Splunk warning over Y2K-style bug set to hit all versions on 1st January 2020

Splunk users urged to patch immediately

Splunk has disclosed a flaw in its platform that would cause timestamp recognition of dates with two-digit years to fail - starting on New Year's Day.

The issue affects all unpatched Splunk instances, including Splunk Light, Enterprise, and Cloud, on all operating systems. According to Splunk, it would keep users from getting correct results when they query threat data for crucial information.

"Beginning on January 1, 2020, un-patched Splunk platform instances will be unable to recognise timestamps from events where the date contains a two-digit year," the company warned in an advisory released this week.

The issue affects all unpatched Splunk instances, including Splunk Light, Enterprise, and Cloud, on all operating systems

"This means data that meets this criteria will be indexed with incorrect timestamps," the advisory added.

The bug disclosed by Splunk draws similarities to the infamous Year 2000 (Y2K) issue that was associated with the roll over of year in computer systems from 1999 to 2000. At that time, it was widely believed that the bug would result in collapse of computer systems infrastructure around the world.

According to Splunk, the bug in its platform will mark the change in system date to 1st January 2020 as invalid. It will then either default back to a 2019 date or add some incorrect "misinterpreted date".

The issue stems from a flawed file called datetime.xml, which is used to determine correct timestamps based on incoming data.

There is no technique to correct the timestamps after the Splunk platform ingests the data. If an unpatched platform instance ingests the data, the user will need to first patch the instance and then ingest the data again for timestamps to be correct.

According to Splunk, the bug for all operating systems can be patched in three ways:

• Download the latest version of datetime.xml file and apply it to each of Splunk platform instances
• Modify the existing datetime.xml file manually on Splunk platform instances
• Update Splunk platform instances to a version with latest datetime.xml version

Splunk also revealed that starting 13th September 2020 at 12:26:39 PM UTC, all unpatched Splunk instances will stop recognising timestamps for events with dates based on Unix time.

Splunk is a data analytics platform provider based in San Francisco. The company focuses on business analytics and software monitoring services and has a customer base of nearly 19,000 users worldwide.