Splunk Enterprise

OpenSSL < 1.0.2zk vulnerability on Splunk 9.2.2

RSI_Indosuez
Engager

Hello,

I just upgraded my Splunk Enterprise from 9.2.1 to 9.2.2, and I saw that the OpenSSL used is version 1.0.2zj.

This version is vulnerable to the CVE-2024-5535 critical vulnerability.

Is there a future patch for Splunk Enterprise 9.2.x which upgrades the embedded OpenSSL?

Best regards, LAIRES Jordan


PickleRick
SplunkTrust

1. Just because an app reports a particular version of a library doesn't mean that it's not been patched (see Debian and its backporting practice).

2. This particular vulnerability is far from critical.

"However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application."

Don't believe everything Nessus/Rapid7/OpenVAS/whatever says.

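An added check for the point above about version strings versus backported fixes (this script is not part of the thread or of Splunk's own tooling): it reads the version string that Splunk's bundled OpenSSL prints and compares 1.0.2 patch letters correctly, since the suffixes run a..z and then za..zz. It assumes the default install path /opt/splunk (override with SPLUNK_HOME) and the `splunk cmd openssl version` invocation; the sample banner is constructed. A reported version below 1.0.2zk is only a prompt to read the vendor's statement for the CVE, because a backported fix leaves the version string unchanged.

```shell
#!/bin/sh
# Added example: OpenSSL 1.0.2 patch-letter comparison plus a lookup of the
# version Splunk's bundled OpenSSL reports. Install path is an assumption.

# Extract "1.0.2zj" from a banner such as "OpenSSL 1.0.2zj  DD Mon YYYY".
openssl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Return 0 when 1.0.2 patch level $1 is at least $2 (e.g. 1.0.2zk vs 1.0.2zj).
# Suffixes after 1.0.2 run a..z, then za..zz, so plain byte ordering
# ("" < "a" < "z" < "za" < "zj" < "zk") is the correct comparison here.
# Returns 2 if either argument is not on the 1.0.2 branch.
openssl_102_at_least() {
    base1=${1%%[a-z]*}; suf1=${1#"$base1"}
    base2=${2%%[a-z]*}; suf2=${2#"$base2"}
    [ "$base1" = "1.0.2" ] && [ "$base2" = "1.0.2" ] || return 2
    [ "$suf1" = "$suf2" ] && return 0
    first=$(printf '%s\n%s\n' "$suf1" "$suf2" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$suf2" ]
}

# Splunk ships its own OpenSSL binary; this prints the version that binary
# reports. Assumes /opt/splunk unless SPLUNK_HOME is set (assumption).
splunk_openssl_version() {
    home=${SPLUNK_HOME:-/opt/splunk}
    [ -x "$home/bin/splunk" ] || { echo "splunk not found at $home/bin" >&2; return 1; }
    openssl_version_from_banner "$("$home/bin/splunk" cmd openssl version)"
}

# Constructed sample banner in the shape "openssl version" prints (not real output).
SAMPLE_BANNER='OpenSSL 1.0.2zj  DD Mon YYYY'

# Usage: ./check_openssl.sh --check
if [ "${1:-}" = "--check" ]; then
    v=$(splunk_openssl_version) || exit 1
    if openssl_102_at_least "$v" "1.0.2zk"; then
        echo "bundled OpenSSL $v is 1.0.2zk or later"
    else
        echo "bundled OpenSSL reports $v: version alone is inconclusive, check the vendor's advisory for a backported fix"
    fi
fi
```

The comparison is deliberately restricted to the 1.0.2 branch; other branches (1.1.1, 3.x) use different numbering and the function refuses them rather than guessing.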

dglass0215
Path Finder

Unfortunately it is not that simple. It has nothing to do with "believing" everything Nessus says. If Nessus reports a vulnerability we have 7 days to address a critical, or 30 days to address a Medium. If not addressed within 30 days then we need to open a POA&M with specific details as to why we are not compliant/what we are doing to fix and/or mitigate the issue. And this still counts against us when trying to keep an active ATO. So the OP's question is still valid. When will we see an update that addresses this vulnerability? So at a bare minimum we can be compliant with our documentation.


PickleRick
SplunkTrust

In other words, you do believe what your scanner says. Just because someone decided that something is "critical" doesn't automatically mean it is. If your VM process doesn't have a possibility for flagging a false positive or adjusting the criticality, it's simply a bad process. Every reasonable VM process has vulnerability assessment after the scan phase. If you're jumping straight into remediation, you're simply taking shortcuts and doing checkbox security. Don't take it personally, I'm not saying you are responsible for the process design. It's just that you might or might not see a vulnerability which in reality is not there "fixed".
