Hi Splunk users,
Last Monday, we became aware of a new set of vulnerabilities announced in OpenSSL. We have reviewed the issues, and have determined that we must update the version of OpenSSL we currently ship to address these issues.
Note: Not all the listed issues are of concern for Splunk. For example, we do not use DTLS. However, “SSL/TLS MITM vulnerability (CVE-2014-0224)” is relevant to Splunk and should be addressed.
We have now posted the following releases containing the fixed version of OpenSSL:
- 5.0.9 – This release contains only the OpenSSL update.
- 6.0.5 – This release contains a number of fixes including the OpenSSL update.
- 6.1.2 – This release contains one fix in addition to the OpenSSL update.
More than 2 dozen platform and version combinations were built and tested to deliver these releases. Our goal is to provide you with a high-quality product, and achieving this takes time. We appreciate your patience.
What versions of Splunk are affected?
- Splunk Enterprise products (including universal forwarders) versions 5.0.x, 6.0.x, and 6.1.x are affected.
- Version 4.3.x is affected, but is no longer officially supported. A fixed version will not be released for 4.3.x.
- Splunk Storm and Splunk Cloud are affected, and will be updated.
Splunk.com was affected and has also been patched.
What is the potential impact of “SSL/TLS MITM vulnerability (CVE-2014-0224)” in my Splunk environment?
This issue means that traffic between instances of Splunk (any traffic other than “browser <=> Splunk Web” traffic) is vulnerable to a “man-in-the-middle” attack in which the attacker can decrypt and completely hijack the connection between the attacked client and server. Note that if you never replaced the default self-signed certificates included with Splunk, you are no more exposed than you were before this vulnerability was announced. However, we always recommend that all Splunk deployments be secured with new certificates. For more information on securing Splunk with SSL certificates, refer to “About securing Splunk with SSL” in the Securing Splunk manual, as well as this timely blog post by Splunk Security team member Jose Hernandez: “Generating Elliptical Curve Certs for Splunk”.
Traffic between Splunk and Splunk-supported browsers (Internet Explorer, Firefox, Chrome on Desktop, Safari) is not affected, because those browsers do not use OpenSSL and this vulnerability requires both the server and the client to be using a vulnerable version of OpenSSL.
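The two conditions above (only Splunk-to-Splunk links matter, and both ends must still run a vulnerable OpenSSL) translate directly into a triage rule for an inventory of forwarders, indexers and search heads. The following is an added example, not Splunk's own code: it encodes the fixed releases listed in this post (5.0.9, 6.0.5, 6.1.2; no fix for 4.3.x), treats a browser endpoint as never vulnerable, and reports only those links where both endpoints are still unpatched. The host names, versions and links are constructed sample data.

```python
"""Triage helper: which Splunk-to-Splunk links are still exposed to CVE-2014-0224.

Added example, not Splunk's own code. Uses the fixed releases named in the
post (5.0.9, 6.0.5, 6.1.2; no fix for 4.3.x) and the post's rule that the
attack needs a vulnerable OpenSSL on BOTH ends of the connection.
"""
from dataclasses import dataclass

# Minimum patched release per supported branch, as listed in the post.
FIXED_RELEASES = {(5, 0): (5, 0, 9), (6, 0): (6, 0, 5), (6, 1): (6, 1, 2)}
UNSUPPORTED_BRANCHES = {(4, 3)}  # affected, and no fix will be released


def parse_version(text):
    """'6.0.4' -> (6, 0, 4); tolerates a trailing build suffix such as '6.0.4 (build ...)'."""
    head = text.strip().split()[0]
    parts = head.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Splunk version: {text!r}")
    return tuple(int(p) for p in parts)


def splunk_version_status(text):
    """Return 'fixed', 'vulnerable' or 'unsupported' (affected, no fix coming)."""
    version = parse_version(text)
    branch = version[:2]
    if branch in UNSUPPORTED_BRANCHES:
        return "unsupported"
    if branch in FIXED_RELEASES:
        return "fixed" if version >= FIXED_RELEASES[branch] else "vulnerable"
    raise ValueError(f"branch {branch[0]}.{branch[1]}.x is not covered by this advisory")


@dataclass(frozen=True)
class Node:
    name: str
    kind: str          # 'splunk' (forwarder/indexer/search head) or 'browser'
    version: str = ""  # Splunk version; empty for browsers


def node_uses_vulnerable_openssl(node):
    """Browsers use their own TLS stacks; only Splunk instances carry the bundled OpenSSL."""
    if node.kind == "browser":
        return False
    return splunk_version_status(node.version) != "fixed"


def exposed_links(nodes, links):
    """Return the links where BOTH endpoints still run a vulnerable OpenSSL.

    links: iterable of (client_name, server_name) pairs.
    """
    by_name = {n.name: n for n in nodes}
    exposed = []
    for client, server in links:
        if node_uses_vulnerable_openssl(by_name[client]) and node_uses_vulnerable_openssl(by_name[server]):
            exposed.append((client, server))
    return exposed


# Constructed sample inventory: hypothetical hosts, not real ones.
SAMPLE_NODES = [
    Node("uf-web01", "splunk", "6.1.1"),
    Node("uf-db01", "splunk", "5.0.9 (build 000000)"),  # constructed build suffix
    Node("idx-a", "splunk", "6.0.4"),
    Node("sh-1", "splunk", "6.1.2"),
    Node("legacy-fwd", "splunk", "4.3.7"),
    Node("analyst-laptop", "browser"),
]
SAMPLE_LINKS = [
    ("uf-web01", "idx-a"),       # both unpatched -> exposed
    ("uf-db01", "idx-a"),        # forwarder patched -> not exposed
    ("legacy-fwd", "idx-a"),     # 4.3.x (no fix) talking to 6.0.4 -> exposed
    ("sh-1", "idx-a"),           # search head patched -> not exposed
    ("analyst-laptop", "sh-1"),  # browser <=> Splunk Web -> not exposed
]

if __name__ == "__main__":
    for node in SAMPLE_NODES:
        if node.kind == "splunk":
            print(f"{node.name:15} {node.version:22} {splunk_version_status(node.version)}")
    for client, server in exposed_links(SAMPLE_NODES, SAMPLE_LINKS):
        print(f"EXPOSED: {client} -> {server}")
```

The "legacy-fwd" entry shows why the 4.3.x note in this post matters for prioritisation: a link from an unsupported forwarder stays exposed until the other end is patched, because patching either side alone breaks the "both vulnerable" precondition.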
What happens next?
We have updated the version of OpenSSL used by Splunk Enterprise and are now in the process of building and testing Splunk on more than 2 dozen platform and version combinations. We understand that this is an important update, and are working as fast as we can to deliver a quality release to you. We expect to release the following versions of Splunk Enterprise as maintenance releases the week of June 30th:
The version of OpenSSL used by Splunk Storm and Splunk Cloud will be updated soon. I will update this post with specifics when we have them, as well as with any updates on the delivery schedule mentioned above.