Steps to address the Apache Log4j vulnerabilities in ITSI or IT Essentials Work
On Friday December 10, 2021, a serious remote code execution (RCE) vulnerability, commonly known as Log4Shell, was discovered in the popular open-source Apache Log4j (versions 2.0 to 2.14.1) logging library. Over subsequent days, additional vulnerabilities have been discovered. See Apache Log4j 2 in Apache documentation for more info. The Apache Software Foundation released a series of emergency patches for these vulnerabilities. For more information on addressing the vulnerabilities, see Splunk Security Advisory for Apache Log4j (CVE-2021-44228 and CVE-2021-45046).
| Impacted version | Immediate workaround | Intermediate upgrade (skip unless already in progress) | Final fix |
|---|---|---|---|
| ITSI and ITE Work versions 4.11.0, 4.9.x (on-premises and cloud); ITSI 4.7.x (on-premises and cloud) | See the workaround steps provided on this page after this table. Follow these steps in your existing ITSI installation to reduce your exposure to the CVE-2021-44228 vulnerability. | Upgrade to the maintenance version that includes the fix for CVE-2021-44228: See Version-specific upgrade notes for ITSI for steps to take after you upgrade. | Upgrade to the maintenance version that includes version 2.16.0 or later of the Apache Log4j libraries, which addresses both CVE-2021-44228 and CVE-2021-45046. See Version-specific upgrade notes for ITSI for steps to take after you upgrade. |
| ITSI and ITE Work 4.10.x (cloud-only version); ITSI 4.5.x, 4.6.x, and 4.8.x (cloud-only versions) | Splunk Cloud TechOps is upgrading impacted versions. | All cloud stacks will be upgraded to the closest latest minor version with the fix for CVE-2021-44228. 4.5.x and 4.8.x will be upgraded to 4.9.5. | All cloud stacks will be updated to the closest latest minor version with version 2.16.0 or later of Apache Log4j. 4.5.x and 4.8.x will be upgraded to 4.9.6. |
| ITSI version 4.4.x (no longer supported as of October 22, 2021) | See the workaround steps provided on this page after this table. Follow these steps in your existing ITSI installation to reduce your exposure to the CVE-2021-44228 vulnerability. | Upgrade to the 4.7.3 maintenance version that includes the fix for the RCE vulnerability (CVE-2021-44228). | Upgrade to the 4.7.4 maintenance version that includes version 2.16.0 or later of the Apache Log4j libraries, which addresses both CVE-2021-44228 and CVE-2021-45046. |
Workaround steps for self-managed deployments on standalone search heads on *nix
Follow these steps to implement a workaround for CVE-2021-44228 in self-managed deployments of Splunk IT Service Intelligence or IT Essentials Work on standalone search heads on *nix environments. You can use this fix as a workaround until you have time to upgrade to a maintenance version that addresses the vulnerability. These changes will not disrupt any user functionality. These changes require a maintenance window of about eight to ten minutes.
Prerequisites
- You must have administrative access to the operating system on the machine where ITSI is installed to perform these steps.
For all search heads where ITSI or ITE Work is installed, perform the following procedures.
$SPLUNK_HOME is the directory where you installed Splunk Enterprise.
Steps
- Open a shell prompt.
- Go to the folder $SPLUNK_HOME/bin.
- Stop the Splunk process.
cd $SPLUNK_HOME/bin
./splunk stop
- Go to the etc/apps/SA-ITOA/lib/java/event_management/libs/ directory:
cd $SPLUNK_HOME/etc/apps/SA-ITOA/lib/java/event_management/libs/
- Run the command that corresponds to your version of ITSI or IT Essentials Work to delete the JndiLookup classes from the log4j jar file.
- ITSI or IT Essentials Work version 4.7.x, 4.9.x, or 4.11.x:
zip -q -d log4j-core-2.13.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.13.2 in this directory, you can safely delete these .jar files with lower versions.
- ITSI version 4.4.x:
zip -q -d log4j-core-2.5.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.5 in this directory, you can safely delete these .jar files with lower versions.
- Go to the etc/apps/SA-ITSI-MetricAD/lib/ directory.
cd $SPLUNK_HOME/etc/apps/SA-ITSI-MetricAD/lib/
- Run the command that corresponds to your version of ITSI or IT Essentials Work to delete JndiLookup classes from the log4j jar file.
- ITSI version 4.7.x, 4.9.x, 4.11.0:
zip -q -d org.apache.logging.log4j.log4j-core-2.13.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.13.2 in this directory, you can safely delete these .jar files with lower versions.
- ITSI version 4.4.x:
zip -q -d org.apache.logging.log4j.log4j-core-2.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.3 in this directory, you can safely delete these .jar files with lower versions.
- Delete older versions of log4j .jar files from the search head. To view a list of the files and their locations, see Version-specific upgrade notes for ITSI.
- Restart Splunk Enterprise:
cd $SPLUNK_HOME/bin
./splunk start
Workaround steps for self-managed deployments on standalone search heads on Windows
Follow these steps to implement a workaround for CVE-2021-44228 in self-managed deployments of Splunk IT Service Intelligence or IT Essentials Work on standalone search heads on Windows environments. You can use this fix as a workaround until you have time to upgrade to a maintenance version that addresses the vulnerability. These changes will not disrupt any user functionality. These changes require a maintenance window of about eight to ten minutes.
Prerequisites
- You must have administrative access to the operating system on the machine where ITSI is installed to perform these steps.
- You need a zip utility installed on Windows. The instructions below provide the command prompt syntax for 7zip.
For all search heads where ITSI or ITE Work is installed, perform the following procedure.
$SPLUNK_HOME is the directory where you installed Splunk Enterprise.
Steps
- Use the Services control panel to stop the Splunk process.
- Go to the etc/apps/SA-ITOA/lib/java/event_management/libs/ directory:
cd $SPLUNK_HOME\etc\apps\SA-ITOA\lib\java\event_management\libs
- Run the command that corresponds to your version of ITSI or IT Essentials Work to delete the JndiLookup classes from the log4j jar file.
- ITSI or IT Essentials Work version 4.7.x, 4.9.x, or 4.11.x:
$SPLUNK_HOME\etc\apps\SA-ITOA\lib\java\event_management\libs>"C:\Program Files\7-Zip\7z.exe" D .\log4j-core-2.13.2.jar org\apache\logging\log4j\core\lookup\JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.13.2 in this directory, you can safely delete these .jar files with lower versions.
- ITSI version 4.4.x:
$SPLUNK_HOME\etc\apps\SA-ITOA\lib\java\event_management\libs>"C:\Program Files\7-Zip\7z.exe" D .\log4j-core-2.5.jar org\apache\logging\log4j\core\lookup\JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.5 in this directory, you can safely delete these .jar files with lower versions.
- Go to the etc/apps/SA-ITSI-MetricAD/lib/ directory.
cd $SPLUNK_HOME\etc\apps\SA-ITSI-MetricAD\lib\
- Run the command that corresponds to your version of ITSI or IT Essentials Work to delete JndiLookup classes from the log4j jar file.
- ITSI version 4.7.x, 4.9.x, 4.11.0:
$SPLUNK_HOME\etc\apps\SA-ITSI-MetricAD\lib\>"C:\Program Files\7-Zip\7z.exe" D .\org.apache.logging.log4j.log4j-core-2.13.2.jar org\apache\logging\log4j\core\lookup\JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.13.2 in this directory, you can safely delete these .jar files with lower versions.
- ITSI version 4.4.x:
$SPLUNK_HOME\etc\apps\SA-ITSI-MetricAD\lib\>"C:\Program Files\7-Zip\7z.exe" D .\org.apache.logging.log4j.log4j-core-2.3.jar org\apache\logging\log4j\core\lookup\JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.3 in this directory, you can safely delete these .jar files with lower versions.
- Delete older versions of log4j .jar files from the search head. To view a list of the files and their locations, see Version-specific upgrade notes for ITSI.
- Use the Services control panel to restart Splunk Enterprise.
Workaround steps for self-managed deployments on a search head cluster on *nix
Follow these steps to implement a workaround for CVE-2021-44228 in self-managed deployments of Splunk IT Service Intelligence or IT Essentials Work on search head clusters on *nix environments. You can use this fix as a workaround until you have time to upgrade to a maintenance version that addresses the vulnerability. These changes require a maintenance window of about eight to ten minutes.
Prerequisite
You must have administrative access to the operating system on the machine where ITSI or IT Essentials Work is installed to perform these steps.
For all search head clusters where ITSI or ITE Work is installed, perform the following procedures.
$SPLUNK_HOME is the directory where you installed Splunk Enterprise.
Steps
- Log on to the deployer.
- Go to the etc/shcluster/apps/SA-ITOA/lib/java/event_management/libs/ directory.
cd $SPLUNK_HOME/etc/shcluster/apps/SA-ITOA/lib/java/event_management/libs/
- Run the command that corresponds to your version of ITSI or IT Essentials Work to delete the JndiLookup classes from the log4j jar file.
- ITSI or IT Essentials Work version 4.7.x, 4.9.x, or 4.11.x:
zip -q -d log4j-core-2.13.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- ITSI version 4.4.x:
zip -q -d log4j-core-2.5.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Make a note of the updated jar's checksum.
- ITSI or IT Essentials Work version 4.7.x, 4.9.x, or 4.11.x:
sha256sum log4j-core-2.13.2.jar
- ITSI version 4.4.x:
sha256sum log4j-core-2.5.jar
- Go to the etc/shcluster/apps/SA-ITSI-MetricAD/lib/ directory.
cd $SPLUNK_HOME/etc/shcluster/apps/SA-ITSI-MetricAD/lib/
- Run the command that corresponds to your version of ITSI or IT Essentials Work to delete JndiLookup classes from the log4j jar file.
- ITSI version 4.7.x, 4.9.x, 4.11.0:
zip -q -d org.apache.logging.log4j.log4j-core-2.13.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- ITSI version 4.4.x:
zip -q -d org.apache.logging.log4j.log4j-core-2.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Make a note of the updated jar's checksum.
- ITSI version 4.7.x, 4.9.x, 4.11.0:
sha256sum org.apache.logging.log4j.log4j-core-2.13.2.jar
- ITSI version 4.4.x:
sha256sum org.apache.logging.log4j.log4j-core-2.3.jar
- Delete the older versions of log4j .jar files from the deployer before deploying the updated jars. To view a list of the files and their locations, see Version-specific upgrade notes for ITSI.
- Deploy the updated jars to search heads with the following command. The -target parameter specifies the URI and management port for any member of the cluster. The -auth parameter specifies credentials for the deployer instance.
$SPLUNK_HOME/bin/splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
- Wait for deployment and rolling restart to complete.
- Log on to the search heads and verify the updated jar's checksums.
- Go to the etc/apps/SA-ITOA/lib/java/event_management/libs/ directory.
cd $SPLUNK_HOME/etc/apps/SA-ITOA/lib/java/event_management/libs/
- Verify that the checksum of the jar matches the checksum you made note of earlier.
- ITSI or IT Essentials Work version 4.7.x, 4.9.x, or 4.11.x:
sha256sum log4j-core-2.13.2.jar
- ITSI version 4.4.x:
sha256sum log4j-core-2.5.jar
- Go to the etc/apps/SA-ITSI-MetricAD/lib/ directory.
cd $SPLUNK_HOME/etc/apps/SA-ITSI-MetricAD/lib/
- Verify that the checksum of the jar matches the checksum you made note of earlier.
- ITSI version 4.7.x, 4.9.x, 4.11.0:
sha256sum org.apache.logging.log4j.log4j-core-2.13.2.jar
- ITSI version 4.4.x:
sha256sum org.apache.logging.log4j.log4j-core-2.3.jar
Workaround steps for self-managed deployments on a search head cluster on Windows
Follow these steps to implement a workaround for CVE-2021-44228 in self-managed deployments of Splunk IT Service Intelligence or IT Essentials Work on search head clusters in a Windows environment. You can use this fix as a workaround until you have time to upgrade to a maintenance version that addresses the vulnerability. These changes require a maintenance window of about eight to ten minutes.
Prerequisite
You must have administrative access to the operating system on the machine where ITSI or IT Essentials Work is installed to perform these steps.
For all search head clusters where ITSI or ITE Work is installed, perform the following procedures.
$SPLUNK_HOME is the directory where you installed Splunk Enterprise.
Steps
- Log on to the deployer.
- Go to the etc/shcluster/apps/SA-ITOA/lib/java/event_management/libs/ directory.
cd $SPLUNK_HOME\etc\shcluster\apps\SA-ITOA\lib\java\event_management\libs\
- Run the command that corresponds to your version of ITSI or IT Essentials Work to delete the JndiLookup classes from the log4j jar file.
- ITSI or IT Essentials Work version 4.7.x, 4.9.x, or 4.11.x:
$SPLUNK_HOME\etc\shcluster\apps\SA-ITOA\lib\java\event_management\libs>"C:\Program Files\7-Zip\7z.exe" D .\log4j-core-2.13.2.jar org\apache\logging\log4j\core\lookup\JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.13.2 in this directory, you can safely delete these .jar files with lower versions.
- ITSI version 4.4.x:
$SPLUNK_HOME\etc\shcluster\apps\SA-ITOA\lib\java\event_management\libs>"C:\Program Files\7-Zip\7z.exe" D .\log4j-core-2.5.jar org\apache\logging\log4j\core\lookup\JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.5 in this directory, you can safely delete these .jar files with lower versions.
- Make a note of the updated jar's checksum.
- ITSI or IT Essentials Work version 4.7.x, 4.9.x, or 4.11.x:
$SPLUNK_HOME\etc\shcluster\apps\SA-ITOA\lib\java\event_management\libs>"C:\Program Files\7-Zip\7z.exe" h .\log4j-core-2.13.2.jar
- ITSI version 4.4.x:
$SPLUNK_HOME\etc\shcluster\apps\SA-ITOA\lib\java\event_management\libs>"C:\Program Files\7-Zip\7z.exe" h .\log4j-core-2.5.jar
- Go to the etc/shcluster/apps/SA-ITSI-MetricAD/lib/ directory.
cd $SPLUNK_HOME\etc\shcluster\apps\SA-ITSI-MetricAD\lib\
- Run the command that corresponds to your version of ITSI or IT Essentials Work to delete JndiLookup classes from the log4j jar file.
- ITSI version 4.7.x, 4.9.x, 4.11.0:
$SPLUNK_HOME\etc\shcluster\apps\SA-ITSI-MetricAD\lib>"C:\Program Files\7-Zip\7z.exe" D .\org.apache.logging.log4j.log4j-core-2.13.2.jar org\apache\logging\log4j\core\lookup\JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.13.2 in this directory, you can safely delete these .jar files with lower versions.
- ITSI version 4.4.x:
$SPLUNK_HOME\etc\shcluster\apps\SA-ITSI-MetricAD\lib>"C:\Program Files\7-Zip\7z.exe" D .\org.apache.logging.log4j.log4j-core-2.3.jar org\apache\logging\log4j\core\lookup\JndiLookup.class
Once the above command executes successfully, if there are log4j .jar files with versions lower than 2.3 in this directory, you can safely delete these .jar files with lower versions.
- Make a note of the updated jar's checksum.
- ITSI version 4.7.x, 4.9.x, 4.11.0:
$SPLUNK_HOME\etc\shcluster\apps\SA-ITSI-MetricAD\lib\>"C:\Program Files\7-Zip\7z.exe" h .\org.apache.logging.log4j.log4j-core-2.13.2.jar
- ITSI version 4.4.x:
$SPLUNK_HOME\etc\shcluster\apps\SA-ITSI-MetricAD\lib\>"C:\Program Files\7-Zip\7z.exe" h .\org.apache.logging.log4j.log4j-core-2.3.jar
- Delete the older versions of log4j .jar files from the deployer before deploying the updated jars. To view a list of the files and their locations, see Version-specific upgrade notes for ITSI.
- Deploy updated jars to search heads with the following command. The -target parameter specifies the URI and management port for any member of the cluster. The -auth parameter specifies credentials for the deployer instance.
$SPLUNK_HOME\bin\splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
- Wait for deployment and rolling restart to complete.
- Log on to the search heads and verify the updated jar's checksums.
- Go to the etc/apps/SA-ITOA/lib/java/event_management/libs/ directory.
cd $SPLUNK_HOME\etc\apps\SA-ITOA\lib\java\event_management\libs\
- Verify that the checksum of the jar matches the checksum you made note of earlier.
- ITSI or IT Essentials Work version 4.7.x, 4.9.x, or 4.11.x:
$SPLUNK_HOME\etc\apps\SA-ITOA\lib\java\event_management\libs>"C:\Program Files\7-Zip\7z.exe" h .\log4j-core-2.13.2.jar
- ITSI version 4.4.x:
$SPLUNK_HOME\etc\apps\SA-ITOA\lib\java\event_management\libs>"C:\Program Files\7-Zip\7z.exe" h .\log4j-core-2.5.jar
- Go to the etc/apps/SA-ITSI-MetricAD/lib/ directory.
cd $SPLUNK_HOME\etc\apps\SA-ITSI-MetricAD\lib\
- Verify that the checksum of the jar matches the checksum you made note of earlier.
- ITSI version 4.7.x, 4.9.x, 4.11.0:
$SPLUNK_HOME\etc\apps\SA-ITSI-MetricAD\lib\>"C:\Program Files\7-Zip\7z.exe" h .\org.apache.logging.log4j.log4j-core-2.13.2.jar
- ITSI version 4.4.x:
$SPLUNK_HOME\etc\apps\SA-ITSI-MetricAD\lib\>"C:\Program Files\7-Zip\7z.exe" h .\org.apache.logging.log4j.log4j-core-2.3.jar
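The four procedures above (standalone and clustered, *nix and Windows) come down to the same three operations: find every log4j-core jar under the ITSI apps, remove org/apache/logging/log4j/core/lookup/JndiLookup.class from it (what `zip -q -d` and `7z D` do), and record a SHA-256 so the jar that reaches each search head can be compared with the one edited on the deployer. The script below is an added example, not code from the Splunk documentation or from ITSI; it does the same audit on a directory tree with only the Python standard library, so it can be run against `$SPLUNK_HOME/etc/apps` or `$SPLUNK_HOME/etc/shcluster/apps` on either platform. The directory layout, jar names and jar contents that `build_sample_tree` creates are constructed stand-ins (a few bytes in place of real class files, and a 2.11.1 jar invented to play the role of a lower-versioned duplicate); `remediate` and `verify` are names chosen here, not ITSI functions.

```python
"""Audit, strip and verify log4j-core jars under a Splunk apps directory (added example)."""
import hashlib
import os
import re
import tempfile
import zipfile

# The class the documented workaround deletes from the jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches both naming styles on the page:
# log4j-core-2.13.2.jar and org.apache.logging.log4j.log4j-core-2.13.2.jar
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def sha256_of(path):
    """Same digest that `sha256sum` prints, used for the before/after manifest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def version_of(path):
    """Version tuple parsed from the jar file name, e.g. (2, 13, 2)."""
    m = JAR_RE.search(os.path.basename(path))
    return tuple(int(p) for p in m.group(1).split("."))


def find_log4j_core_jars(root):
    """Every log4j-core jar below root (both naming styles), sorted by path."""
    return sorted(os.path.join(d, f)
                  for d, _, files in os.walk(root)
                  for f in files if JAR_RE.search(f))


def has_jndi_lookup(jar_path):
    """Detection: is the JNDI lookup class still packaged in this jar?"""
    with zipfile.ZipFile(jar_path) as z:
        return JNDI_CLASS in z.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; returns True if it was present."""
    if not has_jndi_lookup(jar_path):
        return False
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap: never leaves a half-written jar behind
    return True


def remediate(root):
    """Deployer / standalone side. Strips JndiLookup from every log4j-core jar under
    root and returns (manifest, older): manifest maps the newest jar in each directory
    to its SHA-256 after editing; older lists the lower-versioned duplicates the page
    says can be deleted before deploying."""
    by_dir = {}
    for p in find_log4j_core_jars(root):
        by_dir.setdefault(os.path.dirname(p), []).append(p)
    manifest, older = {}, []
    for paths in by_dir.values():
        newest = max(paths, key=version_of)
        for p in paths:
            strip_jndi_lookup(p)  # harmless on an already-stripped jar
            if p == newest:
                manifest[os.path.basename(p)] = sha256_of(p)
            else:
                older.append(p)
    return manifest, older


def verify(root, manifest):
    """Search-head side. True per jar only if it is present and its digest matches."""
    found = {os.path.basename(p): p for p in find_log4j_core_jars(root)}
    return {name: name in found and sha256_of(found[name]) == digest
            for name, digest in manifest.items()}


def build_sample_tree():
    """Constructed stand-in for $SPLUNK_HOME/etc/apps with fake jar contents."""
    root = tempfile.mkdtemp()
    for rel in ("SA-ITOA/lib/java/event_management/libs/log4j-core-2.13.2.jar",
                "SA-ITOA/lib/java/event_management/libs/log4j-core-2.11.1.jar",
                "SA-ITSI-MetricAD/lib/org.apache.logging.log4j.log4j-core-2.13.2.jar"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as z:  # placeholder bytes, not real classes
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    deployer = build_sample_tree()
    manifest, older = remediate(deployer)
    print("checksums to carry to the search heads:", manifest)
    print("older jars to delete before deploying:", older)
    print("verification on this host:", verify(deployer, manifest))
```

Run `remediate` on the deployer's shcluster/apps tree, keep the returned manifest, and after `splunk apply shcluster-bundle` and the rolling restart run `verify` on each member against `$SPLUNK_HOME/etc/apps`; any False entry means that member still has an unedited or missing jar. On Windows note that `7z h` prints a CRC32 by default, so compare like with like: either use the same tool on both sides or compute SHA-256 on both with this script (or `7z h -scrcSHA256`).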
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.12.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1, 4.19.2