Splunk Enterprise response to January 2015 OpenSSL vulnerabilities
Description: Splunk has reviewed Enterprise 6.2.x, 6.1.x, 6.0.x, and 5.0.x, and reviewed the release of OpenSSL 1.0.1k and OpenSSL 0.9.8zd. OpenSSL will be upgraded in conjunction with upcoming Splunk Enterprise releases.
CVE-2014-3571, CVE-2015-0206 - DTLS Issues
Splunk Enterprise and Hunk do not use DTLS and are not affected by these vulnerabilities.
CVE-2014-3569 - no-ssl3 configuration sets method to NULL
Splunk Enterprise and Hunk are not affected.
CVE-2014-3572 - ECDHE silently downgrades to ECDH (client-only)
This vulnerability could enable an attacker to remove ephemeral keys support anywhere Splunk Enterprise, Hunk, or Splunk Apps act as a TLS client. The vulnerability only impacts environments where certificate validation is enabled and cipherSuites have been restricted to ECDHE. ECDH encryption is still considered strong and does not present an immediate risk.
CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA (client)
This vulnerability is also known as the Freak attack. This vulnerability enables a man-in-the middle attacker to degrade session security. Splunk Web, Indexer, and splunkd management do not support EXPORT ciphers.
Splunk 6.2.2 was released addressing upgrading OpenSSL upgrades for this issue. OpenSSL upgrades will be part of upcoming maintenance releases for Splunk 6.1.x, 6.0.x, and 5.0.x.
CVE-2014-3570 - Bignum squaring may produce incorrect results
Per the OpenSSL advisory, attacks involving private keys are not able to be controlled by attackers and it is believed to be a non-issue on Splunk Enterprise and Hunk.