Security

Why is OPENSSL vulnerability still showing in latest release?

tsondo
Explorer

Greetings,

We started seeing OPSNSSL vulnerabilities on all of our Splunk forwarders and the main engine this week. The advisory tells us we must use OPENSSL 3.0.8 or newer. Since OPENSSL is now on 3.1.2, I really thought the latest Splunk updates would fix the problem. I have just updated all forwarders to 9.1.0.1 and the main engine to 9.1.0.2, and it is now showing OPENSSL at 3.0.7. When will Splunk issue an update to address this and get OPENSSL to at least 3.0.8? 

Labels (1)
Tags (1)
0 Karma

wipark
Loves-to-Learn Lots

I am not particularly concerned about the vulnerability right now. But this old OpenSSL version is causing problems when I try to develop new apps. I know it might not be a Splunk problem. urllib3 v2 is a dependency of a package that I need to use. As I understand this version of OpenSSL is not supported by the library or newer version of Python.

The error message is:

 

 

urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'OpenSSL 1.0.2zi-fips 1 Aug 2023'. See: https://github.com/urllib3/urllib3/issues/2168

 

 

0 Karma

tsondo
Explorer

I found an answer for this. If you check out openssl.org, the version is not actually EOL for PREMIUM customers, which Splunk is. An annotation in the findings checklist should suffice.

Hope that helps.

fatsug
Contributor

Sure, that allows me to snooze the alert. How can I validate this information, is this documented somewhere?

0 Karma

tsondo
Explorer

As I said, go to openssl.org. The information is there.

 
0 Karma

fatsug
Contributor

Yes and no. I guess my question could have been a bit more concrete and clear.

It does list the details regarding premium services ([ Contracts ] - /support/contracts.html (openssl.org)) inkluding LTS for 1.0.2.

But it does not list any premium customers. I'm struggling to validate that the LTS versions is what is shipped with Splunk. I have not found  information documenting this as a fact by Splunk representatives yet.

If you can point me to the documentation regaring Splunk being a premium customer I'd appreciate it very much. Then I have something to lean on while ignoring the alerts 🙂

0 Karma

tsondo
Explorer

Ok, that's what was missing! So I deduced it from the following information:

From OpenSSL.Org:

****

OpenSSL 1.0.2 is out of support since 1st January 2020 and is no longer receiving updates. Extended support is available from OpenSSL Software Services for premium support customers.

CVE-2024-0727 - Fixed in OpenSSL 1.0.2zj (premium support) (Affected since 1.0.2)

****

Since only premium customers get 1.0.2.zj, and Splunk has it, they are therefore a Premium customer.

fatsug
Contributor

👍Which also explains why the "z" version was not available for download 🙂

Well, then all is well that ends well I suppose! Thank you for both help and clarification, much appreciated!

0 Karma

psjostedt
New Member

The problem here may be that splunk is not releasing the updated libraries for libssl and libcrypto up through the 9.3.1 release now that the vulnerabilities are being flagged to "zk"

0 Karma

fatsug
Contributor

So it is now flagged to include "z" versions of OpenSSL, meaning that all prior and current versions were and are indeed affected?

Could you provide a link to the supporting information?

0 Karma

ClausBom
Explorer

I'm getting punked for this from our Vuln.mgt team too. They refer to a " CVE-2023-3446 - OpenSSL 1.0.2 < 1.0.2zi Vulnerability". 
Apparently, there's a file '/opt/splunk/lib/libcrypto.so.1.0.0' that existed for years, that all of a sudden is a problem to Nessus - but I can't find anything about it from Splunk?

I just tried to do an upgrade all the way from 6.5.2 to 9.1.0.2, but nothing changes - except the timestamp on the file.

0 Karma

mp1
New Member

yes, still we observed vulnerability  openssl libraries files having 1.0.2zi FIPS with latest SplunkForwarder 9.2.0.1 as below.

# cat /opt/splunkforwarder/etc/splunk.version
VERSION=9.2.0.1
BUILD=d8ae995bf219
PRODUCT=splunk
PLATFORM=Linux-x86_64

Library files

r-xr-xr-x. 1 splunk splunk 475784 Feb 7 00:48 libssl.so.1.0.0

r-xr-xr-x. 1 splunk splunk 2996816 Feb 7 00:48 libcrypto.so.1.0.0

How to mitigate this vulnerability ?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Have you read anything that has been written in this thread? Have you checked what openssl version is used here? (I'm talking about the actual library version, not the filename).

