{"id":4028,"date":"2021-12-21T14:25:03","date_gmt":"2021-12-21T06:25:03","guid":{"rendered":"https:\/\/www.udshk.com\/?page_id=4028"},"modified":"2021-12-24T11:38:47","modified_gmt":"2021-12-24T03:38:47","slug":"log4j-vulnerabilities-splunk-resolutions","status":"publish","type":"page","link":"https:\/\/www.udshk.com\/?page_id=4028","title":{"rendered":"Log4J Vulnerabilities &#8211; Splunk Resolutions"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"4028\" class=\"elementor elementor-4028\" data-elementor-settings=\"[]\">\n\t\t\t\t\t\t\t<div class=\"elementor-section-wrap\">\n\t\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5d606b0 elementor-section-height-min-height elementor-section-items-top elementor-section-boxed elementor-section-height-default\" data-id=\"5d606b0\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b1e2f06\" data-id=\"b1e2f06\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fcf7e67 elementor-widget elementor-widget-image\" data-id=\"fcf7e67\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.udshk.com\/wp-content\/uploads\/2021\/08\/Splunk_new.png\" class=\"attachment-medium size-medium\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d2f21f8 elementor-widget elementor-widget-heading\" data-id=\"d2f21f8\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Log4J Vulnerabilities - Splunk Resolutions (Updated to 9 Dec 2021)<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0abba13 elementor-widget elementor-widget-text-editor\" data-id=\"0abba13\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>The information provided below is taken from <a href=\"https:\/\/docs.splunk.com\/Documentation\/ITSI\/latest\/Install\/Addresslog4j\">https:\/\/docs.splunk.com\/Documentation\/ITSI\/latest\/Install\/Addresslog4j<\/a> and <a href=\"https:\/\/www.splunk.com\/en_us\/blog\/security\/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html\">https:\/\/www.splunk.com\/en_us\/blog\/security\/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html<\/a>.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53779d0 elementor-tabs-view-horizontal elementor-widget elementor-widget-tabs\" data-id=\"53779d0\" data-element_type=\"widget\" data-widget_type=\"tabs.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-tabs\">\n\t\t\t<div class=\"elementor-tabs-wrapper\" role=\"tablist\" >\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-tab-title-8751\" class=\"elementor-tab-title elementor-tab-desktop-title\" aria-selected=\"true\" data-tab=\"1\" role=\"tab\" tabindex=\"0\" aria-controls=\"elementor-tab-content-8751\" aria-expanded=\"false\">CVE Number<\/div>\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-tab-title-8752\" class=\"elementor-tab-title elementor-tab-desktop-title\" aria-selected=\"false\" data-tab=\"2\" role=\"tab\" tabindex=\"-1\" aria-controls=\"elementor-tab-content-8752\" aria-expanded=\"false\">Discovery Date<\/div>\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-tab-title-8753\" 
class=\"elementor-tab-title elementor-tab-desktop-title\" aria-selected=\"false\" data-tab=\"3\" role=\"tab\" tabindex=\"-1\" aria-controls=\"elementor-tab-content-8753\" aria-expanded=\"false\">Threat Level<\/div>\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-tab-title-8754\" class=\"elementor-tab-title elementor-tab-desktop-title\" aria-selected=\"false\" data-tab=\"4\" role=\"tab\" tabindex=\"-1\" aria-controls=\"elementor-tab-content-8754\" aria-expanded=\"false\">Response to Log4j<\/div>\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-tab-title-8755\" class=\"elementor-tab-title elementor-tab-desktop-title\" aria-selected=\"false\" data-tab=\"5\" role=\"tab\" tabindex=\"-1\" aria-controls=\"elementor-tab-content-8755\" aria-expanded=\"false\">Affected Splunk Products<\/div>\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-tab-title-8756\" class=\"elementor-tab-title elementor-tab-desktop-title\" aria-selected=\"false\" data-tab=\"6\" role=\"tab\" tabindex=\"-1\" aria-controls=\"elementor-tab-content-8756\" aria-expanded=\"false\">Splunk Workaround Solution<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t<div class=\"elementor-tabs-content-wrapper\" role=\"tablist\" aria-orientation=\"vertical\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-tab-title elementor-tab-mobile-title\" aria-selected=\"true\" data-tab=\"1\" role=\"tab\" tabindex=\"0\" aria-controls=\"elementor-tab-content-8751\" aria-expanded=\"false\">CVE Number<\/div>\n\t\t\t\t\t<div id=\"elementor-tab-content-8751\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"1\" role=\"tabpanel\" aria-labelledby=\"elementor-tab-title-8751\" tabindex=\"0\" hidden=\"false\"><ul><li><a style=\"pointer-events: none; cursor: default; text-decoration: none; color: black;\" href=\"\u201c#\u201d\">2021-44228<\/a><\/li><\/ul><\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-tab-title elementor-tab-mobile-title\" aria-selected=\"false\" data-tab=\"2\" role=\"tab\" tabindex=\"-1\" aria-controls=\"elementor-tab-content-8752\" 
