Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do Splunk releases integrate security patches for dependent libraries?

dwaddle
SplunkTrust
SplunkTrust
‎09-10-2010 02:25 AM

Splunk includes as part of its own installation several other dependent packages, like:

  • OpenSSL
  • Python
  • CherryPy
  • zlib
  • libbz2
  • pcre

Each of these will occasionally have fixes come out that are security related. How does the Splunk team handle this? (Eg, each new splunk release always has the 'latest' versions of dependencies, security patches to dependencies get backported, or something else?) When a dependency has been updated to resolve a security issue, is this documented in the release notes?

Without bugging support all of the time, how do we know whether or not our Splunk installations are vulnerable to problems in these dependent libraries?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎09-13-2010 08:52 PM

Hi dwaddle,

We have a software security group that works with our principal engineers to monitor, triage, and implement new versions of our dependencies.

We keep an eye on our dependencies using various methods, both manual (e.g reading full-disclosure and other mailing lists) and automated (e.g. RSS feeds into Splunk). When a new release is announced (security-specific or otherwise), we will open a requirement to investigate and potentially implement the new version of the dependency.

We will then triage the new release of the dependency in question to see if the fixes contained within are even applicable to the subset of the dependency code that we ship with Splunk. Take the most recent OpenSSL vulnerability announcement as documented at http://www.openssl.org/news/secadv_20100601.txt: neither of these issues apply to the version of OpenSSL that ships with Splunk, as we do not compile with the CMS code and are not on version 1.0.0.

From there, we analyze the risk of the particular vulnerability and determine how soon we need to implement the fix. If the risk and impact of exploitation are extremely high, we might issue a maintenance release just for this issue just as we would with a high-risk, high-impact vulnerability in our proprietary code.

Similarly, we have to consider the implications of implementing a new version of a dependency from a stability and portability point of view, both before we commit to the change as well as during the certification process. Thus, we won't always have the "latest, greatest" version of our dependencies, but trust me, it is not because we are lazy or ignorant!

When appropriate, we do note dependency changes in the release notes. Take the following example from http://www.splunk.com/base/Documentation/4.0.7/ReleaseNotes/4.0.7:

Splunk's implementation of openssl has been updated to fix the CVE-2009-3555 vulnerability. (SPL-27483)

If you want to know about what specific versions we use, I wish I could say that you can use the "Credits" section in the release notes, but it appears that we are not sufficiently specific about the version. I will work on getting that information up to date.

I should also point you to our product security portal, which contains all vulnerability announcements, policies, best practices, and submission process:

http://www.splunk.com/page/securityportal/

(We also have an RSS feed for it at http://www.splunk.com/page/securityportal/rss)

-araitz

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎09-13-2010 08:52 PM

Hi dwaddle,

We have a software security group that works with our principal engineers to monitor, triage, and implement new versions of our dependencies.

We keep an eye on our dependencies using various methods, both manual (e.g reading full-disclosure and other mailing lists) and automated (e.g. RSS feeds into Splunk). When a new release is announced (security-specific or otherwise), we will open a requirement to investigate and potentially implement the new version of the dependency.

We will then triage the new release of the dependency in question to see if the fixes contained within are even applicable to the subset of the dependency code that we ship with Splunk. Take the most recent OpenSSL vulnerability announcement as documented at http://www.openssl.org/news/secadv_20100601.txt: neither of these issues apply to the version of OpenSSL that ships with Splunk, as we do not compile with the CMS code and are not on version 1.0.0.

From there, we analyze the risk of the particular vulnerability and determine how soon we need to implement the fix. If the risk and impact of exploitation are extremely high, we might issue a maintenance release just for this issue just as we would with a high-risk, high-impact vulnerability in our proprietary code.

Similarly, we have to consider the implications of implementing a new version of a dependency from a stability and portability point of view, both before we commit to the change as well as during the certification process. Thus, we won't always have the "latest, greatest" version of our dependencies, but trust me, it is not because we are lazy or ignorant!

When appropriate, we do note dependency changes in the release notes. Take the following example from http://www.splunk.com/base/Documentation/4.0.7/ReleaseNotes/4.0.7:

Splunk's implementation of openssl has been updated to fix the CVE-2009-3555 vulnerability. (SPL-27483)

If you want to know about what specific versions we use, I wish I could say that you can use the "Credits" section in the release notes, but it appears that we are not sufficiently specific about the version. I will work on getting that information up to date.

I should also point you to our product security portal, which contains all vulnerability announcements, policies, best practices, and submission process:

http://www.splunk.com/page/securityportal/

(We also have an RSS feed for it at http://www.splunk.com/page/securityportal/rss)

-araitz

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎09-13-2010 09:05 PM

Excellent - exactly what I was looking for

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...