Splunk jQuery 3.5 Upgrade: Make a Plan

Scott Eagles - October 2021

 

What is jQuery?

jQuery is a JavaScript library that simplifies web development. Splunk primarily uses jQuery in Simple XML dashboards and some deprecated HTML dashboards. This means that it is present in Splunk Enterprise, ITSI, MLTK, ES, Splunkbase and private applications.

 

 

What is the problem?

There are known cross-site scripting (XSS) vulnerabilities, as well as vulnerabilities created by object prototype pollution, in the current and previous versions of Splunk.

 

Why should you care?

Apps that are not updated by August 31, 2021 will be considered insecure. New apps and new versions of existing apps that are published to Splunkbase will not be made public if they contain outdated jQuery dependencies. The vetting process used to approve Splunkbase and private apps for installation in Splunk Cloud will start enforcing usage of jQuery 3.5 or newer at this time as well.

 

What will the possible impacts be outside of being vulnerable if nothing is done?

  • Incompatibility will exist between versions of Splunk, Splunkbase Apps and custom apps (dashboards created using jQuery and embedded Splunk functions).
  • Applications and dashboards could malfunction if they are not identified and updated.
  • Applications will not pass Splunk’s App Inspect tool (AppInspect) that is used to validate the quality of a Splunk app against a set of Splunk-defined criteria to determine whether the app is ready for production.

 

What is the solution?

Although mitigation efforts reduce the attack surface for these vulnerabilities, upgrading to the latest version of jQuery provides customers better security. This upgrade not only improves security but potentially offers a performance boost due to faster script execution and loading time. In addition, apps that are jQuery 3.5 compliant will be compatible with Splunk Enterprise version 8.2 (Cloud 8.1.2103) and future releases. 

 

How to prepare for jQuery 3.5 and Splunk 8.3+

Identify potential dashboards and Splunk apps that need to be updated.

  • Simple XML dashboard without custom JavaScript (most user developed dashboards) – should not experience errors as a result of the upgrade to jQuery 3.5. Likely no action is needed.
  • Simple XML dashboard with custom JavaScript – Update the dashboard to rely on jQuery 3.5 only.
  • HTML dashboard – HTML dashboards are deprecated. Rebuild them in Dashboard Studio. 
  • Custom Splunk Apps – Update apps to ensure they support jQuery 3.5 and validate using the latest version of Splunk AppInspect.
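
One way to take this inventory from the file system, as an added example that is not Splunk's or the author's code. It assumes the standard app layout (views under default/ or local/data/ui/views, HTML dashboards under data/ui/html, static files under appserver/static), that custom JavaScript is attached through the script attribute on the dashboard or form root element, and that bundled jQuery files carry their usual version banner; audit_app, jquery_version and build_sample_app are hypothetical names, and the sample app is constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Version banner found at the top of minified and unminified jQuery builds.
JQUERY_BANNER = re.compile(r"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)")
MIN_JQUERY = (3, 5, 0)

def jquery_version(js_path):
    """Return (major, minor, patch) if the file carries a jQuery banner, else None."""
    match = JQUERY_BANNER.search(js_path.read_text(errors="replace")[:2048])
    return tuple(map(int, match.groups())) if match else None

def audit_app(app_dir):
    """Return sorted (relative_path, finding) pairs for one Splunk app directory."""
    app, findings = Path(app_dir), []
    for conf in ("default", "local"):
        ui = app / conf / "data" / "ui"
        for view in ui.glob("views/*.xml"):
            # Parse only apps you trust; use defusedxml for third-party packages.
            try:
                root = ET.parse(view).getroot()
            except ET.ParseError:
                findings.append((view, "unparseable XML: review manually"))
                continue
            if root.tag in ("dashboard", "form") and root.get("script"):
                findings.append((view, "custom JavaScript: " + root.get("script")))
        for html in ui.glob("html/*.html"):
            findings.append((html, "HTML dashboard: rebuild in Dashboard Studio"))
    for js in (app / "appserver" / "static").rglob("*.js"):
        version = jquery_version(js)
        if version and version < MIN_JQUERY:
            findings.append((js, "bundled jQuery %d.%d.%d" % version))
    return sorted((p.relative_to(app).as_posix(), msg) for p, msg in findings)

def build_sample_app(root):
    """Write a constructed three-dashboard app under root and return its path."""
    files = {
        "default/data/ui/views/plain.xml": "<dashboard><label>Plain</label></dashboard>",
        "default/data/ui/views/custom.xml": '<form script="table_icons.js"><label>C</label></form>',
        "default/data/ui/html/legacy.html": "<html><body>legacy</body></html>",
        "appserver/static/table_icons.js": "require(['jquery'], function($) {});",
        "appserver/static/lib/jquery.min.js": "/*! jQuery v2.1.0 | (c) constructed sample */",
    }
    for rel, text in files.items():
        path = Path(root) / "sample_app" / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return Path(root) / "sample_app"
```

A finding only marks a file for review: the script does not check whether the custom JavaScript calls jQuery APIs that changed in 3.5, and a dashboard with no finding falls in the "likely no action" category above.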

 

Plan and upgrade Splunk and Splunkbase Apps. Use the table below to identify which jQuery 3.5 compliant product versions to upgrade to.

 

Splunk jQuery 3.5 Compliant Products

| Product | Version |
|---|---|
| Splunk Enterprise Cloud | v 8.2.2105.2 or newer |
| Splunk Enterprise On-Prem | v 8.3 |
| Splunk Enterprise Security (Cloud and On-Prem) | v 6.6 |
| Splunk ITSI Cloud | v 4.10.0 |
| Splunk ITSI On-Prem | v 4.11.0 |
| Splunk MLTK | v 5.2.2 |
| Splunk Supported Applications | Varies |
| Third Party Applications | Varies |

 

  1. Upgrade Splunk Enterprise
  2. Upgrade Splunk Premium Apps
  3. Upgrade Splunk Splunkbase Apps
  4. Update Dashboards and Custom Apps*

 

*No need to manually validate each custom application as Splunk is including a jQuery readiness dashboard (Splunk Admins only) in Splunk 8.3+ to identify jQuery versions prior to 3.5. In addition, Administrators will have the option to utilize older jQuery on a dashboard-by-dashboard basis while upgrading to the newer version (for a limited time).

 

There’s an opportunity for a smooth transition to jQuery 3.5 if you plan ahead and take the necessary actions to identify potential conflicts and resolve them. Do not let the opportunity slip by; take advantage of this time.

 

As always, if time and resources are not on your side, Arcus Data can help you identify, plan and transition your Splunk environment efficiently.


