a true positive".
Yeah, the scanner is now primarily complaining about OpenSSL 1.0.2 being EOL (OpenSSL SEoL (1.0.2.x)), which also then means there are associated CVEs.
$ /opt/splunk/bin/splunk cmd openssl version
OpenSSL 1.0.2zi-fips 1 Aug 2023
So this is clearly an outdated version of OpenSSL being shipped with Splunk Enterprise 9.2.0.1
So the question is still valid, why ship splunk with an EOL version of OpenSSL?
If no one from Splunk chimes in with an expected patch date I will put in an official ticket. I would hope that a vulnerability listed as severe would have their full attention by now.
did anybody ever get an answer on this? i can also put a ticket in but im being hounded by security team to get this looked at. nessus is also the tool they're using to complain to us about it.
Tell your security team to obsess over something more relevant.
See the original OpenSSL advisory - https://www.openssl.org/news/secadv/20230719.txt
Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.
Your security team apparently didn't bother to verify what kind of vulnerability it was or if it was relevant in your situation in the first place. It's just the mechanical "we got a finding from our Nessus, we want to make you to get rid of it with no effort on our side, not even confirm that it's a real finding".
In my case it is a DoD system and the openssl hits reference three nist concerns:
I linked the nist articles, but apparently that isn't allowed. You can search them out if you want to.
These are all considered medium vulnerabilities, except that under DoD the last one, authentication gets bumped up a notch because it is authentication related.
OpenSSL has already addressed them. The question is when will Splunk integrate them into their own install packages. Going back to DoD and saying that it really isn't a big deal and I'm not going to fix it won't fly.
The options are: get a vendor patch, get instructions from the vendor on how to patch it without an update, or update it without vendor support and hope you don't break anything.
Well... if it wasn't for this line, in that advisory:
OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
I guess I could tell them to focus on real problems... But Nessus complaints about $HOME/lib/libcrypto.so.1.0.0 in both Enterprise and Universal Forwarder - so they might have a right to obsess?
Splunk might not use this old stuff - but why isn't it removed then?
Just because the _file_ is named libssl.so.1.0.0 it doesn't mean that the actual library version is that ancient. It's a naming convention for the linker so if a library with version 1.0.0. is requested, the file is used.
(12:49:37) (splunk@mon1:~)
$ grep -Poa '1\.0\.2\S+' /opt/splunk/lib/libssl.so.1.0.0
1.0.2zg-fips
1.0.2zg-fips
1.0.2zg-fips
1.0.2zg-fips
(12:50:09) (splunk@mon1:~)
$ /opt/splunk/bin/splunk cmd openssl version
OpenSSL 1.0.2zg-fips 7 Feb 2023
(12:50:15) (splunk@mon1:~)
$ cat /opt/splunk/etc/splunk.version
VERSION=9.1.0.2
BUILD=b6436b649711
PRODUCT=splunk
PLATFORM=Linux-x86_64
Which corresponds to https://advisory.splunk.com/advisories/SVD-2023-0613
(same goes for UFs - see https://advisory.splunk.com/advisories/SVD-2023-0614 )
EDIT: Nessus is notorious for flagging hosts as vulnerable only by checking the reported file/package version which is annoying in case of distros which backport fixes into earlier versions (debian stable?). And security teams are notorious for not checking the actual findings 😉
I have the UFW 9.2.0.1 and still got the OpenSSL 1.0.2zi-fips, it's def not the same version you are pointing here. And to be sure I checked runing the splunk cmd openssl version.