The latest available update for an affected product should be used. Unless explicitly stated, patches are cumulative to address both CVE-2021-44228 and CVE-2021-45046. These products are known to be impacted by CVE-2021-44228 and CVE-2021-45046. For potential impact on Splunk supported applications installed on Splunk Enterprise or Splunk Cloud, see the tables below. Patches to address CVE-2021-45046 are forthcoming. These patches are the preferred method for addressing CVE-2021-44228 in Splunk Enterprise.
Official patches to upgrade the Log4j packages and mitigate the vulnerabilities in all usage scenarios are available and linked in the table below for versions 8.1 and 8.2. Customers may follow the guidance in the “Removing Log4j version 2 from Splunk Enterprise” section below to remove these packages out of an abundance of caution.
Windows versions of Splunk Enterprise do not include Log4j version 2. If this feature is not used, there is no active attack vector related to CVE-2021-44228 or CVE-2021-45046. Guidance for determining if you are using DFS appears in the "Removing Log4j version 2 from Splunk Enterprise" section below.
All recent non-Windows versions of Splunk Enterprise include Log4j version 2 for the DFS feature. If Data Fabric Search (DFS) is used, there is an impact because this product feature leverages Log4j.
Summary of Impact for Splunk Enterprise and Splunk Cloud
Core Splunk Enterprise functionality does not use Log4j version 2 and is not impacted. Customers also have the option to remove Log4j Version 2 from Splunk Enterprise out of an abundance of caution. Unless CVE-2021-45105 increases in severity, Splunk will address this vulnerability as part of the next regular maintenance release of each affected product.
Splunk is currently evaluating where these configuration parameters may exist within our product portfolio. Per Apache’s advisory, specific non-default configuration parameters need to be present to exploit this vulnerability. Apache has designated this vulnerability a severity rating of 7.5 (High). Splunk is also currently reviewing a Denial of Service Vulnerability (CVE-2021-45105) found in Log4j version 2.16.0.
Supplemental Security Advisory for Splunk Apps
A supplemental security advisory for Splunk Apps was published on December 14 and is being updated on an ongoing basis. Current customers can file support tickets through standard channels for specific guidance. Please return to this posting for the most up-to-date information.
If exploited, this vulnerability allows adversaries to potentially take full control of the impacted system.
Log4j 2 is a commonly used open-source, third-party Java logging library used in software applications and services. The vulnerability is also known as Log4Shell by security researchers. This vulnerability is designated by MITRE as CVE-2021-44228 with the highest severity rating of 10.0.
On December 10, a critical remote code execution vulnerability impacting at least Apache Log4j 2 (versions 2.0 to 2.14.1) was announced by Apache.