Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,640 --> 00:00:06,080 hello friends welcome back to my channel 2 00:00:03,439 --> 00:00:07,679 and today we are back with another 3 00:00:06,080 --> 00:00:10,080 important topic 4 00:00:07,679 --> 00:00:11,759 so this topic we are going to talk about 5 00:00:10,080 --> 00:00:14,320 one of the critical apache 6 00:00:11,759 --> 00:00:17,118 vulnerabilities which is recently 7 00:00:14,320 --> 00:00:19,278 identified and which is a hot topic now 8 00:00:17,118 --> 00:00:22,160 because every major tech companies and 9 00:00:19,278 --> 00:00:24,640 i.t companies or other companies are 10 00:00:22,160 --> 00:00:25,760 really running uh to get this fixed so 11 00:00:24,640 --> 00:00:27,679 this is a 12 00:00:25,760 --> 00:00:30,000 high critical vulnerabilities which has 13 00:00:27,679 --> 00:00:32,558 which have to be you know fixed very 14 00:00:30,000 --> 00:00:34,719 quickly that's what the information was 15 00:00:32,558 --> 00:00:38,238 passed and this uh vulnerability is 16 00:00:34,719 --> 00:00:40,719 called apache log 4j vulnerabilities 17 00:00:38,238 --> 00:00:42,959 so but i'm not going to talk uh more 18 00:00:40,719 --> 00:00:45,200 about how you know 19 00:00:42,960 --> 00:00:47,280 this vulnerabilities is created will 20 00:00:45,200 --> 00:00:49,039 give you basic information and i'm not 21 00:00:47,280 --> 00:00:49,840 going to talk from an apache point of 22 00:00:49,039 --> 00:00:52,160 view 23 00:00:49,840 --> 00:00:54,800 uh this tutorial is more about on the 24 00:00:52,159 --> 00:00:57,759 splunk so i want to talk about i know 25 00:00:54,799 --> 00:00:59,519 there is a advisory released by splunk 26 00:00:57,759 --> 00:01:02,558 as well on this apache lock for 27 00:00:59,520 --> 00:01:06,000 vulnerability and how this is impacting 28 00:01:02,558 --> 00:01:08,158 the splunk or splunk apps you know so 29 00:01:06,000 --> 00:01:09,840 now what i'm going to talk about in this 30 00:01:08,159 --> 00:01:12,159 tutorial or i'm going to show you is 31 00:01:09,840 --> 00:01:14,000 based on that article by splunk has 32 00:01:12,159 --> 00:01:16,159 released i'll give you you know the 33 00:01:14,000 --> 00:01:18,560 details on which our applications are 34 00:01:16,159 --> 00:01:21,759 having this problem and how we can fix 35 00:01:18,560 --> 00:01:22,560 those vulnerabilities uh for uh splunk 36 00:01:21,759 --> 00:01:24,079 so 37 00:01:22,560 --> 00:01:26,478 basically you know that process will be 38 00:01:24,079 --> 00:01:28,478 applicable for you for other 39 00:01:26,478 --> 00:01:30,400 places as well but i'm not sure but 40 00:01:28,478 --> 00:01:32,799 you'll have to check how that can be 41 00:01:30,400 --> 00:01:35,359 fixed for other applications so let's 42 00:01:32,799 --> 00:01:44,219 get started 43 00:01:35,359 --> 00:01:44,219 [Music] 44 00:01:44,239 --> 00:01:48,478 to give you some basic information on 45 00:01:46,640 --> 00:01:50,960 what is lock for j software 46 00:01:48,478 --> 00:01:54,158 vulnerability so as i said you know this 47 00:01:50,959 --> 00:01:56,239 is very top uh discussions now and every 48 00:01:54,159 --> 00:01:58,880 you know uh tech companies whether it's 49 00:01:56,239 --> 00:02:00,959 you know uh twitter or apple or any 50 00:01:58,879 --> 00:02:04,000 company so i think most of everybody 51 00:02:00,959 --> 00:02:05,919 will be using this log4j library so what 52 00:02:04,000 --> 00:02:09,118 it has been found like there is a bug in 53 00:02:05,920 --> 00:02:11,759 this log4j library which is from apache 54 00:02:09,118 --> 00:02:15,439 and which allows an attacker or hacker 55 00:02:11,759 --> 00:02:18,959 to execute some code on our systems that 56 00:02:15,439 --> 00:02:21,439 uses a lock 4g to write locks okay so 57 00:02:18,959 --> 00:02:23,520 what uh it allows this because of this 58 00:02:21,439 --> 00:02:25,759 like you know it allows the hackers to 59 00:02:23,520 --> 00:02:28,879 access our complete uh 60 00:02:25,759 --> 00:02:30,878 servers or system wherever this log4j 61 00:02:28,878 --> 00:02:32,159 library is used so that's what the 62 00:02:30,878 --> 00:02:34,318 overall 63 00:02:32,159 --> 00:02:36,479 vulnerability is about and 64 00:02:34,318 --> 00:02:39,199 as i said now all the major tech 65 00:02:36,479 --> 00:02:41,119 companies are rushing to get this uh 66 00:02:39,199 --> 00:02:43,199 fixed and apache has already released 67 00:02:41,120 --> 00:02:45,840 the version so this vulnerability is 68 00:02:43,199 --> 00:02:48,959 mainly impacting on two dot uh versions 69 00:02:45,840 --> 00:02:50,840 till 2.14 some version and you know you 70 00:02:48,959 --> 00:02:54,000 can update it to 71 00:02:50,840 --> 00:02:55,360 2.15.0 or more than that and that will 72 00:02:54,000 --> 00:02:56,560 fix this problem 73 00:02:55,360 --> 00:02:59,440 so um 74 00:02:56,560 --> 00:03:02,319 the main uh reason why this uh you know 75 00:02:59,439 --> 00:03:05,759 is as a big issue is because as i said 76 00:03:02,318 --> 00:03:08,079 log4j is a library and it's mostly used 77 00:03:05,759 --> 00:03:10,639 on many java applications 78 00:03:08,080 --> 00:03:13,519 so we we know like we have a lot of java 79 00:03:10,639 --> 00:03:15,439 application most of all companies and 80 00:03:13,519 --> 00:03:18,158 all this java application 81 00:03:15,439 --> 00:03:21,199 will use some kind of logging of data 82 00:03:18,158 --> 00:03:24,079 and log4j is the best or easiest way to 83 00:03:21,199 --> 00:03:26,560 do that so every most of all company may 84 00:03:24,080 --> 00:03:28,799 be using this log4j libraries that's why 85 00:03:26,560 --> 00:03:31,360 you know now everybody is rushing to get 86 00:03:28,799 --> 00:03:34,239 this fixed so now let's talk about you 87 00:03:31,360 --> 00:03:36,080 know how this is impacting on splunk and 88 00:03:34,239 --> 00:03:37,840 we will see like what are apps which are 89 00:03:36,080 --> 00:03:39,360 having this problem how to get those 90 00:03:37,840 --> 00:03:41,920 fixed and i will also show you from 91 00:03:39,360 --> 00:03:43,760 where you can download you know the 92 00:03:41,919 --> 00:03:45,759 latest version and what are some 93 00:03:43,759 --> 00:03:47,518 solutions which is available and now how 94 00:03:45,759 --> 00:03:50,000 you can also identify 95 00:03:47,519 --> 00:03:52,879 this log4j using some scans and all 96 00:03:50,000 --> 00:03:55,199 those things so uh let's get started on 97 00:03:52,878 --> 00:03:56,959 the splunk topics before that i would 98 00:03:55,199 --> 00:03:59,280 request you like if you are new to my 99 00:03:56,959 --> 00:04:01,598 channel or if you have not subscribed to 100 00:03:59,280 --> 00:04:04,479 my channel click on the subscribe button 101 00:04:01,598 --> 00:04:06,238 and also like my video and also 102 00:04:04,479 --> 00:04:09,598 press the bell icon or give your 103 00:04:06,239 --> 00:04:11,519 comments share this videos with others 104 00:04:09,598 --> 00:04:14,079 so now coming to this 105 00:04:11,519 --> 00:04:16,160 splunk security advisory so this link i 106 00:04:14,080 --> 00:04:18,000 will give you to the video description 107 00:04:16,160 --> 00:04:20,639 so i think this is getting updated uh 108 00:04:18,000 --> 00:04:22,959 regularly on their findings so now you 109 00:04:20,639 --> 00:04:25,040 can see as per this uh 110 00:04:22,959 --> 00:04:27,359 blog itself it has clearly mentioned 111 00:04:25,040 --> 00:04:30,000 about this critical remote core 112 00:04:27,360 --> 00:04:31,879 execution vulnerabilities and it is 113 00:04:30,000 --> 00:04:34,879 based on this apache 114 00:04:31,879 --> 00:04:36,879 log4j2 version so it is from 2.0 to 115 00:04:34,879 --> 00:04:39,918 2.14.1 116 00:04:36,879 --> 00:04:42,639 so you know anything which is above you 117 00:04:39,918 --> 00:04:44,560 know 2.15.0 i think that's where they 118 00:04:42,639 --> 00:04:46,079 help release the 119 00:04:44,560 --> 00:04:48,079 version apache has released the new 120 00:04:46,079 --> 00:04:51,120 version for lock4j 121 00:04:48,079 --> 00:04:53,599 uh so we can use that to fix this now 122 00:04:51,120 --> 00:04:56,319 basically for splunk you know splunk is 123 00:04:53,600 --> 00:04:58,160 already reviewing all the products 124 00:04:56,319 --> 00:04:59,918 impacting uh because of this 125 00:04:58,160 --> 00:05:02,240 vulnerability and they're also working 126 00:04:59,918 --> 00:05:04,478 on the mitigations that's what it says 127 00:05:02,240 --> 00:05:06,960 and you know uh basically the splunk 128 00:05:04,478 --> 00:05:10,399 enterprise or you know they don't have 129 00:05:06,959 --> 00:05:12,560 an impact uh unless you can see course 130 00:05:10,399 --> 00:05:15,038 enterprise functionality does not use 131 00:05:12,560 --> 00:05:17,360 log4j so therefore no impact so if you 132 00:05:15,038 --> 00:05:20,800 are using a splunk enterprise there is 133 00:05:17,360 --> 00:05:24,000 no impact unless if you are using data 134 00:05:20,800 --> 00:05:27,120 fabric search tfs or splunk analytics 135 00:05:24,000 --> 00:05:30,079 for hadoop hung so if these two products 136 00:05:27,120 --> 00:05:32,160 are used because this how you know 137 00:05:30,079 --> 00:05:35,038 there is a impact because this product 138 00:05:32,160 --> 00:05:37,199 uses a leveraged log 4g so if you're 139 00:05:35,038 --> 00:05:39,680 using these two as part of our your 140 00:05:37,199 --> 00:05:41,199 splunk and the price then you 141 00:05:39,680 --> 00:05:43,759 will end up in some kind of 142 00:05:41,199 --> 00:05:46,160 vulnerabilities so if these features are 143 00:05:43,759 --> 00:05:48,160 not used then there is no active attack 144 00:05:46,160 --> 00:05:51,039 vector related to these vulnerabilities 145 00:05:48,160 --> 00:05:53,280 which is released on apache lock 4g so 146 00:05:51,038 --> 00:05:55,599 that's what clearly it's mentioned 147 00:05:53,279 --> 00:05:58,000 and you can also read like all the 148 00:05:55,600 --> 00:05:59,680 recent non-windows version of splunk 149 00:05:58,000 --> 00:06:02,160 enterprise 150 00:05:59,680 --> 00:06:04,240 for these features so 151 00:06:02,160 --> 00:06:06,880 and windows version does not include 152 00:06:04,240 --> 00:06:09,360 include log forge so there is no uh 153 00:06:06,879 --> 00:06:11,360 problem in that and you know we are not 154 00:06:09,360 --> 00:06:12,800 using it but there is also another steps 155 00:06:11,360 --> 00:06:15,439 you know if you 156 00:06:12,800 --> 00:06:17,038 want to you delete any unwanted