Splunk Enterprise

When will Splunk address the OpenSSL vulnerability issue (CVE-2016-2107; OpenSSL <1.0.2h)?

dwhill
New Member

Splunk 6.4.1 is linked against OpenSSL 1.0.2g which has a security flaw (CVE-2016-2107). When will Splunk with fixed OpenSSL (1.0.2h) be available?

0 Karma

tchimento_splun
Splunk Employee
Splunk Employee

Our next maintenance release will include the 1.0.2h version.

dewald13
Path Finder

6.4.2 is now released and looks to still have 1.0.2g.............still not fixed

0 Karma

tchimento_splun
Splunk Employee
Splunk Employee

Exactly what did you download and from where? We just confirmed that 6.4.2 is using OpenSSL 1.0.2h for both Linux and for Windows.

0 Karma

dewald13
Path Finder

I was looking here http://docs.splunk.com/Documentation/Splunk/6.4.2/ReleaseNotes/OpenSSL which states 6.4.2 still has v1.0.2g. But I did install last night and you are correct, it is running 1.0.2h

thanks for the quick response

0 Karma

jfeitosa
Path Finder

I have the same problem, and other vulnerabilities found in communication between the Universal Forwarder and Splunk Manager.

Does anyone know how to mitigate these vulnerabilities? Force use TLS? How do correctly?

Tks

0 Karma

tchimento_splun
Splunk Employee
Splunk Employee

We are targeting the release for the second or third week of July. All such release dates may change if unanticipated issues arise.

0 Karma

dwhill
New Member

When is the next maintenance release scheduled for?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...