aria-expanded=\"false\">Discovery Date<\/div>\n\t\t\t\t\t<div id=\"elementor-tab-content-8752\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"2\" role=\"tabpanel\" aria-labelledby=\"elementor-tab-title-8752\" tabindex=\"0\" hidden=\"hidden\"><ul><li>Dec 9, 2021<\/li><\/ul><\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-tab-title elementor-tab-mobile-title\" aria-selected=\"false\" data-tab=\"3\" role=\"tab\" tabindex=\"-1\" aria-controls=\"elementor-tab-content-8753\" aria-expanded=\"false\">Threat Level<\/div>\n\t\t\t\t\t<div id=\"elementor-tab-content-8753\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"3\" role=\"tabpanel\" aria-labelledby=\"elementor-tab-title-8753\" tabindex=\"0\" hidden=\"hidden\"><ul><li>High<\/li><\/ul><\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-tab-title elementor-tab-mobile-title\" aria-selected=\"false\" data-tab=\"4\" role=\"tab\" tabindex=\"-1\" aria-controls=\"elementor-tab-content-8754\" aria-expanded=\"false\">Response to Log4j<\/div>\n\t\t\t\t\t<div id=\"elementor-tab-content-8754\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"4\" role=\"tabpanel\" aria-labelledby=\"elementor-tab-title-8754\" tabindex=\"0\" hidden=\"hidden\"><p class=\"s5\"><span class=\"s32\">A serious vulnerability (<\/span><a class=\"s32\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44228\">CVE-2021-44228<\/a><span class=\"s32\">) in the popular open source<\/span><a class=\"s32\" href=\"https:\/\/logging.apache.org\/log4j\/2.x\/index.html\">\u00a0Apache Log4j<\/a><span class=\"s32\">\u00a0logging library poses a threat to thousands of applications and third-party services that leverage this library. Proof-of-Concept code demonstrates that an RCE (remote code execution) vulnerability can be exploited by the attacker inserting a specially crafted string that is then logged by Log4j. 
The attacker could then execute arbitrary code from an external source.<\/span><\/p><\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-tab-title elementor-tab-mobile-title\" aria-selected=\"false\" data-tab=\"5\" role=\"tab\" tabindex=\"-1\" aria-controls=\"elementor-tab-content-8755\" aria-expanded=\"false\">Affected Splunk Products<\/div>\n\t\t\t\t\t<div id=\"elementor-tab-content-8755\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"5\" role=\"tabpanel\" aria-labelledby=\"elementor-tab-title-8755\" tabindex=\"0\" hidden=\"hidden\"><div class=\"s27\"><ul><li class=\"s2\"><span class=\"s32\">ITSI and ITE Work versions 4.11.0, 4.9.x (on-premises and cloud)<\/span><\/li><li class=\"s2\"><span class=\"s32\">ITSI 4.7.x (on-premises and cloud)<\/span><\/li><li class=\"s2\"><span class=\"s32\">ITSI and ITE Work 4.10.x &#8211; Cloud-only version<\/span><\/li><li class=\"s2\"><span class=\"s32\">ITSI 4.5.x, 4.6.x, and 4.8.x &#8211; Cloud-only versions<\/span><\/li><li class=\"s2\"><span class=\"s32\">ITSI version 4.4.x (No longer supported as of October 22, 2021)<\/span><\/li><\/ul><\/div><\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-tab-title elementor-tab-mobile-title\" aria-selected=\"false\" data-tab=\"6\" role=\"tab\" tabindex=\"-1\" aria-controls=\"elementor-tab-content-8756\" aria-expanded=\"false\">Splunk Workaround Solution<\/div>\n\t\t\t\t\t<div id=\"elementor-tab-content-8756\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"6\" role=\"tabpanel\" aria-labelledby=\"elementor-tab-title-8756\" tabindex=\"0\" hidden=\"hidden\"><ul><li class=\"s5\"><strong><span class=\"s32\">Intrusion Detection Alerts<\/span><\/strong><ul><li class=\"s5\">Make sure the IPS rules have been updated to detect this vulnerability and that its alerts are being indexed in Splunk. In this case it uses Suricata, but this holds true for any IDS that has deployed signatures for this vulnerability. 