jar file 157 00:06:15,439 --> 00:06:20,160 you can do that i will show you that as 158 00:06:17,038 --> 00:06:22,399 well now if you come to this product 159 00:06:20,160 --> 00:06:24,800 list so they have also listed what all 160 00:06:22,399 --> 00:06:27,198 the products which are impacted uh by 161 00:06:24,800 --> 00:06:29,360 this vulnerability so the main thing is 162 00:06:27,199 --> 00:06:32,560 like the java management extension so if 163 00:06:29,360 --> 00:06:34,800 you are using jmx plugin so this java 164 00:06:32,560 --> 00:06:36,959 plug you know management plug-in to 165 00:06:34,800 --> 00:06:39,759 capture a lot of data 166 00:06:36,959 --> 00:06:41,918 you need to know that this is using uh 167 00:06:39,759 --> 00:06:44,319 you know this jam uh j 168 00:06:41,918 --> 00:06:45,038 this um you know apache 169 00:06:44,319 --> 00:06:46,080 uh 170 00:06:45,038 --> 00:06:49,120 dot log 171 00:06:46,079 --> 00:06:52,000 log4j file okay 172 00:06:49,120 --> 00:06:54,319 sorry about so apache log4j 173 00:06:52,000 --> 00:06:57,959 files are used and you know you can see 174 00:06:54,319 --> 00:07:01,039 this version uh the impacted version is 175 00:06:57,959 --> 00:07:03,439 3.0210 so even though it says that fixes 176 00:07:01,038 --> 00:07:06,000 pending and workaround to be determined 177 00:07:03,439 --> 00:07:09,038 uh one of suggestion i can tell you is 178 00:07:06,000 --> 00:07:10,800 like you know it's uh more like a 179 00:07:09,038 --> 00:07:14,478 file right so what you can do is you can 180 00:07:10,800 --> 00:07:16,720 go to apache uh you know log 4j download 181 00:07:14,478 --> 00:07:19,680 i will give this link for that as well 182 00:07:16,720 --> 00:07:22,240 and you can download this uh you know 183 00:07:19,680 --> 00:07:24,400 tar file for linux and if you're for 184 00:07:22,240 --> 00:07:26,160 windows you can download the bin file 185 00:07:24,399 --> 00:07:28,478 and you can extract it so which will 186 00:07:26,160 --> 00:07:29,439 give you the you know complete uh list 187 00:07:28,478 --> 00:07:31,519 of 188 00:07:29,439 --> 00:07:34,000 uh the files 189 00:07:31,519 --> 00:07:36,399 so you can go to the download so if it's 190 00:07:34,000 --> 00:07:39,279 going to be zip file you can download it 191 00:07:36,399 --> 00:07:40,879 for zip file if it's for a linux machine 192 00:07:39,279 --> 00:07:43,679 you can download the tar file now you 193 00:07:40,879 --> 00:07:45,680 can see it give you the all versions so 194 00:07:43,680 --> 00:07:49,280 basically you know what we will have it 195 00:07:45,680 --> 00:07:52,079 in uh splunk jmx plugin would be 196 00:07:49,279 --> 00:07:54,478 the api and also the core 197 00:07:52,079 --> 00:07:57,519 so these two files you know it should be 198 00:07:54,478 --> 00:08:01,279 a used in the jmx plugin it will be 199 00:07:57,519 --> 00:08:04,318 available under the splunk home etc apps 200 00:08:01,279 --> 00:08:06,638 and you will have a splunk th jmx and 201 00:08:04,319 --> 00:08:08,720 inside that you will have bin and lib 202 00:08:06,639 --> 00:08:12,560 and you should be able to see these 203 00:08:08,720 --> 00:08:14,560 files like log4j api analog 4g core and 204 00:08:12,560 --> 00:08:16,720 maybe some other file as well but i've 205 00:08:14,560 --> 00:08:19,199 seen these two specifically 206 00:08:16,720 --> 00:08:21,919 so what you can do is you can you know 207 00:08:19,199 --> 00:08:23,840 rename the old files or you can you know 208 00:08:21,918 --> 00:08:26,399 make