Splunk response to "GHOST" Vulnerability (CVE-2015-0235)

Advisory ID: SP-CAAANVJ

CVE ID: CVE-2015-0235

Published: 2015-01-28

Last Update: 2015-01-29

CVSSv3.1 Score: -, High

CVSSv3.1 Vector: -

CWE: -

Bug ID: -

Description

Splunk has completed initial investigations regarding the GHOST/CVE-2015-0235 glibc vulnerability. No high severity impacts to Splunk products were identified in the course of investigation.

  • Splunk Enterprise
  • Hunk
  • Splunk Cloud
  • Splunk MINT
  • Splunk App for VMware

At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no CVE Identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2.

Affected Products and Components

  • Splunk Enterprise
    • Affected versions: All versions of Splunk Enterprise 6.2.x, 6.1.x, 6.0.x, and 5.0.x running on Linux.
    • Affected components: search heads, indexers, deployment servers, universal forwarders.
  • Hunk
    • Affected versions: All versions of Hunk 6.2.x, 6.1.x, 6.0.x.
  • Splunk Cloud
    • Affected service: Splunk Cloud will complete updates January 28, 2015.
  • Splunk MINT
    • Affected service: Splunk MINT completed updates as of January 27, 2015.
  • Splunk App for VMware
    • Affected versions: Splunk App for VMware versions 3.1.3 or earlier.

Mitigation and Upgrades

Splunk Enterprise

Splunk strongly recommends upgrading glibc per operating system vendor instructions.

Hunk

Splunk strongly recommends upgrading glibc per operating system vendor instructions.

Splunk Cloud

No customer action required.

Splunk MINT

No customer action required.

Splunk App for VMware

Splunk recommends upgrading glibc per operating system vendor instructions. Please review Splunk App for VMware for further details.

Vulnerability Descriptions and Ratings

Splunk Enterprise

Description: Splunk Enterprise versions 6.2.x, 6.1.x, 6.0.x, and 5.0.x are not directly vulnerable to the Linux glibc vulnerability. It is possible that third-party add-ons do invoke vulnerable calls to gethostbyname().

Splunk strongly recommends customers apply relevant operating system updates.

Hunk

Description: Hunk is not directly vulnerable to the Linux glibc vulnerability. It is possible that third-party add-ons do invoke vulnerable calls to gethostbyname().

Splunk strongly recommends customers apply relevant operating system updates.
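
The script below is an added example, not part of Splunk's advisory or of any Splunk tooling. It inventories files under an add-on directory that reference gethostbyname(), the call that the Splunk Enterprise and Hunk descriptions above flag for third-party add-ons. The directory argument and the function names scan_addons and count_affected_addons are assumptions made for this example.

```shell
#!/bin/sh
# Added example: inventory add-on files that reference gethostbyname*().
# Usage: sh scan_addons.sh /path/to/addons
# The directory is an assumption: pass whichever path holds third-party
# add-ons on your host.

# Print "ADDON<TAB>KIND<TAB>RELATIVE_PATH" for every file under $1 that
# contains the string "gethostbyname" (this also matches gethostbyname2
# and gethostbyname_r).
scan_addons() {
    dir=${1%/}
    # -a searches binaries as text, so imported symbol names in ELF files
    # are matched as well as calls in scripts.
    grep -rla 'gethostbyname' -- "$dir" 2>/dev/null | sort |
    while IFS= read -r path; do
        rel=${path#"$dir"/}
        addon=${rel%%/*}          # first path component = add-on name
        # ELF files start with the bytes 0x7f 'E' 'L' 'F'.
        magic=$(head -c 4 "$path" | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "7f454c46" ]; then kind=elf; else kind=script; fi
        printf '%s\t%s\t%s\n' "$addon" "$kind" "$rel"
    done
}

# Count distinct add-ons with at least one matching file.
count_affected_addons() {
    scan_addons "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Run the scan only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_addons "$1"
fi
```

A hit is a lead for code review, not proof of exposure. Upgrading glibc remains the fix, and processes started before the upgrade keep the old library mapped until they are restarted.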

Splunk Cloud

Description: Splunk Cloud plans to complete precautionary infrastructure updates on January 28, 2015.

Splunk MINT

Description: Splunk MINT completed precautionary infrastructure updates on January 27, 2015.

Splunk App for VMware

Description: Splunk App for VMware 3.1.3 and prior include a vulnerable virtual appliance. No direct exploit vector has been identified. Customers wishing to address this vulnerability are encouraged to deploy the data collection node on user-maintained virtual machines, per the "Create a data collection node" instructions.

Document History

  • 2015-Jan-28: Rev 1. Initial Release
  • 2015-Jan-29: Rev 2. Added link to CVE website