Hi Team,
I am checking for an update on whether the Splunk application is also exposed to threat due to the Apache Log4j vulnerability.
Please let us know the workaround if there is any impact.
Thanks
User
I am checking for an update on whether the Splunk application is also exposed to threat due to the Apache Log4j vulnerability.
Yes, these Splunk products are impacted:
(In short: Splunk Enterprise, when the Data Federated Search (DFS) feature is used, is impacted.)
| Product | Cloud/On-Prem | Impacted Versions | Fixed Version | Workaround |
|---|---|---|---|---|
| Add-On: Java Management Extensions | Both | 5.2.0 and previous | Pending | TBD |
| Add-On: JBoss | Both | 3.0.0, 2.1.0 | Pending | TBD |
| Add-On: Tomcat | Both | 3.0.0, 2.1.0 | Pending | TBD |
| Data Stream Processor | On-Prem | DSP 1.0.x, DSP 1.1.x, DSP 1.2.x | Pending | TBD |
| IT Essentials Work | Both | 4.11, 4.10.x (Cloud only), 4.9.x | 4.11.1, 4.10.3, additional versions pending for release early this week | TBD |
| IT Service Intelligence (ITSI) | Both | 4.11.0, 4.10.x (Cloud only), 4.9.x, 4.8.x (Cloud only), 4.7.x, 4.6.x, 4.5.x | 4.11.1, 4.10.3, additional versions pending for release early this week | TBD |
| Splunk Connect for Kafka | On-Prem | 2.0.3 | 2.0.4 | Released the patched version on 12/11/21 |
| Splunk Enterprise | On-Prem | All supported non-Windows versions of 8.1.x and 8.2.x, only if DFS is used. See "Removing Log4j from Splunk Enterprise" below for guidance on unsupported versions. | 8.1.7.1, 8.2.3.2 | See "Removing Log4j from Splunk Enterprise" section below |
| Splunk Enterprise Amazon Machine Image (AMI) | On-Prem | See Splunk Enterprise | Pending | TBD |
| Splunk Enterprise Docker Container | On-Prem | See Splunk Enterprise | Pending | TBD |
| Splunk Logging Library for Java | On-Prem | 1.11.0 | 1.11.1 | TBD |
| Stream Processor Service | Cloud | Current | Pending | TBD |
Please let us know the workaround if there is any impact.
Removing Log4j from Splunk Enterprise
If the Splunk Enterprise instance does not leverage DFS, the presence of those libraries does not introduce an active attack vector. Out of an abundance of caution, you may remove the unused jar files from your Splunk Enterprise instances in the following paths:
Upon removal of these jar files, an administrator may see errors at Splunk startup pertaining to file integrity, specific to these jar files. These are expected as you are removing these unused jar files as a workaround. These errors may be ignored.
*Since a Splunk Heavyweight Forwarder (HWF) is a full-instance copy of Splunk Enterprise with forwarding enabled, the above mitigation may also be applied to HWF instances.
| makeresults - If this reply helped you, a karma point would be appreciated, thanks.
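Before applying the jar-removal workaround from the answer above, an admin usually wants an inventory of which Log4j jars are actually present under the install and whether their version falls in the CVE-2021-44228 range. The script below is an added example, not part of the answer or of Splunk's own tooling; it assumes the jars follow the standard log4j-core-<version>.jar naming and defaults to SPLUNK_HOME or /opt/splunk as the root.

```shell
#!/bin/sh
# Added example (not from the Splunk answer or Splunk itself): list every
# log4j-core jar below a Splunk Enterprise install and flag the ones whose
# version is in the CVE-2021-44228 affected range (2.0-beta9 .. 2.14.x).
# It does not check whether DFS is enabled; per the answer above, that is
# what decides whether the bundled jars are an active vector.

# Classify a Log4j version string taken from the jar name.
# Prints AFFECTED for 2.x below 2.15.0, REVIEW for anything else
# (1.x jars and 2.15+ are outside this CVE's range but still worth a look).
log4j_status() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    # strip suffixes such as "-beta9" so "2.0-beta9" yields minor 0
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    if [ "$major" = "2" ] && [ "${minor:-0}" -lt 15 ]; then
        echo AFFECTED
    else
        echo REVIEW
    fi
}

# Print "<path> <version> <status>" for each log4j-core jar under $1.
# Assumption: root defaults to $SPLUNK_HOME, then /opt/splunk.
find_log4j_jars() {
    root="${1:-${SPLUNK_HOME:-/opt/splunk}}"
    find "$root" -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while read -r jar; do
        ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
        printf '%s %s %s\n' "$jar" "$ver" "$(log4j_status "$ver")"
    done
}

# Usage: sh log4j_inventory.sh [SPLUNK_HOME]
if [ "$#" -gt 0 ]; then
    find_log4j_jars "$1"
fi
```

Jars reported as AFFECTED on an instance that does not use DFS are the candidates the answer says may be removed; expect the file-integrity warnings it mentions at the next splunkd start.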
The blog posting at https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228... should answer your question.