How have you "observed vulnerability"? Again - Nessus "detected" it by checking filename?

I'm all for vulnerability scanning but it should be performed properly, not just "run scanner with default settings and assume every finding is a true positive".

0 Karma

fatsug
Contributor

Yeah, the scanner is now primarily complaining about OpenSSL 1.0.2 being EOL (OpenSSL SEoL (1.0.2.x)), which also then means there are associated CVEs.

$ /opt/splunk/bin/splunk cmd openssl version
OpenSSL 1.0.2zi-fips 1 Aug 2023

So this is clearly an outdated version of OpenSSL being shipped with Splunk Enterprise 9.2.0.1

So the question is still valid, why ship splunk with an EOL version of OpenSSL?

 

 

0 Karma

tsondo
Explorer

If no one from Splunk chimes in with an expected patch date I will put in an official ticket. I would hope that a vulnerability listed as severe would have their full attention by now.

0 Karma

josh_beverly
Explorer

did anybody ever get an answer on this? i can also put a ticket in but im being hounded by security team to get this looked at. nessus is also the tool they're using to complain to us about it.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Tell your security team to obsess over something more relevant.

See the original OpenSSL advisory - https://www.openssl.org/news/secadv/20230719.txt

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available.

Your security team apparently didn't bother to verify what kind of vulnerability it was or if it was relevant in your situation in the first place. It's just the mechanical "we got a finding from our Nessus, we want to make you to get rid of it with no effort on our side, not even confirm that it's a real finding".

0 Karma

tsondo
Explorer

In my case it is a DoD system and the openssl hits reference three nist concerns:

CVE-2023-2975 

CVE-2023-3446 

CVE-2023-3817 

I linked the nist articles, but apparently that isn't allowed. You can search them out if you want to.

These are all considered medium vulnerabilities, except that under DoD the last one, authentication gets bumped up a notch because it is authentication related.

OpenSSL has already addressed them. The question is when will Splunk integrate them into their own install packages. Going back to DoD and saying that it really isn't a big deal and I'm not going to fix it won't fly.

The options are: get a vendor patch, get instructions from the vendor on how to patch it without an update, or update it without vendor support and hope you don't break anything.

0 Karma

ClausBom
Explorer

Well... if it wasn't for this line, in that advisory: 

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

I guess I could tell them to focus on real problems... But Nessus complaints about $HOME/lib/libcrypto.so.1.0.0 in both Enterprise and Universal Forwarder - so they might have a right to obsess?
Splunk might not use this old stuff - but why isn't it removed then?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Just because the _file_ is named libssl.so.1.0.0 it doesn't mean that the actual library version is that ancient. It's a naming convention for the linker so if a library with version 1.0.0. is requested, the file is used.

(12:49:37) (splunk@mon1:~)
$ grep -Poa '1\.0\.2\S+' /opt/splunk/lib/libssl.so.1.0.0
1.0.2zg-fips
1.0.2zg-fips
1.0.2zg-fips
1.0.2zg-fips
(12:50:09) (splunk@mon1:~)
$ /opt/splunk/bin/splunk cmd openssl version
OpenSSL 1.0.2zg-fips 7 Feb 2023
(12:50:15) (splunk@mon1:~)
$ cat /opt/splunk/etc/splunk.version
VERSION=9.1.0.2
BUILD=b6436b649711
PRODUCT=splunk
PLATFORM=Linux-x86_64

Which corresponds to https://advisory.splunk.com/advisories/SVD-2023-0613

(same goes for UFs - see https://advisory.splunk.com/advisories/SVD-2023-0614 )

 

EDIT: Nessus is notorious for flagging hosts as vulnerable only by checking the reported file/package version which is annoying in case of distros which backport fixes into earlier versions (debian stable?). And security teams are notorious for not checking the actual findings 😉

TarnishedMalwar
Loves-to-Learn

I have the UFW 9.2.0.1 and still got the OpenSSL 1.0.2zi-fips, it's def not the same version you are pointing here. And to be sure I checked runing the splunk cmd openssl version. 

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...