Splunk Enterprise

log4j exploit - how do I remedy?

Branden
Builder

Hello! A recent security scan of our environment has discovered two instances of log4j in our Splunk Enterprise environment (v9.4.2) that have a known "medium" vulnerability. The log4j instances are found in

  • "etc/apps/splunk_archiver/java-bin/jars/thirdparty/common/log4j-core-2.17.2.jar"
  • "bin/jars/thirdparty/common/log4j-core-2.17.2.jar"

Based on the release notes, this vulnerability is not addressed in any 9.4.x release, up to 9.4.8. And there are no app updates available. 

Do we have any options to remedy this? I'm guessing a manual update of log4j would be ill-advised, as my change would simply be overwritten if/when the app is updated. 

If anyone has any suggestions, they are greatly appreciated.

Thank you!


1 Solution

kknairr
Contributor

@Branden - We also had a similar situation. If this is a new vulnerability, i.e. a CVE that was posted recently by your vulnerability scanner, then we have to wait for Splunk's "Third-Party Package Updates in Splunk Enterprise - February", which will mostly be released in the coming weeks and which will cover the solution or workarounds to be applied for third-party packages. In the meantime, you can do the below things:

  • Assess the vulnerability details with your security team to determine the applicability of this risk to your Splunk setup. Understand the risk and impact, and clarify your security setup in the Splunk deployment.
  • Gather the CVE details and when it was released; based on that information you can check the Splunk advisory for past SVDs for older CVEs, which will give you mitigation measures.
  • Raise a Splunk support case with the CVE details and scan findings (very important) for further assistance.

Hope this helps. 


Marking the answer and giving Karma helps others find solutions faster.
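An added example, not code from the question or from any of the answers: a small Python inventory script for the "gather the scan findings" step above. It walks a Splunk installation, finds every log4j jar, and records the version in the filename, the version the jar's own manifest claims, and a SHA-256 per file, so the list can be attached to the support case and re-run after the next Splunk or app update to confirm the files really changed. The two sample paths are the ones from the question; the jars that `build_sample_tree` creates are constructed stand-ins holding only a manifest, and reading the install root from the `SPLUNK_HOME` environment variable is an assumption.

```python
import hashlib
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Matches log4j artifact jars such as log4j-core-2.17.2.jar:
# group 1 is the artifact name, group 2 the version in the filename.
LOG4J_JAR_RE = re.compile(r"^(log4j-[a-z0-9.-]+?)-(\d+(?:\.\d+)+)\.jar$")


def jar_manifest_version(jar_path):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None.

    Scanners usually key on the filename; the manifest is the artifact's own
    statement of its version, so both are reported and can be compared.
    """
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def sha256_of(path):
    """SHA-256 of a file, streamed so large jars are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_log4j_jars(splunk_home):
    """Walk the install root and return one record per log4j jar found."""
    root = Path(splunk_home)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            m = LOG4J_JAR_RE.match(name)
            if not m:
                continue
            full = Path(dirpath) / name
            findings.append({
                "path": full.relative_to(root).as_posix(),
                "artifact": m.group(1),
                "filename_version": m.group(2),
                "manifest_version": jar_manifest_version(full),
                "sha256": sha256_of(full),
            })
    findings.sort(key=lambda f: f["path"])
    return findings


def summarize(findings):
    """Group paths by (artifact, filename version) for the support case."""
    summary = {}
    for f in findings:
        summary.setdefault((f["artifact"], f["filename_version"]), []).append(f["path"])
    return summary


def build_sample_tree(base):
    """Constructed sample install root: the two jar paths from the question,
    each a minimal zip containing only a manifest (not real log4j jars)."""
    base = Path(base)
    for rel in (
        "etc/apps/splunk_archiver/java-bin/jars/thirdparty/common/log4j-core-2.17.2.jar",
        "bin/jars/thirdparty/common/log4j-core-2.17.2.jar",
    ):
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(target, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: 2.17.2\r\n")
    return base


def demo_on_sample_tree():
    """Run the inventory over the constructed sample tree and return findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return find_log4j_jars(d)


if __name__ == "__main__":
    # Assumption: SPLUNK_HOME points at the install; otherwise use the sample tree.
    home = os.environ.get("SPLUNK_HOME")
    results = find_log4j_jars(home) if home else demo_on_sample_tree()
    for (artifact, version), paths in summarize(results).items():
        print(f"{artifact} {version}: {len(paths)} copies")
    for r in results:
        flag = "" if r["manifest_version"] == r["filename_version"] else "  (manifest differs!)"
        print(f"  {r['path']}  manifest={r['manifest_version']}  sha256={r['sha256'][:16]}...{flag}")
```

Keeping the SHA-256 column is what makes the re-check after an upgrade meaningful: a jar whose filename version did not change but whose hash did has been rebuilt, while an unchanged hash means the finding will come back on the next scan.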



Branden
Builder

Thank you, this is exactly what I need to know. 

richgalloway
SplunkTrust
SplunkTrust

Go to https://advisory.splunk.com/ and look up the CVE reported by your scanner to see what Splunk says about it. There is a log4j advisory from 2021, but it may not apply to recent versions of Splunk.

---
If this reply helps you, Karma would be appreciated.