Splunk® User Behavior Analytics

Release Notes

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Log4j in Splunk UBA 5.1.0

In Splunk UBA version 5.1.0, all Log4j related jars in the OS packages have either been removed or replaced by Reload4j, with the following exceptions. The following packages have been patched to remove the vulnerable classes:

  1. Log4j 1.2.x in the Impala OS library /usr/lib/impala/lib (inside the Impala container), also visible in /var/vcap/store/docker/overlay2/.../usr/lib/impala/lib/:
    1. org/apache/log4j/net/SocketAppender.class: CVE-2019-17571
    2. org/apache/log4j/net/SocketServer.class: CVE-2019-17571
    3. org/apache/log4j/net/SMTPAppender$1.class: CVE-2020-9488
    4. org/apache/log4j/net/SMTPAppender.class: CVE-2020-9488
    5. org/apache/log4j/net/JMSAppender.class: CVE-2021-4104
    6. org/apache/log4j/net/JDBCAppender.class: CVE-2022-23305
    7. org/apache/log4j/chainsaw/*.class: CVE-2022-23307
  2. Log4j 2.x in the Hive OS library /usr/lib/hive/lib:
    1. org/apache/logging/log4j/core/lookup/JndiLookup.class: CVE-2021-44228
  3. Non-core Log4j files which do not contain critical or high vulnerabilities.

You can run the following command to remediate CVE-2021-44228:
    sudo zip -q -d /usr/lib/hive/jdbc/hive-jdbc* org/apache/logging/log4j/core/lookup/JndiLookup.class
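As an added verification check (example code, not Splunk's own tooling), the following Python scans a library directory for the class entries listed above and reports which jars still contain them. The two sample jars it builds are constructed fixtures, not Splunk files; point scan_tree at a real directory such as /usr/lib/hive/lib to audit a node.

```python
import os
import tempfile
import zipfile

# Class entries the release notes list as stripped from the patched jars, keyed to their CVE.
VULNERABLE_ENTRIES = {
    "org/apache/log4j/net/SocketAppender.class": "CVE-2019-17571",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/SMTPAppender$1.class": "CVE-2020-9488",
    "org/apache/log4j/net/SMTPAppender.class": "CVE-2020-9488",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "CVE-2021-44228",
}
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"  # whole package: CVE-2022-23307

def scan_jar(path):
    """Return {entry: CVE} for each listed class still present in one jar."""
    hits = {}
    try:
        with zipfile.ZipFile(path) as jar:
            for name in jar.namelist():
                if name in VULNERABLE_ENTRIES:
                    hits[name] = VULNERABLE_ENTRIES[name]
                elif name.startswith(CHAINSAW_PREFIX) and name.endswith(".class"):
                    hits[name] = "CVE-2022-23307"
    except zipfile.BadZipFile:
        pass  # a .jar that is not a valid zip archive cannot carry the classes
    return hits

def scan_tree(root):
    """Walk a library directory (for example /usr/lib/hive/lib); map jar path -> hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".jar"):
                hits = scan_jar(os.path.join(dirpath, f))
                if hits:
                    report[os.path.join(dirpath, f)] = hits
    return report

def build_sample_tree():
    """Constructed fixture (not real Splunk files): one unpatched jar, one patched jar."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "sample-unpatched.jar"), "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe")
        jar.writestr("org/apache/log4j/chainsaw/Main.class", b"\xca\xfe")
    with zipfile.ZipFile(os.path.join(root, "sample-patched.jar"), "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe")
    return root
```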

How to remove obsolete Log4j residual files from previous Splunk UBA deployments

The Splunk UBA 5.1.0 upgrade process removes all vulnerable Log4j files or replaces them with the patched versions listed in step 1 of the previous section. If you find residual Log4j files in the paths identified below, use the following instructions to remove the obsolete files.

Remove Apache Spark containing Log4j libraries

You can remove Log4j 1.2.x jars from the /var/vcap.save backup directory if applicable.

Splunk UBA includes Apache Spark, which contains Log4j libraries. The Apache Spark Log4j libraries are under the following file path: $SPLUNK_HOME/bin/jars/vendors/spark

Perform the following steps to remove Log4j from all Splunk UBA deployments:

  1. Log in to each Splunk UBA node as the caspida user.
  2. Run the following command to remove files under the Apache Spark directory on the Splunk home directory /opt/splunk:
    sudo rm -rf /opt/splunk/bin/jars/vendors/spark/*
  3. After you remove /opt/splunk/bin/jars/vendors/spark/* from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user and run the following commands to restart Splunk UBA:
    /opt/caspida/bin/Caspida stop-all
    /opt/caspida/bin/Caspida start-all
    

Remove Apache Storm Log4j libraries

Splunk UBA includes Apache Storm, which contains Log4j 2.x libraries. The Apache Storm Log4j libraries are under the following file path: /usr/share/apache-storm*

In Splunk UBA 5.1.0, you can remove Apache Storm, which also removes its Log4j 2.x libraries from your deployment.

Perform the following steps to remove Apache Storm and the corresponding Log4j 2.x libraries:

  1. Log in to each Splunk UBA node as the caspida user.
  2. Run the following command to remove the Apache Storm directory and its corresponding files:
    sudo rm -rf /usr/share/apache-storm*
  3. After you remove /usr/share/apache-storm* from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user.
  4. On the Splunk UBA management node only, run the following commands to restart Splunk UBA:
    /opt/caspida/bin/Caspida stop-all
    /opt/caspida/bin/Caspida start-all
    
Last modified on 26 October, 2022

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0
