Splunk Enterprise 6.5.1 addresses multiple OpenSSL vulnerabilities

Table of Contents

Description

Splunk Enterprise 6.5.1 addresses multiple OpenSSL vulnerabilities. Splunk Enterprise 6.0.13, 6.1.12, 6.2.12, 6.3.8, 6.4.5 also address all vulnerabilities in this advisory. Splunk Enterprise 5.0.x will not be patched for OpenSSL issues. Splunk recommends updating to the latest version of Splunk Enterprise. Please refer to the notes on OpenSSL configuration changes below, in order to fully address all OpenSSL issues.

At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no Common Vulnerabilities and Exposures (CVE) identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2 (CVSS v2).

Affected Products and Components

  • OpenSSL vulnerabilities including SWEET32 addressed by version upgrade to 1.0.1u and 1.0.2j (SPL-129207)
    • Affected Product Versions: Splunk Enterprise versions 6.0.x before 6.0.13, 6.1.x before 6.1.12, 6.2.x before 6.2.12, 6.3.x before 6.3.8, 6.4.x before 6.4.5, 6.5.0 and Splunk Light versions before 6.5.0.
    • Affected Components: All Splunk Enterprise components
  • Multiple Vulnerabilities in Python (CVE-2016-5636, CVE-2016-5699, CVE-2016-0772) (SPL-128812)
    • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.1, 6.4.x before 6.4.5, 6.3.x before 6.3.8, 6.2.x before 6.2.12, 6.1.x before 6.1.12, 6.0.x before 6.0.13, 5.0.x before 5.0.17 and Splunk Light versions before 6.5.1
    • Affected Components: All Splunk Enterprise components except for Universal Forwarder
    • Unaffected Components: Universal Forwarder

    Mitigation and Upgrades

    To mitigate these issues, Splunk recommends upgrading to the latest release and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise and Splunk Light releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes.

    Vulnerability Descriptions and Ratings

    OpenSSL vulnerabilities including SWEET32 addressed by version upgrade to 1.0.1u and 1.0.2j (SPL-129207)

    Description: Splunk Enterprise versions 6.0.x before 6.0.13, 6.1.x before 6.1.12, 6.2.x before 6.2.12, 6.3.x before 6.3.8, 6.4.x before 6.3.5, 6.5.0 and Splunk Light versions before 6.5.0 are affected by multiple vulnerabilities in OpenSSL include SWEET32 (1, 2 (SWEET32) , 3, 4, 5, 6, 7, 8, 9, 10, 11). OpenSSL has been upgraded to 1.0.1u or 1.0.2j appropriately to address the vulnerabilities.

    Notes: Splunk Enterprise 5.0.x will not be patched for OpenSSL issues. Splunk recommends updating to the latest version of Splunk Enterprise.

    In order to address the OpenSSL SWEET32, vulnerability, along with the version update, the SSL cipherSuite should be updated on inputs.conf file to remove medium strength ciphers (:Medium:).

    Multiple Vulnerabilities in Python (CVE-2016-5636, CVE-2016-5699, CVE-2016-0772) (SPL-128812)

    Description: Splunk Enterprise versions 6.5.x before 6.5.1, 6.4.x before 6.4.5, 6.3.x before 6.3.8, 6.2.x before 6.2.12, 6.1.x before 6.1.12, 6.0.x before 6.0.13, 5.0.x before 5.0.17 and Splunk Light versions before 6.5.1 are affected by multiple vulnerabilities in Python (1, 2, 3). Python 2.7.12 security fixes were backported.

    Notes: These Python issues were previously incorrectly stated as addressed in Splunk Enterprise 6.4.4 and Splunk Enterprise 6.5.0.