Log4j in Splunk UBA 5.3.0
In Splunk UBA version 5.3.0, all Log4j related jars in the OS packages have either been removed or replaced by Reload4j besides the following.
The following packages have been patched to remove vulnerable classes:
- Log4j 1.2.x in
/var/vcap/store/docker/aufs/diff/<Image Layer ID>/usr/lib/impala/lib/
:- org/apache/log4j/net/SocketAppender.class: CVE-2019-17571
- org/apache/log4j/net/SocketServer.class: CVE-2019-17571
- org/apache/log4j/net/SMTPAppender$1.class: CVE-2020-9488
- org/apache/log4j/net/SMTPAppender.class: CVE-2020-9488
- org/apache/log4j/net/JMSAppender.class: CVE-2021-4104
- org/apache/log4j/net/JDBCAppender.class: CVE-2022-23305
- org/apache/log4j/chainsaw/*.class: CVE-2022-23307
This can also be safely resolved by removing the /var/vcap/store/docker/aufs/diff/ directory, as mentioned in the Known issue UBA-17734.
- Log4j 2.x in the Hive OS library
/usr/lib/hive/lib
:- org/apache/logging/log4j/core/lookup/JndiLookup.class: CVE-2021-44228
- Non-core Log4j files which do not contain critical or high vulnerabilities.
Fixed issues in Splunk UBA | Getting help with Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.3.0
Feedback submitted, thanks!