Splunk has completed an initial review of the January 2015 OpenSSL security advisory. In March 2015, one of the vulnerabilities it covers was publicly documented as the FREAK attack. Please review the specific product responses below for further information on affected Splunk products. Splunk will update this advisory as additional information becomes available. Because of the number of products and vulnerabilities covered, CVSS scores are not included. All issues referenced in this advisory are currently believed to be of low severity.
At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no CVE Identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2.
Description: Splunk has reviewed Splunk Enterprise 6.2.x, 6.1.x, 6.0.x, and 5.0.x against the OpenSSL 1.0.1k and OpenSSL 0.9.8zd releases. OpenSSL will be upgraded in conjunction with upcoming Splunk Enterprise releases.
Splunk Enterprise and Hunk do not use DTLS and are not affected by these vulnerabilities.
Splunk Enterprise and Hunk are not affected.
This vulnerability could allow a man-in-the-middle attacker to strip ephemeral key support wherever Splunk Enterprise, Hunk, or Splunk Apps act as a TLS client, so that a session negotiated for ECDHE silently falls back to static ECDH and loses forward secrecy. It only affects environments where certificate validation is enabled and cipherSuites has been restricted to ECDHE. ECDH encryption is still considered strong and does not present an immediate risk.
This vulnerability is also known as the FREAK attack. It allows a man-in-the-middle attacker to degrade session security by forcing a client into weak EXPORT-grade RSA cipher suites. Splunk Web, the Indexer, and splunkd management do not support EXPORT ciphers.
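Both of the preceding issues come down to which key-exchange methods the configured cipher string still allows: the ECDHE-to-ECDH downgrade matters only where a client has been restricted to ECDHE, and FREAK needs an EXPORT suite to land on. The following audit script is an added example, not Splunk's code or part of this advisory. It assumes a server.conf [sslConfig] stanza whose cipherSuites value is an OpenSSL cipher string, expands that string with whatever OpenSSL the local Python interpreter is linked against, and reports any suite that is EXPORT-grade, anonymous, or lacks forward secrecy. The two stanzas in the script are constructed samples. Note the caveat in the comments: Splunk bundles its own OpenSSL, so the expansion you get here reflects the local library, not necessarily the one splunkd uses.

```python
import configparser
import ssl

# Constructed sample stanzas (not from any real deployment). The stanza and
# setting names follow Splunk's server.conf [sslConfig] / cipherSuites, which
# takes an OpenSSL cipher string.
SAMPLE_WEAK = """
[sslConfig]
cipherSuites = AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
"""

SAMPLE_STRONG = """
[sslConfig]
cipherSuites = ECDHE+AESGCM
"""

# Name prefixes OpenSSL uses for ephemeral (forward-secret) key exchange in
# TLS 1.2 and earlier suites. TLS 1.3 suites are handled by protocol below.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "EECDH-")
ANONYMOUS_PREFIXES = ("ADH-", "AECDH-")


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the OpenSSL this interpreter links.

    Caveat: Splunk ships its own OpenSSL, so run this with a Python that links
    the same library version to get the list splunkd would actually negotiate.
    Returns the enabled suites in priority order as the dicts produced by
    SSLContext.get_ciphers(), or [] when OpenSSL can select no cipher at all
    (for example 'EXPORT' on any build that no longer ships export suites).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def classify_cipher(cipher):
    """Map one get_ciphers() entry to a finding category, or 'ok'."""
    name = cipher["name"]
    if cipher["protocol"] == "TLSv1.3":
        return "ok"  # every TLS 1.3 suite uses ephemeral (EC)DHE key exchange
    if "EXP" in name:
        return "export"  # 40/56-bit export suites: the FREAK downgrade target
    if name.startswith(ANONYMOUS_PREFIXES):
        return "anonymous"  # no server authentication at all
    if not name.startswith(EPHEMERAL_PREFIXES):
        return "no-forward-secrecy"  # static RSA/DH/ECDH key exchange
    return "ok"


def audit_cipher_suites(conf_text):
    """Audit the cipherSuites value of an [sslConfig] stanza.

    Returns a dict with the raw setting, the expanded suite names and a
    'findings' mapping of category -> [suite names]. An empty 'findings'
    means every negotiable suite is authenticated, ephemeral and non-export.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cipher_string = cp.get("sslConfig", "cipherSuites", fallback=None)
    findings = {}
    if cipher_string is None:
        findings["unset"] = ["cipherSuites not set; OpenSSL's default list applies"]
        return {"cipherSuites": None, "ciphers": [], "findings": findings}
    ciphers = expand_cipher_string(cipher_string)
    if not ciphers:
        findings["empty"] = ["no suite can be selected from this cipher string"]
    for cipher in ciphers:
        category = classify_cipher(cipher)
        if category != "ok":
            findings.setdefault(category, []).append(cipher["name"])
    return {
        "cipherSuites": cipher_string,
        "ciphers": [c["name"] for c in ciphers],
        "findings": findings,
    }


if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        result = audit_cipher_suites(conf)
        print(label, result["cipherSuites"], "->", result["findings"] or "clean")
```

The weak sample is flagged because AES128-GCM-SHA256 uses static RSA key exchange, which is exactly the kind of suite a client must not be able to fall back to; the strong sample expands to ECDHE-only suites and comes back clean. On a current OpenSSL the EXPORT keyword selects nothing at all, which the script reports as an empty expansion rather than a pass.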
Splunk Enterprise 6.2.2 has been released with an upgraded OpenSSL that addresses this issue. OpenSSL upgrades will be part of upcoming maintenance releases for Splunk 6.1.x, 6.0.x, and 5.0.x.
Per the OpenSSL advisory, the inputs to the affected computation are not attacker-controlled where private keys are involved, so this is believed to be a non-issue for Splunk Enterprise and Hunk.
Description: Hunk currently plans to upgrade OpenSSL in its service components in a future release and to work with customers on deploying upgraded Universal Forwarders. For detailed component information, please see the Splunk Enterprise response.
Description: Splunk Cloud currently plans to upgrade OpenSSL in its service components and to work with customers on deploying upgraded Universal Forwarders. For further information regarding forwarder components, please see the Splunk Enterprise response.
Description: Splunk MINT is not directly impacted by these vulnerabilities. The Splunk MINT SDK leverages mobile-device specific SSL libraries that may be affected. Splunk MINT will be applying infrastructure patches during regularly scheduled maintenance.
Description: Splunk App for VMware has performed initial triage. None of the published OpenSSL vulnerabilities pose an immediate risk to customer environments. A future release of Splunk App for VMware will address these vulnerabilities.
Description: Splunk App for NetApp Data ONTAP has performed initial triage. None of the published OpenSSL vulnerabilities pose an immediate risk to customer environments. Splunk App for NetApp Data ONTAP leverages OpenSSL shipped with Splunk Enterprise. For further information, please review Splunk Enterprise response.