-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2963
        Splunk Enterprise and Splunk Cloud Platform security update
                               16 June 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Splunk Enterprise
                   Splunk Cloud Platform
Publisher:         Splunk
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-32155 CVE-2022-32154 CVE-2022-32153
                   CVE-2022-32152 CVE-2022-32151

Original Bulletin:
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0602.html
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0603.html
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.html
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0605.html

Comment: CVSS (Max):  8.1 CVE-2022-32153 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Splunk
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

         This bulletin contains five (5) Splunk security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

Splunk Enterprise disabled TLS validation using the CA certificate stores in
Python 3 libraries by default

Advisory ID:      SVD-2022-0601
CVE ID:           CVE-2022-32151
Published:        2022-06-14
Last Update:      2022-06-14
CVSSv3.1 Score:   7.4, High
CVSSv3.1 Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE:              CWE-295
Bug ID:           SPL-173641, SPL-129677
CSAF:             2022-06-14-svd-2022-0601
Security Content: Splunk protocol impersonation weak encryption simplerequest

Description

The httplib and urllib Python libraries that Splunk shipped with Splunk
Enterprise did not validate certificates using the certificate authority (CA)
certificate stores by default in Splunk Enterprise versions before 9.0 and
Splunk Cloud Platform versions before 8.2.2203.

Python 3 client libraries now verify server certificates by default and use
the appropriate CA certificate stores for each library. Apps and add-ons that
include their own HTTP libraries are not affected.

For Splunk Enterprise, upgrade to version 9.0 or higher and follow "Configure
TLS host name validation for Splunk Python modules" to enable the remediation.

At the time of publishing, we have no evidence of exploitation of this
vulnerability by external parties.

Solution

For Splunk Enterprise, upgrade to version 9.0 or higher and follow "Configure
TLS host name validation for Splunk Python modules".

For Splunk Cloud Platform customers, Splunk is actively patching and
monitoring Splunk Cloud instances.
Product Status

Product                 Affected Versions
Splunk Enterprise       Versions before 9.0
Splunk Cloud Platform   Versions before 8.2.2203

Acknowledgments

Chris Green at Splunk

- --------------------------------------------------------------------------------

Splunk Enterprise lacked TLS certificate validation for Splunk-to-Splunk
communication by default

Advisory ID:      SVD-2022-0602
CVE ID:           CVE-2022-32152
Published:        2022-06-14
Last Update:      2022-06-14
CVSSv3.1 Score:   8.1, High
CVSSv3.1 Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:              CWE-295
Bug ID:           SPL-114067, SPL-138957
CSAF:             2022-06-14-svd-2022-0602
Security Content: Splunk Digital Certificates Infrastructure Version,
                  Splunk Digital Certificates Lack of Encryption,
                  Splunk protocol impersonation weak encryption selfsigned,
                  Splunk Identified SSL TLS Certificates

Description

Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk
Cloud Platform versions before 8.2.2203 did not validate the TLS certificates
during Splunk-to-Splunk communications by default.

Splunk peer communications configured properly with valid certificates were
not vulnerable. However, an administrator could add a peer without a valid
certificate, and connections from misconfigured nodes without valid
certificates did not fail by default.

For Splunk Enterprise, update to Splunk Enterprise version 9.0 or higher and
follow "Configure TLS host validation for Splunk-to-Splunk communications" to
enable the remediation.

At the time of publishing, we have no evidence of exploitation of this
vulnerability by external parties.

Solution

For Splunk Enterprise, upgrade to version 9.0 or higher and follow "Configure
TLS validation for Splunk-to-Splunk communications".

For Splunk Cloud Platform customers, Splunk is actively patching and
monitoring Splunk Cloud instances.
Product Status

Product                 Affected Versions
Splunk Enterprise       Versions before 9.0
Splunk Cloud Platform   Versions before 8.2.2203

Acknowledgments

Chris Green at Splunk

- --------------------------------------------------------------------------------

Splunk Enterprise lacked TLS host name certificate validation

Advisory ID:      SVD-2022-0603
CVE ID:           CVE-2022-32153
Published:        2022-06-14
Last Update:      2022-06-14
CVSSv3.1 Score:   8.1, High
CVSSv3.1 Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:              CWE-297
Bug ID:           SPL-202894
CSAF:             2022-06-14-svd-2022-0603
Security Content: Splunk Digital Certificates Infrastructure Version,
                  Splunk Digital Certificates Lack of Encryption,
                  Splunk protocol impersonation weak encryption selfsigned,
                  Splunk Identified SSL TLS Certificates

Description

Communications between Splunk nodes and trusted hosts lacked TLS certificate
host name validation in Splunk Enterprise versions before 9.0 and Splunk Cloud
Platform versions before 8.2.2203.

The vulnerability requires compromising a valid certificate within the Splunk
certificate authority (CA) chain for the specific customer environment, or a
trusted machine's chain, prior to performing a machine-in-the-middle attack.

For Splunk Enterprise, update to Splunk Enterprise version 9.0 or higher and
follow "Configure TLS host name validation" to enable the remediation.

At the time of publishing, we have no evidence of exploitation of this
vulnerability by external parties.

Solution

For Splunk Enterprise, upgrade to version 9.0 or higher and follow "Configure
TLS host name validation".

For Splunk Cloud Platform customers, Splunk is actively patching and
monitoring Splunk Cloud instances.
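The three TLS advisories above (SVD-2022-0601, -0602, -0603) describe the same family of defect at different layers: a client that does not validate the peer certificate against a CA store, a peer that accepts any certificate, and a client that validates the chain but never checks that the certificate's name matches the host it dialled. The following Python is an added example written for this bulletin, not Splunk's code: it builds a client context with all three checks on, reproduces the weak pre-9.0 configurations for comparison, and audits any `ssl.SSLContext` for the three weaknesses so an app or add-on that ships its own HTTP code can be checked. The `fetch` helper and the finding codes are this example's own names.

```python
"""Added example (not Splunk's code): TLS client context hardening and audit.

The audit distinguishes the three weaknesses the advisories describe:
  NO_PEER_VALIDATION      - certificate chain never checked (CVE-2022-32151/32152)
  NO_HOSTNAME_VALIDATION  - chain checked, host name not (CVE-2022-32153)
  EMPTY_CA_STORE          - validation on, but no CA loaded, so every peer fails
"""
import ssl
import urllib.request


def hardened_client_context(cafile=None):
    """Verify the peer chain against a CA store and check the host name.

    cafile=None uses the platform default CA store (the behaviour 9.0 adopts);
    pass a path to pin trust to a private Splunk CA instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets these; restating them keeps a later
    # refactor from silently regressing the configuration.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_unverified_context():
    """Pre-9.0 style client: no chain validation, no host name check.

    Order matters: check_hostname must be turned off before verify_mode can be
    set to CERT_NONE, otherwise ssl raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context():
    """Chain is validated but the host name is not: the CVE-2022-32153 shape.

    Any certificate issued by a trusted CA is accepted for any host, so a
    compromised certificate from the same CA is enough to impersonate a peer.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return a list of finding codes; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("NO_PEER_VALIDATION")
    if not ctx.check_hostname:
        findings.append("NO_HOSTNAME_VALIDATION")
    if ctx.verify_mode != ssl.CERT_NONE and ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("EMPTY_CA_STORE")
    return findings


def fetch(url, cafile=None):
    """urllib request using the hardened context (hypothetical helper; needs network)."""
    ctx = hardened_client_context(cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_unverified_context()),
                      ("chain-only", chain_only_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name:10s} {audit_context(ctx) or 'OK'}")
```

`EMPTY_CA_STORE` is reported separately because it is the usual reason operators turn validation off: a context that requires a chain but has no CA to check it against rejects every peer, and the quick fix of `verify_mode = CERT_NONE` is exactly what the advisories remediate. Load the right CA (`cafile`) instead.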
Product Status

Product                 Affected Versions
Splunk Enterprise       Versions before 9.0
Splunk Cloud Platform   Versions before 8.2.2203

Acknowledgments

Chris Green at Splunk

- --------------------------------------------------------------------------------

Risky commands warnings in Splunk Enterprise dashboards

Advisory ID:      SVD-2022-0604
CVE ID:           CVE-2022-32154
Published:        2022-06-14
Last Update:      2022-06-14
CVSSv3.1 Score:   6.8, Medium
CVSSv3.1 Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE:              CWE-20
Bug ID:           SPL-201816
CSAF:             2022-06-14-svd-2022-0604
Security Content: Splunk Command and Scripting Interpreter Risky Commands,
                  Splunk Command and Scripting Interpreter Risky SPL MLTK,
                  Splunk Command and Scripting Interpreter Delete Usage

Description

Dashboards in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform
versions before 8.2.2106 might let an attacker inject risky search commands
into a form token when the token is used in a query in a cross-origin request.
The result bypasses SPL safeguards for risky commands (i.e., Search Injection).
See "New capabilities can limit access to some custom and potentially risky
commands" for more information.

Note that the attack is browser-based and an attacker cannot exploit it at
will.

The vulnerability affects instances with Splunk Web enabled. See "Disable
unnecessary Splunk Enterprise components" and the web.conf configuration file
for more information on disabling Splunk Web in forwarders.

At the time of publishing, we have no evidence of exploitation of this
vulnerability by external parties.

Solution

For Splunk Enterprise, upgrade to version 9.0 or higher.

For Splunk Cloud Platform versions below 8.2.2106, Splunk is actively patching
and monitoring the Splunk Cloud instances. To request an immediate upgrade,
create a new support case. Check "Determine which version of Splunk Enterprise
you're running" prior to submitting.
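The defect in SVD-2022-0604 is CWE-20: a form token value is spliced into a search as raw SPL text, so anything the token carries becomes search syntax. The defensive pattern is to treat token values as data, either by allowlisting the shape a value may take or by rendering it as a quoted SPL string so a pipe inside it stays inside the string. Simple XML dashboards provide the `$token|s$` filter for the quoting case; the Python below is an added example for this bulletin, not Splunk's code, showing both checks for any layer (a custom app, a REST client, a scheduled search builder) that assembles searches from user-supplied values. The regex, `render_search` and `$name$` placeholder convention are this example's own choices.

```python
"""Added example (not Splunk's code): keep dashboard/form token values as data
when they are substituted into an SPL search string."""
import re

# Allowlist for values used as bare identifiers (index, sourcetype, host name).
# Chosen for this example; tighten it to what your dashboards actually accept.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_.:-]{1,64}")

# $name$ placeholders, the convention this example uses for its templates.
PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def validate_token(value):
    """Reject any value that is not a plain identifier (no spaces, pipes, quotes)."""
    if not SAFE_TOKEN.fullmatch(value):
        raise ValueError(f"rejected token value: {value!r}")
    return value


def quote_spl_string(value):
    """Render a value as an SPL double-quoted string literal.

    Backslashes and double quotes are escaped, so a value cannot close the
    literal early; a '|' inside the quotes is part of the string, not a pipe
    to another command.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_search(template, tokens):
    """Substitute every $name$ in template with the quoted token value.

    Unknown placeholders are an error rather than being left in place, so a
    typo cannot produce a search with a literal '$name$' in it.
    """
    def substitute(match):
        name = match.group(1)
        if name not in tokens:
            raise KeyError(f"no value for token ${name}$")
        return quote_spl_string(tokens[name])
    return PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample values: one benign, one carrying search syntax.
    benign = "web01"
    hostile = 'web01" | somecommand'
    print(render_search("index=main host=$host$", {"host": benign}))
    print(render_search("index=main host=$host$", {"host": hostile}))
    print(validate_token(benign))
    try:
        validate_token(hostile)
    except ValueError as err:
        print("allowlist:", err)
```

Use `validate_token` where the value is meant to be an identifier and `render_search` where free text is legitimate; neither replaces the upgrade, which fixes the cross-origin path the advisory describes, but both stop a token from changing the structure of the search it lands in.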
Product Status

Product                 Affected Versions
Splunk Enterprise       Versions before 9.0
Splunk Cloud Platform   Versions before 8.2.2106

Acknowledgments

Chris Green at Splunk
Danylo Dmytriiev (DDV_UA)
Anton (therceman)

- --------------------------------------------------------------------------------

Universal Forwarder management services allow remote login by default

Advisory ID:      SVD-2022-0605
CVE ID:           CVE-2022-32155
Published:        2022-06-14
Last Update:      2022-06-14
CVSSv3.1 Score:   NA
CVSSv3.1 Vector:  NA
CSAF:             2022-06-14-svd-2022-0605
Bug ID:           SPL-140396

Description

In universal forwarder versions before 9.0, management services are available
remotely by default. When not required, it introduces a potential exposure,
but it is not a vulnerability. If exposed, we recommend each customer assess
the potential severity specific to your environment.

In 9.0, the universal forwarder now binds the management port to localhost,
preventing remote logins by default.

If management services are not required in versions before 9.0, set
disableDefaultPort = true in server.conf OR allowRemoteLogin = never in
server.conf OR mgmtHostPort = localhost in web.conf. See "Configure universal
forwarder management security" for more information on disabling the remote
management services.

The potential exposure does not affect Splunk Enterprise instances.

At the time of publishing, we have no evidence of exploitation of this
vulnerability by external parties.

Solution

Upgrade Universal Forwarder versions to 9.0 OR set disableDefaultPort = true in
server.conf OR allowRemoteLogin = never in server.conf OR
mgmtHostPort = localhost in web.conf.

Product Status

Product                 Affected Versions
Splunk Enterprise       Versions before 9.0
Splunk Cloud Platform   Versions before 8.2.2106

Acknowledgments

Chris Green at Splunk

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
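SVD-2022-0605 gives three independent settings, any one of which closes the forwarder's remote management exposure on versions before 9.0, and notes that 9.0 closes it by default. Across a large forwarder estate the practical question is which hosts still have none of them. The Python below is an added example written for this bulletin, not Splunk's tooling: it reads the text of a forwarder's server.conf and web.conf and reports whether the management port is still remotely reachable. The sample configs are constructed; the stanza placement ([httpServer] and [general] in server.conf, [settings] in web.conf) follows Splunk's conf layout but is this example's assumption, not something the advisory states, so confirm it against the "Configure universal forwarder management security" documentation before relying on it.

```python
"""Added example (not Splunk's code): audit a universal forwarder's
management-port exposure using the settings named in SVD-2022-0605."""
import configparser

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def _parse(text):
    """Splunk conf files are INI-style stanzas; keys are case-sensitive."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def _truthy(value):
    return value.strip().lower() in ("true", "1", "yes")


def _host_of(host_port):
    """'localhost', '127.0.0.1:8089' and '[::1]:8089' all yield the bare host."""
    host = host_port.rsplit(":", 1)[0] if ":" in host_port else host_port
    return host.strip("[]").strip().lower()


def management_port_exposed(server_conf, web_conf, version="8.2.0"):
    """Return (exposed, reason). Any single mitigation is enough."""
    if int(version.split(".")[0]) >= 9:
        return False, "version 9.0+ binds the management port to localhost"
    server = _parse(server_conf)
    web = _parse(web_conf)

    # Assumed stanzas: [httpServer] and [general] in server.conf.
    if _truthy(server.get("httpServer", "disableDefaultPort", fallback="false")):
        return False, "disableDefaultPort = true in server.conf"
    if server.get("general", "allowRemoteLogin", fallback="").strip().lower() == "never":
        return False, "allowRemoteLogin = never in server.conf"

    # Assumed stanza: [settings] in web.conf.
    host_port = web.get("settings", "mgmtHostPort", fallback="").strip()
    if host_port and _host_of(host_port) in LOOPBACK:
        return False, f"mgmtHostPort = {host_port} in web.conf"

    return True, "management services listen remotely by default; none of the three mitigations set"


# Constructed sample configs for a pre-9.0 forwarder.
DEFAULT_SERVER_CONF = "[general]\nserverName = uf-host-01\n"
DEFAULT_WEB_CONF = "[settings]\n"
HARDENED_SERVER_CONF = "[general]\nserverName = uf-host-01\nallowRemoteLogin = never\n"
HARDENED_WEB_CONF = "[settings]\nmgmtHostPort = 127.0.0.1:8089\n"

if __name__ == "__main__":
    for label, srv, web, ver in (
        ("default 8.2", DEFAULT_SERVER_CONF, DEFAULT_WEB_CONF, "8.2.0"),
        ("allowRemoteLogin", HARDENED_SERVER_CONF, DEFAULT_WEB_CONF, "8.2.0"),
        ("mgmtHostPort", DEFAULT_SERVER_CONF, HARDENED_WEB_CONF, "8.2.0"),
        ("upgraded", DEFAULT_SERVER_CONF, DEFAULT_WEB_CONF, "9.0.0"),
    ):
        exposed, reason = management_port_exposed(srv, web, ver)
        print(f"{label:17s} exposed={exposed!s:5s} {reason}")
```

Run it over the effective configuration (what `btool` reports after layering), not a single file in `etc/system/local`, since an app-level conf can override any of these keys.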
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST). On call after hours for member
emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYqqye8kNZI30y1K9AQggqxAAsdvTsj9bpaawFfoC5gkYD4lDvJ7LtEJQ
ZAx4X/laLIDWnySuuZtjIHUCJCHunD7uJIeQ0fXjStCSUqbEzANrW+hrLm5AuyUB
3/71krceBSwKK30YYMz3b7FN1lDjO86vs1FbVc4rVyWZ+VembYM6/wVqAUgf8kSX
FFvXHpKQ35Bt8OI6I1Bk1y3a/XsiQ/3ubYndui/qcJ9ON1F2xv1dPgQjM/FrRQt0
MUknHqIMCbLNgVBucEMOfWtRMXUxutingasx3tQwsJf3Hpk/tG+lBNwiOoPw+lhF
pzPFHn4Rw/tSknQA+JtR+N3umSHd55Y2ip8oMrbswxH7iiBh/U82ukhTMEUMvfY+
yG8ChBEKh7IaJ7dgofCJkrlLNdb6bqkxdzqw1AoaLkn1Y16NR2kSmPib47DLekh3
Nzhd/IITvV2OZi82IeLBKWilar3NGn6Uu/bcwlk5bjjst/HrGxK4FCWjCaS9Stia
ZovSFE8kVm0Jv0/c456UyRwQj8C9h+x2NEgMIKUSxIyEMaIAi1lyaqi2+hcEv0Vo
tuseWXOWp4dIfCh5XRY4V87mz4tau6nR+VYsKYfCYuzKohmhfu6XOxbpapcprpuT
kHUsuYh8HJmJWSysiSG8VwG1AxXGmUvcg2MgVJJDrwNXnunwpYSF6xZvMcVntfqx
6m0XaVZs2Ro=
=dwrj
-----END PGP SIGNATURE-----