Splunk Enterprise

threat Sharing Report: CVE-2021-44228: Apache Log4j RCE

sauravkumar702
Observer

Hi Team,

 

I am checking for the update that if the Splunk application is also exposed to threat due to Vulnerability -  Apache Log4j. 

Please let us know the work around if there is any impact.

Thanks

User

Labels (2)
0 Karma

inventsekar
SplunkTrust
SplunkTrust

I am checking for the update that if the Splunk application is also exposed to threat due to Vulnerability -  Apache Log4j.

 Yes, These Splunk Products are impacted:
(in simple, Splunk Enterprise, with Data Federated Search(DFS) feature utilized, is impacted)

ProductCloud/On-PremImpacted VersionsFixed VersionWorkaround
Add-On: Java Management ExtensionsBoth5.2.0 and previousPendingTBD
Add-On: JBossBoth3.0.0, 2.1.0PendingTBD
Add-On: TomcatBoth3.0.0, 2.1.0PendingTBD
Data Stream ProcessorOn-PremDSP 1.0.x, DSP 1.1.x, DSP 1.2.xPendingTBD
IT Essentials WorkBoth4.11, 4.10.x (Cloud only), 4.9.x4.11.1, 4.10.3, additional versions pending for release early this weekTBD
IT Service Intelligence (ITSI)Both4.11.0, 4.10.x (Cloud only), 4.9.x, 4.8.x (Cloud only), 4.7.x, 4.6.x, 4.5.x4.11.1, 4.10.3, additional versions pending for release early this weekTBD
Splunk Connect for KafkaOn-Prem2.0.32.0.4Released the patched version on 12/11/21
Splunk EnterpriseOn-PremAll supported non-Windows versions of 8.1.x and 8.2.x only if DFS is used. See Removing Log4j from Splunk Enterprise below for guidance on unsupported versions.8.1.7.1, 8.2.3.2See Removing Log4j from Splunk Enterprise section below
Splunk Enterprise Amazon Machine Image (AMI)On-PremSee Splunk EnterprisePendingTBD
Splunk Enterprise Docker ContainerOn-PremSee Splunk EnterprisePendingTBD
Splunk Logging Library for JavaOn-Prem1.11.01.11.1TBD
Stream Processor ServiceCloudCurrentPendingTBD

 

Please let us know the work around if there is any impact.

Removing Log4j from Splunk Enterprise

If the Splunk Enterprise instance does not leverage DFS, the presence of those libraries does not introduce an active attack vector. Out of an abundance of caution, you may remove the unused jar files from your Splunk Enterprise instances in the following paths:

  • $SPLUNK_HOME/bin/jars/vendors/spark
  • $SPLUNK_HOME/bin/jars/vendors/libs/splunk-library-javalogging-*.jar
  • $SPLUNK_HOME/bin/jars/SplunkMR*
  • $SPLUNK_HOME/bin/jars/thirdparty/hive*
  • $SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars/*

Upon removal of these jar files, an administrator may see errors at Splunk startup pertaining to file integrity, specific to these jar files. These are expected as you are removing these unused jar files as a workaround. These errors may be ignored. 

*Since a Splunk Heavyweight Forwarder (HWF) is a full-instance copy of Splunk Enterprise with forwarding enabled, the above mitigation may also be applied to HWF instances.

 

| makeresults  - If this reply helped you, a karma point would be appreciated, thanks. 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The blog posting at https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228... should answer your question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...