Splunk and the Heartbleed SSL vulnerability

(Update: we’ve posted a fix for this issue, see

Dear Splunk users,

As you’re likely aware, a significant vulnerability in OpenSSL, which the security community is calling the “Heartbleed” vulnerability, was discovered and publicized earlier this week. This is not a bug in code that Splunk produced, but rather in a component of a package that is in common use throughout the software industry.

The purpose of this blog post is to inform you about what Splunk is doing to address this issue.   For more detailed information about the vulnerability itself, refer to

Here’s what you need to know:

What versions of Splunk are affected?

  • Splunk Enterprise versions 6.0, 6.0.1, and 6.0.2 are affected. This includes all indexers, search heads, forwarders, deployment servers, and license servers for these versions. No other versions of Splunk Enterprise are affected. 
  •  Splunk Storm and Splunk Cloud were affected, but have been secured.

What is Splunk doing about it?

We are currently QA testing our fix for Splunk Enterprise, but it is taking a while because our product is complex, multi-platform, and this fix has significant potential impact within our product. We want to make sure we deliver a quality product fix to you.

We’ll be making a 6.0.3 version (with just this fix in it) available, then follow that with patches for 6.0-6.0.2. This means you will have a choice as to whether you want to upgrade or patch. We of course recommend that you upgrade to the latest version, as well as review the content in our “Securing Splunk” manual about hardening your Splunk deployment.

How am I impacted?

The great majority of Splunk deployments are behind firewalls and/or require VPN access, and so do not have a high level of exposure as a result of this vulnerability.  If your Splunk deployment allows access from outside your firewall or VPN, you are exposed and could be impacted by this vulnerability.

What happens next?

We will make an announcement on our Security Portal within the next few days when we have completed our testing and posted the fix. You can watch for an announcement there via RSS.

rachel perkins

Posted by