Splunk response to January 2015 OpenSSL vulnerabilities

Description

Splunk has completed initial review of the January 2015 OpenSSL security advisory. In March 2015, one of the included vulnerabilities was documented as the Freak attack. Please review specific product responses for further information on affected Splunk products. Splunk will update this advisory as additional information becomes available. Due to the volume of products and vulnerabilities in this advisory, CVSS numbers are not included. All issues referenced in this advisory are currently believed to be low severity.

At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no CVE Identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2.

Affected Products and Components

  • Splunk Enterprise
    • Affected versions: All versions of Splunk Enterprise 6.2.x, 6.1.x, 6.0.x, and 5.0.x.
    • Affected components: Search heads, heavy forwarders, universal forwarders, indexers, KV Store, and apps leveraging Splunk OpenSSL.
  • Hunk
    • Affected versions: All versions of Hunk 6.2.x, 6.1.x, and 6.0.x.
  • Splunk Cloud
  • Splunk MINT
  • Splunk Storm
  • Splunk App for Stream
  • Splunk App for VMware
  • Splunk App for NetApp Data ONTAP

Vulnerability Descriptions

Splunk Enterprise response to January 2015 OpenSSL vulnerabilities

Description: Splunk has reviewed Enterprise 6.2.x, 6.1.x, 6.0.x, and 5.0.x, and reviewed the release of OpenSSL 1.0.1k and OpenSSL 0.9.8zd. OpenSSL will be upgraded in conjunction with upcoming Splunk Enterprise releases.

CVE-2014-3571, CVE-2015-0206 - DTLS Issues

Splunk Enterprise and Hunk do not use DTLS and are not affected by these vulnerabilities.

CVE-2014-3569 - no-ssl3 configuration sets method to NULL

Splunk Enterprise and Hunk are not affected.

CVE-2014-3572 - ECDHE silently downgrades to ECDH (client-only)

This vulnerability could let an attacker strip ephemeral-key (ECDHE) support anywhere Splunk Enterprise, Hunk, or Splunk Apps act as a TLS client, silently downgrading the key exchange to static ECDH. It only affects environments where certificate validation is enabled and cipherSuites have been restricted to ECDHE. ECDH encryption is still considered strong and does not present an immediate risk.

CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA (client)

This vulnerability is also known as the Freak attack. It enables a man-in-the-middle attacker to degrade session security. Splunk Web, Indexer, and splunkd management do not support EXPORT ciphers.

Splunk 6.2.2 was released with an upgraded OpenSSL that addresses this issue. OpenSSL upgrades will be part of upcoming maintenance releases for Splunk 6.1.x, 6.0.x, and 5.0.x.
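As an added example (not Splunk's code), a small triage helper for the checks this section describes: whether the OpenSSL a Splunk host reports is at or past the 1.0.1k / 0.9.8zd fix releases, and whether a cipherSuite value either admits EXPORT suites (the Freak condition) or is restricted to ECDHE (the CVE-2014-3572 condition). It assumes the version line comes from the bundled binary (for example `splunk cmd openssl version`) and that the cipherSuite value uses OpenSSL cipher-list syntax; the cipher checks are token heuristics, not a full cipher-list evaluator.

```python
"""Triage helper for the January 2015 OpenSSL advisory on a Splunk host.
Added example, not Splunk's code.  Assumes the version line comes from the
OpenSSL bundled with Splunk; distro-patched builds keep old version strings
and need a package-level check instead."""
import re

# Branches reviewed in the advisory and the release that fixes each of them.
FIXED = {(1, 0, 1): "k", (0, 9, 8): "zd"}
_VER = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letters) from an `openssl version` line."""
    m = _VER.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def letters_key(letters):
    # Patch letters run a..y, then za, zb, ...: compare by length first.
    return (len(letters), letters)


def is_fixed(text):
    """True if the reported OpenSSL is at or past the advisory's fix release.
    Branches the advisory does not cover (e.g. 1.0.0) return None."""
    branch, letters = parse_version(text)
    if branch not in FIXED:
        return None
    return letters_key(letters) >= letters_key(FIXED[branch])


def export_ciphers_possible(cipher_suite):
    """Heuristic: could this cipher list admit EXPORT-grade suites?  In OpenSSL
    1.0.1, ALL and DEFAULT still include them unless explicitly killed."""
    tokens = [t.upper() for t in cipher_suite.split(":") if t]
    if any(t in ("!EXP", "!EXPORT") for t in tokens):
        return False
    broad = {"ALL", "DEFAULT", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
             "COMPLEMENTOFDEFAULT"}
    return any(t.lstrip("+") in broad or t.startswith("EXP-") for t in tokens)


def ecdhe_only(cipher_suite):
    """Heuristic: is every positively selected suite an ECDHE suite?"""
    positive = [t.upper() for t in cipher_suite.split(":") if t and t[0] not in "!-@"]
    return bool(positive) and all(t.lstrip("+").startswith("ECDHE") for t in positive)
```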

CVE-2014-3570 - Bignum squaring may produce incorrect results

Per the OpenSSL advisory, attacks involving private keys cannot be controlled by an attacker, and this is believed to be a non-issue on Splunk Enterprise and Hunk.

Hunk response to January 2015 OpenSSL vulnerabilities

Description: Hunk currently plans to upgrade OpenSSL in service components in a future release and to work with customers on the deployment of upgraded Universal Forwarders. For further component details, please see the Splunk Enterprise response.

Splunk Cloud response to January 2015 OpenSSL vulnerabilities

Description: Splunk Cloud currently plans to upgrade OpenSSL in service components and to work with customers on the deployment of upgraded Universal Forwarders. For further information regarding forwarder components, please see the Splunk Enterprise response.

Splunk MINT response to January 2015 OpenSSL vulnerabilities

Description: Splunk MINT is not directly impacted by these vulnerabilities. The Splunk MINT SDK leverages mobile-device specific SSL libraries that may be affected. Splunk MINT will be applying infrastructure patches during regularly scheduled maintenance.

Splunk Storm response to January 2015 OpenSSL vulnerabilities

Description: Splunk Storm is currently evaluating this advisory.

Splunk App for Stream response to January 2015 OpenSSL vulnerabilities

Description: Splunk App for Stream has performed initial triage. None of the published OpenSSL vulnerabilities pose an immediate risk to customer environments. Splunk App for Stream 6.2 upgrades the included OpenSSL dependency.

Splunk App for VMware response to January 2015 OpenSSL vulnerabilities

Description: Splunk App for VMware has performed initial triage. None of the published OpenSSL vulnerabilities pose an immediate risk to customer environments. A future release of Splunk App for VMware will address these vulnerabilities.

Splunk App for NetApp Data ONTAP response to January 2015 OpenSSL vulnerabilities

Description: Splunk App for NetApp Data ONTAP has performed initial triage. None of the published OpenSSL vulnerabilities pose an immediate risk to customer environments. Splunk App for NetApp Data ONTAP leverages the OpenSSL shipped with Splunk Enterprise. For further information, please review the Splunk Enterprise response.