it as a backup 209 00:08:23,839 --> 00:08:28,399 then you can you know move these new 210 00:08:26,399 --> 00:08:29,279 files into that location and then you 211 00:08:28,399 --> 00:08:31,839 can 212 00:08:29,279 --> 00:08:33,918 stop the splunk and restart the splunk 213 00:08:31,839 --> 00:08:35,759 service so that should take care you 214 00:08:33,918 --> 00:08:37,038 know at least the usage of the old 215 00:08:35,759 --> 00:08:40,958 plugin 216 00:08:37,038 --> 00:08:42,559 all the no lock 4g version in your jmx 217 00:08:40,958 --> 00:08:44,479 app so i would 218 00:08:42,559 --> 00:08:47,119 say you know that's one of uh 219 00:08:44,480 --> 00:08:48,639 option i suggest um 220 00:08:47,120 --> 00:08:50,399 as far as i see you know if you just 221 00:08:48,639 --> 00:08:51,679 want to replace with all the new version 222 00:08:50,399 --> 00:08:53,759 this would be the 223 00:08:51,679 --> 00:08:56,079 easiest way unless you know splunk come 224 00:08:53,759 --> 00:08:56,799 up with some kind of solution so if you 225 00:08:56,080 --> 00:08:58,560 can 226 00:08:56,799 --> 00:09:00,639 once they come up you should be able to 227 00:08:58,559 --> 00:09:02,799 use that solution as well 228 00:09:00,639 --> 00:09:05,600 now you can see also other apps like 229 00:09:02,799 --> 00:09:06,838 jboss tomcat you know data stream 230 00:09:05,600 --> 00:09:09,759 processor 231 00:09:06,839 --> 00:09:11,279 itsi you know kafka connect and the 232 00:09:09,759 --> 00:09:12,639 price you know if you see the enterprise 233 00:09:11,278 --> 00:09:14,159 we already spoke about it it's 234 00:09:12,639 --> 00:09:16,559 applicable only for 235 00:09:14,159 --> 00:09:18,719 if you're using hung or dfs 236 00:09:16,559 --> 00:09:21,119 but basically you also have some places 237 00:09:18,720 --> 00:09:23,040 this file will be seen but even though 238 00:09:21,120 --> 00:09:24,879 it's there it's not the impacting or 239 00:09:23,039 --> 00:09:27,039 it's not used anywhere so you that's 240 00:09:24,879 --> 00:09:28,958 what it says but if you want delete them 241 00:09:27,039 --> 00:09:30,879 you can delete uh 242 00:09:28,958 --> 00:09:32,159 using some settings i will show you that 243 00:09:30,879 --> 00:09:34,639 how to do that 244 00:09:32,159 --> 00:09:37,519 and other apps like splunk enterprise 245 00:09:34,639 --> 00:09:40,000 amazon machine image splunk and docker 246 00:09:37,519 --> 00:09:42,080 container logging for java you know 247 00:09:40,000 --> 00:09:44,080 stream processor and you can see in 248 00:09:42,080 --> 00:09:46,480 which version is on-prem cloud all those 249 00:09:44,080 --> 00:09:48,240 things are defined now they also diff 250 00:09:46,480 --> 00:09:49,839 confirm that these products are not 251 00:09:48,240 --> 00:09:51,600 vulnerable so they have already gone 252 00:09:49,839 --> 00:09:54,080 through a list of uh 253 00:09:51,600 --> 00:09:56,320 apps uh so you can also see like if you 254 00:09:54,080 --> 00:09:58,160 are you know using any of this app then 255 00:09:56,320 --> 00:10:00,720 it's not vulnerable as well it's not 256 00:09:58,159 --> 00:10:04,000 using the apache lock for js you can see 257 00:10:00,720 --> 00:10:05,519 splunk universal photo now you see like 258 00:10:04,000 --> 00:10:08,159 if you want to remove even though it's 259 00:10:05,519 --> 00:10:10,799 not used for example if the does not 260 00:10:08,159 --> 00:10:13,278 leverage the presence of these libraries 261 00:10:10,799 --> 00:10:15,039 that not did not you