Splunk Enterprise

Threat Sharing Report: CVE-2021-44228: Apache Log4j RCE

sauravkumar702
Observer

Hi Team,

 

I am checking for an update on whether the Splunk application is also exposed to the Apache Log4j vulnerability.

Please let us know the workaround if there is any impact.

Thanks


inventsekar
SplunkTrust

I am checking for an update on whether the Splunk application is also exposed to the Apache Log4j vulnerability.

Yes. These Splunk products are impacted:
(In short: Splunk Enterprise is impacted when the Data Federated Search (DFS) feature is used.)

| Product | Cloud/On-Prem | Impacted Versions | Fixed Version | Workaround |
|---|---|---|---|---|
| Add-On: Java Management Extensions | Both | 5.2.0 and previous | Pending | TBD |
| Add-On: JBoss | Both | 3.0.0, 2.1.0 | Pending | TBD |
| Add-On: Tomcat | Both | 3.0.0, 2.1.0 | Pending | TBD |
| Data Stream Processor | On-Prem | DSP 1.0.x, DSP 1.1.x, DSP 1.2.x | Pending | TBD |
| IT Essentials Work | Both | 4.11, 4.10.x (Cloud only), 4.9.x | 4.11.1, 4.10.3, additional versions pending for release early this week | TBD |
| IT Service Intelligence (ITSI) | Both | 4.11.0, 4.10.x (Cloud only), 4.9.x, 4.8.x (Cloud only), 4.7.x, 4.6.x, 4.5.x | 4.11.1, 4.10.3, additional versions pending for release early this week | TBD |
| Splunk Connect for Kafka | On-Prem | 2.0.3 | 2.0.4 | Released the patched version on 12/11/21 |
| Splunk Enterprise | On-Prem | All supported non-Windows versions of 8.1.x and 8.2.x, only if DFS is used. See Removing Log4j from Splunk Enterprise below for guidance on unsupported versions. | 8.1.7.1, 8.2.3.2 | See Removing Log4j from Splunk Enterprise section below |
| Splunk Enterprise Amazon Machine Image (AMI) | On-Prem | See Splunk Enterprise | Pending | TBD |
| Splunk Enterprise Docker Container | On-Prem | See Splunk Enterprise | Pending | TBD |
| Splunk Logging Library for Java | On-Prem | 1.11.0 | 1.11.1 | TBD |
| Stream Processor Service | Cloud | Current | Pending | TBD |

 

Please let us know the workaround if there is any impact.

Removing Log4j from Splunk Enterprise

If the Splunk Enterprise instance does not leverage DFS, the presence of those libraries does not introduce an active attack vector. Out of an abundance of caution, you may remove the unused jar files from your Splunk Enterprise instances in the following paths:

  • $SPLUNK_HOME/bin/jars/vendors/spark
  • $SPLUNK_HOME/bin/jars/vendors/libs/splunk-library-javalogging-*.jar
  • $SPLUNK_HOME/bin/jars/SplunkMR*
  • $SPLUNK_HOME/bin/jars/thirdparty/hive*
  • $SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars/*

Upon removal of these jar files, an administrator may see errors at Splunk startup pertaining to file integrity, specific to these jar files. These are expected as you are removing these unused jar files as a workaround. These errors may be ignored. 

*Since a Splunk Heavyweight Forwarder (HWF) is a full-instance copy of Splunk Enterprise with forwarding enabled, the above mitigation may also be applied to HWF instances.

 

| makeresults  - If this reply helped you, a karma point would be appreciated, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
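The "Removing Log4j from Splunk Enterprise" workaround quoted above says which paths to clear but gives no way to see what is actually sitting there before you delete it, or to undo the change. The script below is an added example (not Splunk's tooling, not part of the advisory or the post) that inventories the advisory's five paths under $SPLUNK_HOME, checks each jar for the JndiLookup class that makes CVE-2021-44228 reachable and for the bundled log4j-core version, and, only on request, moves the files into a quarantine directory that mirrors their original layout so they can be put back. The mock $SPLUNK_HOME it builds for its dry run, the jar names inside it, and the quarantine path are constructed for the demonstration; only the five globs come from the advisory. As the advisory notes, the file-integrity warnings at the next Splunk start are expected after the move, and the move is only for instances that do not use DFS.

```python
"""Inventory and optionally quarantine the Log4j-bearing jars the Splunk
advisory lists under $SPLUNK_HOME.  Added example, not Splunk tooling; the
scanner, the quarantine layout and the sample jars are assumptions."""
import argparse
import glob
import os
import shutil
import tempfile
import zipfile

# Paths from the advisory, relative to $SPLUNK_HOME (vendors/spark is a directory).
ADVISORY_GLOBS = [
    "bin/jars/vendors/spark",
    "bin/jars/vendors/libs/splunk-library-javalogging-*.jar",
    "bin/jars/SplunkMR*",
    "bin/jars/thirdparty/hive*",
    "etc/apps/splunk_archiver/java-bin/jars/*",
]
# The lookup class that makes CVE-2021-44228 reachable in log4j-core 2.x,
# and the Maven metadata that carries the bundled log4j-core version.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def expand_paths(splunk_home):
    """Resolve the advisory globs to files; directory matches are walked."""
    files = []
    for pattern in ADVISORY_GLOBS:
        for match in glob.glob(os.path.join(splunk_home, pattern)):
            if os.path.isdir(match):
                for root, _dirs, names in os.walk(match):
                    files.extend(os.path.join(root, n) for n in names)
            else:
                files.append(match)
    return sorted(set(files))


def inspect_jar(path):
    """Return (has_jndi_lookup, log4j_core_version); None if not a zip.
    Checking for the class rather than the filename also catches shaded jars."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return JNDI_LOOKUP in names, version


def scan(splunk_home):
    """One dict per advisory-listed file: path, jar?, JndiLookup?, version."""
    report = []
    for path in expand_paths(splunk_home):
        info = inspect_jar(path)
        report.append({
            "path": os.path.relpath(path, splunk_home),
            "is_jar": info is not None,
            "has_jndi_lookup": bool(info and info[0]),
            "log4j_core_version": info[1] if info else None,
        })
    return report


def quarantine(splunk_home, quarantine_dir):
    """Move the listed files out of $SPLUNK_HOME, keeping their relative paths
    under quarantine_dir so they can be restored; returns the moved paths.
    Only for instances that do not use DFS; expect file-integrity warnings
    at the next Splunk start, as the advisory says."""
    dirs = [m for p in ADVISORY_GLOBS
            for m in glob.glob(os.path.join(splunk_home, p)) if os.path.isdir(m)]
    moved = []
    for path in expand_paths(splunk_home):
        rel = os.path.relpath(path, splunk_home)
        dest = os.path.join(quarantine_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(path, dest)
        moved.append(rel)
    for d in dirs:  # now empty; the advisory removes the whole spark tree
        shutil.rmtree(d)
    return moved


def _write_jar(path, entries):
    """Write a constructed sample jar; entries is {member name: bytes}."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)


def build_fixture(root):
    """Constructed mock $SPLUNK_HOME (not a real install); names are made up."""
    _write_jar(os.path.join(root, "bin/jars/vendors/spark/jars/log4j-core-2.11.2.jar"),
               {JNDI_LOOKUP: b"\xca\xfe\xba\xbe",
                POM_PROPS: b"groupId=org.apache.logging.log4j\nversion=2.11.2\n"})
    _write_jar(os.path.join(root, "bin/jars/vendors/libs/splunk-library-javalogging-1.11.0.jar"),
               {"com/splunk/logging/Sender.class": b"\xca\xfe\xba\xbe"})
    _write_jar(os.path.join(root, "bin/jars/SplunkMR-example.jar"), {"x.class": b""})
    _write_jar(os.path.join(root, "bin/jars/thirdparty/hive-exec.jar"), {"x.class": b""})
    _write_jar(os.path.join(root, "etc/apps/splunk_archiver/java-bin/jars/archiver.jar"),
               {"x.class": b""})
    _write_jar(os.path.join(root, "bin/jars/unrelated.jar"), {"x.class": b""})  # must stay


def demo():
    """Scan the mock install, quarantine it, rescan; returns the evidence."""
    with tempfile.TemporaryDirectory() as tmp:
        home, qdir = os.path.join(tmp, "splunk"), os.path.join(tmp, "quarantine")
        build_fixture(home)
        before = scan(home)
        moved = quarantine(home, qdir)
        after = scan(home)
        survivors = sorted(os.path.relpath(p, home)
                           for p in glob.glob(os.path.join(home, "bin/jars/*.jar")))
        return before, moved, after, survivors


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--splunk-home", default=os.environ.get("SPLUNK_HOME", "/opt/splunk"))
    ap.add_argument("--apply", action="store_true", help="move the files to the quarantine dir")
    ap.add_argument("--quarantine-dir", default="/var/tmp/splunk-log4j-quarantine")
    args = ap.parse_args()
    for row in scan(args.splunk_home):
        print(row)
    if args.apply:
        print("moved:", quarantine(args.splunk_home, args.quarantine_dir))
```

Run it without `--apply` first and keep the report: it tells you which of the advisory's paths actually exist on that instance and which jars carry a vulnerable log4j-core, which is also what you will want to show an auditor. Moving rather than deleting keeps the rollback trivial if a forwarder or search head turns out to need one of the files after all.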

richgalloway
SplunkTrust

The blog posting at https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228... should answer your question.

---
If this reply helps you, Karma would be appreciated.