A quick search against that index will net you a place to start hunting for compromise:<br \/><span class=\"s32\">index=suricata (&#8220;2021-44228&#8221; OR &#8220;Log4j&#8221; OR &#8220;Log4Shell&#8221;) | table _time, dest_ip, alert.signature, alert.signature_id<\/span><\/li><\/ul><\/li><li>Splunk Recommendation<ul><li><span class=\"s29\">Patching is still your best bet to combat this vulnerability. If patching isn\u2019t possible, implementing mitigation is the next best path to minimize the attack surface. SURGe is monitoring the evolution of this vulnerability and will provide additional information as needed. 
Additionally, Splunk\u2019s Threat Research Team has been working hard to create some detections for ESCU as well as a SOAR playbook for automated response, which will be released as soon as possible.<\/span><\/li><\/ul><\/li><\/ul><p class=\"s5\"><strong><span class=\"s32\">For further information on detecting the Log4J vulnerability, please go to:<\/span><\/strong><\/p><p class=\"s5\"><a href=\"https:\/\/www.splunk.com\/en_us\/blog\/security\/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html\"><span class=\"s32\">https:\/\/www.splunk.com\/en_us\/blog\/security\/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html<\/span><\/a><\/p><p class=\"s2\"><strong><span class=\"s29\">For the detailed workaround solution, please go to:<\/span><\/strong><\/p><p class=\"s2\"><a class=\"s29\" href=\"https:\/\/docs.splunk.com\/Documentation\/ITSI\/latest\/Install\/Addresslog4j\">https:\/\/docs.splunk.com\/Documentation\/ITSI\/latest\/Install\/Addresslog4j<\/a><\/p><\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Log4J Vulnerabilities &#8211; Splunk Resolutions (Updated to 9 Dec 2021) The information provided below is taken from https:\/\/docs.splunk.com\/Documentation\/ITSI\/latest\/Install\/Addresslog4j and https:\/\/www.splunk.com\/en_us\/blog\/security\/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html. 
CVE Number Discovery Date Threat Level Response to Log4j Affected Splunk Products Splunk Workaround Solution CVE Number 2021-44228 Discovery Date Dec 9, 2021 Threat Level High Response to Log4j A serious vulnerability (CVE-2021-44228) in the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-4028","page","type-page","status-publish","hentry","entry","owp-thumbs-layout-horizontal","owp-btn-normal","owp-tabs-layout-horizontal","has-no-thumbnails","has-product-nav"],"_links":{"self":[{"href":"https:\/\/www.udshk.com\/index.php?rest_route=\/wp\/v2\/pages\/4028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.udshk.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.udshk.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.udshk.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.udshk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4028"}],"version-history":[{"count":7,"href":"https:\/\/www.udshk.com\/index.php?rest_route=\/wp\/v2\/pages\/4028\/revisions"}],"predecessor-version":[{"id":4218,"href":"https:\/\/www.udshk.com\/index.php?rest_route=\/wp\/v2\/pages\/4028\/revisions\/4218"}],"wp:attachment":[{"href":"https:\/\/www.udshk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}