Fix now available: Splunk and the Heartbleed vulnerability

Security Splunk

Dear Splunk users,

This is an update to yesterday’s post on our handling of the OpenSSL Heartbleed vulnerability. Thank you again for your patience and understanding as we spent the necessary time to prepare and test our fix for this important issue. As I mentioned yesterday, we are working hard to balance getting the fix out to you as quickly as possible while still spending sufficient time testing it to ensure a high quality delivery.

Take me to the fix!

As of now, Splunk Enterprise 6.0.3 is now available for download. This includes universal forwarder builds.

This release contains two fixes for vulnerabilities in OpenSSL:

Further information about these vulnerabilities is posted on our Security Portal.

Patches now available

Follow these links for the respective patch numbers:

What happens next?

We’ve made 6.0.3 available for download, and we’re now continuing to test our patches for each 6.x version. We’ll be posting patches for 6.0, 6.0.1, and 6.0.2 in the next few days now delivering patches for each affected version (see above). This means you have a choice as to whether you want to upgrade to 6.0.3 or patch your existing version. As always, we recommend upgrading to the latest version if possible.

As we’ve mentioned, the great majority of Splunk deployments are behind firewalls and/or require VPN access, and so do not have a high level of exposure as a result of this vulnerability. That said, once you’ve upgraded or patched, you should determine whether to revoke and reissue any SSL certificates you have in use based on your organization’s requirements. Refer to “About securing your Splunk configuration with SSL” in the Splunk Enterprise documentation for details on how Splunk uses SSL.

If you are using the default certificates provided by Splunk, you can regenerate and reissue them using the utility provided in $SPLUNK_HOME/bin, although these certificates provide minimal protection on their own. Note: You must either rename or move the original default certificates out of the way before you regenerate them.

If you are using your own self-signed or CA-generated certificates, you should revoke and reissue these certificates before changing your Splunk Web password(s).

As always, we recommend following the hardening guidelines in the “Securing Splunk” manual.

----------------------------------------------------
Thanks!
rachel perkins

/en_us/blog/fragments/digital-resilience-pays-off
Style
two-column

Related Articles

Defending the Gates: Understanding and Detecting Ave Maria (Warzone) RAT
Security
8 Minute Read

Defending the Gates: Understanding and Detecting Ave Maria (Warzone) RAT

The Splunk Threat Research Team provides a deep-dive analysis of Ave Maria RAT, also known as 'Warzone RAT.'
Log4Shell - Detecting Log4j Vulnerability (CVE-2021-44228) Continued
Security
9 Minute Read

Log4Shell - Detecting Log4j Vulnerability (CVE-2021-44228) Continued

Good news, you can use Splunk to proactively hunt using Network Traffic and DNS query logs data sources to detect potential Log4Shell exploit. From Splunk SURGe, learn even more detections against CVE-2021-44228.
Staff Picks for Splunk Security Reading August 2021
Security
3 Minute Read

Staff Picks for Splunk Security Reading August 2021

These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series!
/en_us/blog/fragments/about-splunk
/en_us/blog/fragments/subscribe-footer