SPLUNK INC. Updated 4pm PT, 12/11/21
A critical remote code execution vulnerability impacting at least Apache Log4j 2 (versions 2.0 to 2.14.1) was recently announced by Apache. This vulnerability is designated by Mitre as CVE-2021-44228 with the highest severity rating of 10.0. The vulnerability is also known as Log4Shell or LogJam by security researchers. If exploited, this vulnerability allows adversaries to potentially take full control of the impacted system.
Log4j 2 is a commonly used open source third party Java logging library used in software applications and services.
Splunk is currently reviewing our supported products for impact and evaluating options for remediation and/or or mitigation. The below tables contain our most up-to-date guidance on our products. These products are tracked separately across On Prem and Cloud products.
Please return to this posting for the most up to date information. Current customers can file support tickets through standard channels for specific guidance.
Summary of Impact for Splunk Enterprise and Splunk Cloud
Core Splunk Enterprise functionality does not use Log4j and is therefore not impacted. However, if Data Fabric Search (DFS) and Splunk Analytics for Hadoop (Hunk) product features are used, there is an impact because these product features leverage Log4j. If these features are not used, there is no active attack vector related to CVE-2021-44228.
All recent non-Windows versions of Splunk Enterprise include Log4j for these features. Windows versions of Splunk Enterprise do not include Log4j. Customers may follow the guidance in the "Removing Log4j from Splunk Enterprise" section below to remove these packages out of an abundance of caution. Official patches to upgrade the Log4j packages and mitigate the vulnerability in all usage scenarios are planned to be available no later than Monday, December 13, 2021.
Core Splunk Cloud is not impacted by CVE-2021-44228. For potential impact on Splunk supported applications installed on Splunk Enterprise or Splunk Cloud, see the tables below.
Impacted Products
These products are known to be impacted by CVE-2021-44228.
| Product | Cloud/On-Prem | Impacted Versions | Fixed Version | Workaround |
| Data Stream Processor | On-Prem | DSP 1.0.x, DSP 1.1.x, DSP 1.2.x | Pending | TBD |
| IT Service Intelligence (ITSI) | Both | 4.11.1, 4.10.3, 4.9.5, 4.8.2, 4.7.3, 4.4.6 | Multiple versions will be deployed to fix past versions early next week. | TBD |
| Splunk Enterprise | On-Prem | All supported non-Windows versions of 8.1.x and 8.2.x only if Hadoop (Hunk) and/or DFS are used. | 8.1.7.1, 8.2.2.2 to be released by Monday 12/13 | See Removing Log4j from Splunk Enterprise section below |
| Splunk Enterprise Amazon Machine Image (AMI) | On-Prem | See Splunk Enterprise | Pending | TBD |
| Splunk Enterprise Docker Container | On-Prem | See Splunk Enterprise | Pending | TBD |
--
Under Investigation
We are currently investigating whether these products are impacted by CVE-2021-44228.
| Product | Cloud/On-Prem |
| Admin Config Service | Cloud |
| Behavior Analytics (cloud) | Cloud |
| Developer Tools: SKDs | Both |
| Enterprise Security | Both |
| Intelligence Management (TruSTAR) | Both |
| KV Service | Cloud |
| Mission Control | Cloud |
| Operator for Kubernetes | On-Prem |
| Phantom (On-Premise) | On-Prem |
| Security Analytics for AWS | Cloud |
| SOAR Cloud (Phantom) | Cloud |
| Splunk Cloud Data Manager (SCDM) | Cloud |
| Splunk Cloud Developer Edition | Cloud |
| Splunk Connect for SNMP | On-Prem |
| Splunk Connect for Syslog | On-Prem |
| Splunk Forwarders (UR/HWF) | Both |
| Splunk Mint | On-Prem |
| Splunk Mobile | On-Prem |
| Splunk Secure Gateway (Spacebridge) | Cloud |
| Splunk TV | On-Prem |
| Stream Processor Service | Cloud |
--
Products Confirmed Not Vulnerable
Investigation has concluded that these products are not impacted by CVE-2021-44228.
- Analytics Workspace
- Dashboard Studio
- Developer Tools: AppInspect
- Splunk Application Performance Monitoring
- Splunk Augmented Reality
- Splunk Enterprise Cloud (core functionality - review this notice for installed application impacts)
- Splunk Infrastructure Monitoring
- Splunk Log Observer
- Splunk Network Performance Monitoring
- Splunk On-Call/Victor Ops
- Splunk Profiling
- Splunk Real User Monitoring
- Splunk Synthetics
- UBA (User Behavior Analytics)
Removing Log4j from Splunk Enterprise
If the Splunk Enterprise instance does not leverage DFS or Hunk, the presence of those libraries does not introduce an active attack vector. Out of an abundance of caution, you may remove the unused jars from your Splunk Enterprise instances in the following paths:
- $SPLUNK_HOME/bin/jars/vendors/spark
- $SPLUNK_HOME/bin/jars/vendors/libs/splunk-library-javalogging-*.jar
- $SPLUNK_HOME/bin/jars/SplunkMR*
- $SPLUNK_HOME/bin/jars/thirdparty/hive*
- $SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars/*
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- https://logging.apache.org/log4j/2.x/security.html
- https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html
Change Log
- 2020-12-11: Initial Security Advisory
Attachments
- Original Link
- Original Document
- Permalink
Disclaimer
Splunk Inc. published this content on 11 December 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 12 December 2021 00:45:02 UTC.
