This security advisory specifically pertains to Apps/Add-ons (i.e. Extensions) to Splunk Products for CVE-2021-44228 and CVE-2021-45046. Please note that archived apps on Splunkbase are not supported, and as such do not receive updates. For the official advisory on Splunk Enterprise, Splunk Cloud, and other non-app products, please see the Splunk Security Advisory for Apache Log4j.
Unless specifically noted, the below guidance pertains to both on-prem and cloud deployments of Splunk. For more information on the various levels of support for Splunk Apps, please refer to the Splunk Developer Guide. If you are unsure what apps are installed on your Splunk deployment, please see Review your apps and add-ons on Splunk Docs. Additionally, AppInspect will now fail validation for apps submitted that have Log4j versions vulnerable to CVE-2021-44228 or CVE-2021-45046.
For information regarding CVE-2021-44228 and CVE-2021-45046 as they pertain to Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA), or Splunk IT Service Intelligence (ITSI), please see the Splunk Security Advisory for Apache Log4j.
Splunk has reviewed the Splunk-built and Splunk-supported apps on Splunkbase for impact from CVE-2021-44228 and CVE-2021-45046. Of these apps, the ones determined to be impacted are listed in the Splunk Security Advisory for Apache Log4j. Please note that only supported versions of these apps will receive updates. If you are unsure what apps are installed on your Splunk deployment, please see Review your apps and add-ons on Splunk Docs.
Developer-supported apps/add-ons are built and supported by third-party developers. Splunk does not develop code for, or support, these apps/add-ons. Please contact the app developer listed on Splunkbase in the "Built By" section via the "Contact Developer" link for further guidance and information. Release notes from the developer may contain additional information.
Apps that are listed as "Not Supported" on Splunkbase do not receive support from their developers or Splunk. However, if you are using, or plan to use, one of these apps in your Splunk environment, the instructions for scanning an app for CVE-2021-44228 and CVE-2021-45046 in the Custom Apps section below may be used as an example procedure to verify that the app is not impacted.
Splunk does not provide support for updating or patching custom apps; it is the responsibility of the customer to remediate them. If custom apps are used within a Splunk deployment, the steps below can help assess whether any of them are vulnerable to CVE-2021-44228 and CVE-2021-45046. Remember: these vulnerabilities are specific to Log4j version 2. Log4j versions prior to 2 are not covered by CVE-2021-44228 and CVE-2021-45046.
If there is possible exposure from a custom app, the following guidance is provided as a courtesy: https://dev.splunk.com/enterprise/docs/releaseapps/manageprivatecloud/
1. Unzip the app into a temp directory on your local filesystem, or install the app in a local instance of Splunk for testing
2. From the $SPLUNK_HOME/etc/apps directory, or from the temp directory from above, run the following commands:
a. Recursive grep looking for inclusion of the vulnerable Java class (the class path is stored uncompressed in a jar's zip directory, so the grep also matches inside jar files):
grep -r 'org/apache/logging/log4j/core/lookup/JndiLookup.class' ./
b. Simple find command to locate any files with Log4j in their name:
find ./ -name "*log4j*" -print
3. Any data returned by either of the two commands above specific to Log4j 2 means potential exposure and you should take further steps to ensure the version of Log4j is not vulnerable (must be at least 2.15.0 for CVE-2021-44228 or at least 2.16.0 for both CVE-2021-44228 and CVE-2021-45046)
If nothing is returned from steps 2a or 2b, it is important to unpack any jar files found and look for reference to Log4j version 2 within them:
1. Unzip the app into a temp directory on your local filesystem, or install the app in a local instance of Splunk for testing
2. From the $SPLUNK_HOME\etc\apps directory, or from the temp directory from above, run the following PowerShell command:
gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
3. Any data returned by the command above specific to Log4j 2 means potential exposure and you should take further steps to ensure the version of Log4j is not vulnerable (must be at least 2.15.0 for CVE-2021-44228 or at least 2.16.0 for both CVE-2021-44228 and CVE-2021-45046)
If nothing is returned from step 2, it is important to unpack any jar files found and look for reference to Log4j version 2 within them:
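The Linux/macOS steps (2a/2b) and the Windows PowerShell step above can be carried out in one portable scanner; the following Python is an added example written for this page, not part of the Splunk advisory or of any Splunk tool. It walks an unpacked app directory, opens every jar, checks for the JndiLookup class, reads the Log4j version from the jar manifest (falling back to the file name) and grades it against the 2.15.0 / 2.16.0 thresholds quoted above, distinguishing Log4j 1.x (not covered) from 2.x. The app directory, jar layout and the fixture built by make_sample_app are constructed assumptions for demonstration.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class behind CVE-2021-44228
LOG4J2_PKG = "org/apache/logging/log4j/"   # Log4j 1.x lives under org/apache/log4j/ instead
FIXED_44228, FIXED_45046 = (2, 15, 0), (2, 16, 0)   # minimum versions quoted in the advisory

def assess_jar(path):
    """Return (has_jndi_class, version, status) for one jar; nested jars are not unpacked."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    has_jndi = JNDI_CLASS in names
    if not any(n.startswith(LOG4J2_PKG) for n in names):
        return has_jndi, None, "no-log4j2"          # Log4j 1.x or an unrelated jar
    m = re.search(rb"^Implementation-Version:\s*(\S+)", manifest, re.M)
    text = m.group(1).decode() if m else os.path.basename(path)   # manifest first, else file name
    v = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    version = tuple(int(x or 0) for x in v.groups()) if v else None
    if version is None:
        return has_jndi, None, "log4j2-version-unknown"   # Log4j 2 present, version must be checked by hand
    if version >= FIXED_45046:
        return has_jndi, version, "fixed"
    if version >= FIXED_44228:
        return has_jndi, version, "vulnerable-CVE-2021-45046"
    return has_jndi, version, "vulnerable-CVE-2021-44228"

def scan_app(app_dir):
    """Walk an unpacked app (what the grep/find/gci steps cover) and assess every jar in it."""
    results = {}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(root, name)
                results[os.path.relpath(path, app_dir)] = assess_jar(path)
    return results

def make_sample_app(version, pkg=LOG4J2_PKG):
    """Constructed fixture: a fake app dir with one minimal logging jar (pkg selects 1.x or 2.x)."""
    app_dir = tempfile.mkdtemp(prefix="fake_splunk_app_")
    jar_path = os.path.join(app_dir, "bin", "lib", f"log4j-{version}.jar")
    os.makedirs(os.path.dirname(jar_path))
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        jar.writestr(pkg + "Logger.class", b"\xca\xfe\xba\xbe")   # fake class file header
        if pkg == LOG4J2_PKG:   # JndiLookup only exists in Log4j 2
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return app_dir
```

Run scan_app on a real unpacked app directory (e.g. one under $SPLUNK_HOME/etc/apps) to get a per-jar verdict; a "log4j2-version-unknown" result still requires manual inspection of the jar.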
Splunk SOAR apps can only be written in Python, and therefore cannot use the vulnerable Log4j library affected by CVE-2021-44228 or CVE-2021-45046. Please see Splunk SOAR apps overview on Splunk Docs for more information about SOAR apps.