know introduce any 262 00:10:13,278 --> 00:10:17,200 attack vector that means even though the 263 00:10:15,039 --> 00:10:18,639 file is listed there it's not 264 00:10:17,200 --> 00:10:20,959 introducing any 265 00:10:18,639 --> 00:10:21,838 uh you know or vulnerabilities or it's 266 00:10:20,958 --> 00:10:23,919 not 267 00:10:21,839 --> 00:10:25,920 introducing any attack vector 268 00:10:23,919 --> 00:10:27,599 so uh but in case if you want to be 269 00:10:25,919 --> 00:10:29,599 cautious and if you want you want to 270 00:10:27,600 --> 00:10:32,000 remove even though it's not used you 271 00:10:29,600 --> 00:10:33,600 want to remove those you have to go to 272 00:10:32,000 --> 00:10:37,519 all these location and you should be 273 00:10:33,600 --> 00:10:39,040 able to see uh these files for log 4j 274 00:10:37,519 --> 00:10:41,120 and you should you can delete them but 275 00:10:39,039 --> 00:10:43,439 you know the pro one statement they have 276 00:10:41,120 --> 00:10:45,120 given is once you remove it you know 277 00:10:43,440 --> 00:10:47,920 when you're starting up splunk you may 278 00:10:45,120 --> 00:10:50,399 get some integrity errors because these 279 00:10:47,919 --> 00:10:52,559 are files are moved and this is 280 00:10:50,399 --> 00:10:54,559 as expected because we are deleting 281 00:10:52,559 --> 00:10:57,359 those files and these errors can be 282 00:10:54,559 --> 00:11:00,719 ignored so that's what it says you know 283 00:10:57,360 --> 00:11:03,278 in the case but if you are using any any 284 00:11:00,720 --> 00:11:05,360 apps you know which as part of this list 285 00:11:03,278 --> 00:11:09,200 and specifically as i see like java apps 286 00:11:05,360 --> 00:11:11,200 like jmx plug-in or jmx app i know it's 287 00:11:09,200 --> 00:11:13,360 definitely using it so you have to go 288 00:11:11,200 --> 00:11:15,519 there and you can change uh delete those 289 00:11:13,360 --> 00:11:18,159 older version and you can put the new 290 00:11:15,519 --> 00:11:21,120 jar files over the locations so it says 291 00:11:18,159 --> 00:11:24,159 that it's mainly in the jmx app so it's 292 00:11:21,120 --> 00:11:26,240 under etc apps and the splunk tha jmx 293 00:11:24,159 --> 00:11:28,958 and bin lips which you should be able to 294 00:11:26,240 --> 00:11:30,799 see those files 295 00:11:28,958 --> 00:11:32,159 so that's what i'm to show like i'll 296 00:11:30,799 --> 00:11:34,159 give you these links in the video 297 00:11:32,159 --> 00:11:37,679 description so you can have a look into 298 00:11:34,159 --> 00:11:40,319 this you can go to this uh apache log4j 299 00:11:37,679 --> 00:11:42,559 to know a download file as well then you 300 00:11:40,320 --> 00:11:45,040 can go through it and you know you can 301 00:11:42,559 --> 00:11:47,359 download the files and you can zip unzip 302 00:11:45,039 --> 00:11:49,759 it and you can make use of that so 303 00:11:47,360 --> 00:11:51,039 that's all overall thing about this uh 304 00:11:49,759 --> 00:11:54,319 vulnerability 305 00:11:51,039 --> 00:11:57,439 so i i hope it's useful for you and uh i 306 00:11:54,320 --> 00:11:59,278 hope you know you like my videos and for 307 00:11:57,440 --> 00:12:01,920 watching more videos i will request you 308 00:11:59,278 --> 00:12:04,078 to subscribe for more videos and also 309 00:12:01,919 --> 00:12:06,250 like my videos share and comment so 310 00:12:04,078 --> 00:12:15,088 thank you for watching 311 00:12:06,250 --> 00:12:15,089 [Music] 312 00:12:15,278 --> 00:12:17,360 you 22680