Log4j in Splunk UBA 5.1.0
In Splunk UBA version 5.1.0, all Log4j-related jars in the OS packages have either been removed or replaced by Reload4j, except for the following. The following packages have been patched to remove vulnerable classes:
- Log4j 1.2.x in the Impala OS library /usr/lib/impala/lib (inside the Impala container), also visible in /var/vcap/store/docker/overlay2/.../usr/lib/impala/lib/:
  - org/apache/log4j/net/SocketAppender.class: CVE-2019-17571
  - org/apache/log4j/net/SocketServer.class: CVE-2019-17571
  - org/apache/log4j/net/SMTPAppender$1.class: CVE-2020-9488
  - org/apache/log4j/net/SMTPAppender.class: CVE-2020-9488
  - org/apache/log4j/net/JMSAppender.class: CVE-2021-4104
  - org/apache/log4j/net/JDBCAppender.class: CVE-2022-23305
  - org/apache/log4j/chainsaw/*.class: CVE-2022-23307
- Log4j 2.x in the Hive OS library /usr/lib/hive/lib:
  - org/apache/logging/log4j/core/lookup/JndiLookup.class: CVE-2021-44228
- Non-core Log4j files, which do not contain critical or high vulnerabilities.
You can run the following command to remediate CVE-2021-44228:
sudo zip -q -d /usr/lib/hive/jdbc/hive-jdbc* org/apache/logging/log4j/core/lookup/JndiLookup.class
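As an added example (not Splunk's code), the following Python audit scans a jar for the class entries listed above, maps each hit to its CVE, and rewrites the jar without them, which is what the zip -q -d command above does. The sample jar it builds is constructed for the demonstration and is not a real Splunk artifact.

```python
import fnmatch
import os
import tempfile
import zipfile

# Jar entry -> CVE, copied from this page's list; the chainsaw entry is a glob.
VULNERABLE_CLASSES = {
    "org/apache/log4j/net/SocketAppender.class": "CVE-2019-17571",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/SMTPAppender$1.class": "CVE-2020-9488",
    "org/apache/log4j/net/SMTPAppender.class": "CVE-2020-9488",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/*.class": "CVE-2022-23307",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "CVE-2021-44228",
}

def classify(entry):
    """Return the CVE a jar entry is listed under, or None if it is not a listed class."""
    for pattern, cve in VULNERABLE_CLASSES.items():
        if fnmatch.fnmatchcase(entry, pattern):
            return cve
    return None

def scan_jar(path):
    """Return sorted (entry, cve) pairs for every listed class still present in the jar."""
    with zipfile.ZipFile(path) as jar:
        return sorted((n, classify(n)) for n in jar.namelist() if classify(n))

def strip_entries(path):
    """Rewrite the jar without the listed classes (what the page's `zip -q -d` does); return removed names."""
    doomed = {entry for entry, _ in scan_jar(path)}
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename not in doomed:
                dst.writestr(info, src.read(info.filename))  # keeps each entry's compression and timestamp
    os.replace(tmp, path)  # swap in one step so a crash mid-rewrite never leaves a half-written jar
    return sorted(doomed)

def demo():
    """Constructed sample jar (not a real Splunk artifact): two listed classes plus one harmless class."""
    jar = os.path.join(tempfile.mkdtemp(), "hive-jdbc-sample.jar")
    with zipfile.ZipFile(jar, "w") as z:
        for name in ("org/apache/logging/log4j/core/lookup/JndiLookup.class",
                     "org/apache/log4j/chainsaw/Main.class", "org/apache/logging/log4j/core/Logger.class"):
            z.writestr(name, b"\xca\xfe\xba\xbe")  # fake class bytes; only the entry name matters here
    before = scan_jar(jar)
    return before, strip_entries(jar), scan_jar(jar)
```

Point scan_jar at the jars under /usr/lib/impala/lib or /usr/lib/hive/lib after an upgrade to confirm the listed classes are really gone before closing the finding.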
How to remove obsolete Log4j residual files from previous Splunk UBA deployments
The Splunk UBA 5.1.0 upgrade process removes all vulnerable Log4j files or replaces them with the patched versions listed in the previous section. If you find residual Log4j files in the paths identified below, use these instructions to remove the obsolete Log4j files.
Remove Apache Spark Log4j libraries
You can remove Log4j 1.2.x jars from the /var/vcap.save backup directory, if applicable.
Splunk UBA includes Apache Spark, which contains Log4j libraries. The Apache Spark Log4j libraries are under the following file path: $SPLUNK_HOME/bin/jars/vendors/spark
Perform the following steps to remove Log4j from all Splunk UBA deployments:
- Log in to each Splunk UBA node as the caspida user.
- Run the following command to remove the files under the Apache Spark directory in the Splunk home directory (/opt/splunk):
sudo rm -rf /opt/splunk/bin/jars/vendors/spark/*
- After you remove /opt/splunk/bin/jars/vendors/spark/* from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user and run the following commands to restart Splunk UBA:
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
Remove Apache Storm Log4j libraries
Splunk UBA includes Apache Storm, which contains Log4j 2.x libraries. The Apache Storm Log4j libraries are under the following file path: /usr/share/apache-storm*
In Splunk UBA 5.1.0, you can remove Apache Storm to also remove Log4j 2.x from your deployment.
Perform the following steps to remove Apache Storm and the corresponding Log4j 2.x libraries:
- Log in to each Splunk UBA node as the caspida user.
- Run the following command to remove the Apache Storm directory and its corresponding files:
sudo rm -rf /usr/share/apache-storm*
- After you remove /usr/share/apache-storm* from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user.
- On the Splunk UBA management node only, run the following commands to restart Splunk UBA:
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0