Splunk Alert
Warning Date: 23 December, 2019
Severity Level: ● Critical
Warning Number: 2019-755
Target Sector: All
Description:
Splunk has released an alert regarding timestamp recognition on the following Splunk platform instance types, on any operating system:
- Splunk Light
- Splunk Cloud
- Splunk Enterprise, including indexers (clustered or not), heavy forwarders, search heads (clustered or not), search head deployers, deployment servers, cluster masters and license masters
- Splunk universal forwarders, under the following known conditions:
  - When they have been configured to process structured data (e.g. CSV, XML, and JSON).
  - When they have been configured to process data locally.
Threats:
On January 1, 2020, unpatched instances will mistakenly treat incoming data as having an invalid timestamp year. They could then either add timestamps using the current year, or misinterpret the date and add a timestamp with the misinterpreted date, so events are indexed with the wrong time.
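An added example, not part of the advisory and not Splunk's own code, illustrating the failure mode above and the check a practitioner wants after applying the fix. A constructed timestamp rule whose two-digit-year group only admits 00 to 19 stands in for the defective datetime.xml; the regexes, the sample events and INDEX_TIME are all assumptions for illustration, not Splunk's actual configuration.

```python
import re
from datetime import datetime

# Constructed sample events (not from the advisory) with dd/mm/yy dates
# spanning the 2019/2020 boundary.
SAMPLE_EVENTS = [
    "31/12/19 23:59:58 app=billing msg=close",
    "01/01/20 00:00:01 app=billing msg=open",
    "15/03/20 08:30:00 app=auth msg=login",
]

# Assumed index time: the moment the indexer receives the events.
INDEX_TIME = datetime(2020, 1, 1, 0, 0, 5)

# Constructed illustration of the defect class: a two-digit-year group that
# only admits 00-19. This is NOT Splunk's datetime.xml; it stands in for a
# rule whose recognised year range ends at 2019.
OLD_YEAR_RULE = re.compile(
    r"\b(?P<d>\d{2})/(?P<m>\d{2})/(?P<y>[01]\d) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})\b"
)
# Corrected rule: any two-digit year is accepted.
NEW_YEAR_RULE = re.compile(
    r"\b(?P<d>\d{2})/(?P<m>\d{2})/(?P<y>\d{2}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})\b"
)


def extract_time(event, rule, index_time):
    """Parse the event's own timestamp with `rule`.

    Returns (timestamp, from_event). When the rule does not match, there is
    no usable year in the event and the indexer falls back to `index_time`,
    which is the 'timestamp using the current year' outcome the advisory
    describes.
    """
    m = rule.search(event)
    if m is None:
        return index_time, False
    g = {k: int(v) for k, v in m.groupdict().items()}
    ts = datetime(2000 + g["y"], g["m"], g["d"], g["hh"], g["mm"], g["ss"])
    return ts, True


def audit(rule, events, index_time):
    """Count events whose time did not come from the event text.

    Run a sample set dated in 2020 through the active rule: a non-zero
    count means timestamp recognition is still broken; after the fix it
    should drop to zero.
    """
    return sum(1 for e in events if not extract_time(e, rule, index_time)[1])


if __name__ == "__main__":
    for name, rule in (("old", OLD_YEAR_RULE), ("new", NEW_YEAR_RULE)):
        for e in SAMPLE_EVENTS:
            ts, ok = extract_time(e, rule, INDEX_TIME)
            origin = "from event" if ok else "FALLBACK to index time"
            print(f"{name}: {e[:17]!r} -> {ts.isoformat()} ({origin})")
        lost = audit(rule, SAMPLE_EVENTS, INDEX_TIME)
        print(f"{name}: {lost} event(s) did not get their own timestamp")
```

With the old rule, both 2020-dated events fall back to the index time, so their recorded time is off by seconds here and by hours or days for any backlog or delayed feed; with the corrected rule every event keeps its own timestamp. The same idea applies to a real deployment: index a few test events dated in 2020 after replacing datetime.xml and confirm that _time matches the event text.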
Best practice and Recommendations:
The CERT team encourages users to apply the necessary updates. Splunk Cloud customers will receive the fix on their Splunk Cloud instances automatically.
To apply the fix, use one of the following solutions:
- Splunk has released a Splunk app that temporarily replaces the defective datetime.xml file with the fixed file.
- Splunk is providing an updated version of the datetime.xml file for download. This option is the preferred path for customers who cannot upgrade right away to a version of the Splunk platform with the fixed file, or who run an unsupported version that is lower than 6.6.x.
- Splunk is releasing updated versions of the Splunk platform that contain an updated datetime.xml.
- Editing the datetime.xml file directly.
For more details:
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020