===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2963
        Splunk Enterprise and Splunk Cloud Platform security update
                               16 June 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Splunk Enterprise
                   Splunk Cloud Platform
Publisher:         Splunk
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-32155 CVE-2022-32154 CVE-2022-32153
                   CVE-2022-32152 CVE-2022-32151 

Original Bulletin: 
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0602.html
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0603.html
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.html
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0605.html

Comment: CVSS (Max):  8.1 CVE-2022-32153 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Splunk
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
         
         This bulletin contains five (5) Splunk security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Splunk Enterprise disabled TLS validation using the CA certificate stores in
Python 3 libraries by default

CVE ID:            CVE-2022-32151
Advisory ID:       SVD-2022-0601
Published:         2022-06-14
Last Update:       2022-06-14
CVSSv3.1 Score:    7.4, High
CVSSv3.1 Vector:   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE:               CWE-295
Bug ID:            SPL-173641, SPL-129677
CSAF:              2022-06-14-svd-2022-0601
Security Content:  Splunk protocol impersonation weak encryption simplerequest

Description

The httplib and urllib Python libraries that Splunk shipped with Splunk
Enterprise did not validate certificates using the certificate authority (CA)
certificate stores by default in Splunk Enterprise versions before 9.0 and
Splunk Cloud Platform versions before 8.2.2203. Python 3 client libraries now
verify server certificates by default and use the appropriate CA certificate
stores for each library. Apps and add-ons that include their own HTTP libraries
are not affected.

For Splunk Enterprise, upgrade to version 9.0 or higher and follow the Splunk
documentation topic "Configure TLS host name validation for Splunk Python
modules" to enable the remediation.

At the time of publishing, we have no evidence of exploitation of this
vulnerability by external parties.
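The failure class behind this advisory (CWE-295, and the related host name check, CWE-297) is easiest to see in the Python `ssl` module itself. The following is an added example, not code from Splunk or from the advisory: it shows a client context that skips certificate and host name verification beside the verifying default, and a check a deployment script can run on any context it is handed. The CA bundle path and the management host/port are caller-supplied assumptions.

```python
import ssl
import http.client

# Added example, not code from Splunk or the advisory. Shows the CWE-295 / CWE-297
# failure class behind SVD-2022-0601: a client whose SSLContext skips certificate
# chain and host name verification, beside the verifying default, plus a check
# that flags the weak configuration.

def legacy_unverified_context():
    """The weak pattern: accepts any certificate for any host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation against any CA store
    return ctx

def verified_context(cafile=None):
    """The hardened pattern: chain validated against a CA store, host name checked.

    cafile=None uses the platform CA store; pass the deployment's own CA bundle
    path instead when Splunk-issued certificates are in use (path is assumed).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def tls_findings(ctx):
    """Return the weaknesses in a context; an empty list means it verifies properly."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("CWE-295: server certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("CWE-297: certificate host name is not validated")
    return problems

def context_is_hardened(ctx):
    return not tls_findings(ctx)

def management_connection(host, port, cafile=None):
    """HTTPS connection object for a management endpoint, built on the verifying
    context. host and port are caller-supplied; nothing connects until a request."""
    return http.client.HTTPSConnection(host, port, context=verified_context(cafile))
```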

 

Solution

For Splunk Enterprise, upgrade to version 9.0 or higher and follow "Configure TLS
host name validation for Splunk Python modules".

For Splunk Cloud Platform customers, Splunk is actively patching and monitoring
Splunk Cloud instances.

 

Product Status

Product                  Affected Versions
Splunk Enterprise        Versions before 9.0
Splunk Cloud Platform    Versions before 8.2.2203

 

Acknowledgments

Chris Green at Splunk


--------------------------------------------------------------------------------


Splunk Enterprise lacked TLS certificate validation for Splunk-to-Splunk
communication by default

CVE ID:            CVE-2022-32152
Advisory ID:       SVD-2022-0602
Published:         2022-06-14
Last Update:       2022-06-14
CVSSv3.1 Score:    8.1, High
CVSSv3.1 Vector:   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:               CWE-295
Bug ID:            SPL-114067, SPL-138957
CSAF:              2022-06-14-svd-2022-0602
Security Content:  Splunk Digital Certificates Infrastructure Version,
                   Splunk Digital Certificates Lack of Encryption,
                   Splunk protocol impersonation weak encryption selfsigned,
                   Splunk Identified SSL TLS Certificates

Description

Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk
Cloud Platform versions before 8.2.2203 did not validate the TLS certificates
during Splunk-to-Splunk communications by default. Splunk peer communications
configured properly with valid certificates were not vulnerable. However, an
administrator could add a peer without a valid certificate and connections from
misconfigured nodes without valid certificates did not fail by default.

For Splunk Enterprise, update to Splunk Enterprise version 9.0 or higher and
follow "Configure TLS host validation for Splunk-to-Splunk communications" to
enable the remediation.

At the time of publishing, we have no evidence of exploitation of this
vulnerability by external parties. 

 

Solution

For Splunk Enterprise, upgrade to version 9.0 or higher and follow "Configure TLS
validation for Splunk-to-Splunk communications".

For Splunk Cloud Platform customers, Splunk is actively patching and monitoring
Splunk Cloud instances.

 

Product Status

Product                  Affected Versions
Splunk Enterprise        Versions before 9.0
Splunk Cloud Platform    Versions before 8.2.2203

 

Acknowledgments

Chris Green at Splunk


--------------------------------------------------------------------------------


Splunk Enterprise lacked TLS host name certificate validation

CVE ID:            CVE-2022-32153
Advisory ID:       SVD-2022-0603
Published:         2022-06-14
Last Update:       2022-06-14
CVSSv3.1 Score:    8.1, High
CVSSv3.1 Vector:   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:               CWE-297
Bug ID:            SPL-202894
CSAF:              2022-06-14-svd-2022-0603
Security Content:  Splunk Digital Certificates Infrastructure Version,
                   Splunk Digital Certificates Lack of Encryption,
                   Splunk protocol impersonation weak encryption selfsigned,
                   Splunk Identified SSL TLS Certificates

Description

Communications between Splunk nodes and trusted hosts lacked TLS certificate
host name validation in Splunk Enterprise versions before 9.0 and Splunk Cloud
Platform versions before 8.2.2203. The vulnerability requires compromising a
valid certificate within the Splunk certificate authority (CA) chain for the
specific customer environment or a trusted machine's chain prior to performing
a machine-in-the-middle attack.

For Splunk Enterprise, update to Splunk Enterprise version 9.0 or higher and
follow "Configure TLS host name validation" to enable the remediation.

At the time of publishing, we have no evidence of exploitation of this
vulnerability by external parties.

 

Solution

For Splunk Enterprise, upgrade to version 9.0 or higher and follow "Configure TLS
host name validation".

For Splunk Cloud Platform customers, Splunk is actively patching and monitoring
Splunk Cloud instances.

 

Product Status

Product                  Affected Versions
Splunk Enterprise        Versions before 9.0
Splunk Cloud Platform    Versions before 8.2.2203

 

Acknowledgments

Chris Green at Splunk


--------------------------------------------------------------------------------


Risky commands warnings in Splunk Enterprise dashboards

CVE ID:            CVE-2022-32154
Advisory ID:       SVD-2022-0604
Published:         2022-06-14
Last Update:       2022-06-14
CVSSv3.1 Score:    6.8, Medium
CVSSv3.1 Vector:   CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE:               CWE-20
Bug ID:            SPL-201816
CSAF:              2022-06-14-svd-2022-0604
Security Content:  Splunk Command and Scripting Interpreter Risky Commands,
                   Splunk Command and Scripting Interpreter Risky SPL MLTK,
                   Splunk Command and Scripting Interpreter Delete Usage

Description

Dashboards in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform
versions before 8.2.2106 might let an attacker inject risky search commands
into a form token when the token is used in a query in a cross-origin request.
The result bypasses SPL safeguards for risky commands (i.e., Search Injection).
See "New capabilities can limit access to some custom and potentially risky
commands" for more information. Note that the attack is browser-based and an
attacker cannot exploit it at will.

The vulnerability affects instances with Splunk Web enabled. See "Disable
unnecessary Splunk Enterprise components" and the web.conf configuration file
reference for more information on disabling Splunk Web on forwarders.

At the time of publishing, we have no evidence of exploitation of this
vulnerability by external parties.

 

Solution

For Splunk Enterprise, upgrade to version 9.0 or higher.

For Splunk Cloud Platform versions below 8.2.2106, Splunk is actively patching
and monitoring the Splunk Cloud instances. To request an immediate upgrade,
create a new support case. Check "Determine which version of Splunk Enterprise
you're running" prior to submitting.

 

Product Status

Product                  Affected Versions
Splunk Enterprise        Versions before 9.0
Splunk Cloud Platform    Versions before 8.2.2106

 

Acknowledgments

Chris Green at Splunk

Danylo Dmytriiev (DDV_UA)

Anton (therceman)


--------------------------------------------------------------------------------


Universal Forwarder management services allow remote login by default

CVE ID:            CVE-2022-32155
Advisory ID:       SVD-2022-0605
Published:         2022-06-14
Last Update:       2022-06-14
CVSSv3.1 Score:    NA
CVSSv3.1 Vector:   NA
Bug ID:            SPL-140396
CSAF:              2022-06-14-svd-2022-0605

Description

In universal forwarder versions before 9.0, management services are available
remotely by default. When these services are not required, this is a potential
exposure, but it is not a vulnerability. If they are exposed, we recommend that
each customer assess the potential severity for their own environment.

In 9.0, the universal forwarder binds the management port to localhost, which
prevents remote logins by default. If management services are not required in
versions before 9.0, set disableDefaultPort = true in server.conf, OR set
allowRemoteLogin = never in server.conf, OR set mgmtHostPort = localhost in
web.conf. See "Configure universal forwarder management security" for more
information on disabling the remote management services.

The potential exposure does not affect Splunk Enterprise instances. At the time
of publishing, we have no evidence of exploitation of this vulnerability by
external parties.

 

Solution

Upgrade Universal Forwarder versions to 9.0 OR set disableDefaultPort = true in
server.conf OR allowRemoteLogin = never in server.conf OR mgmtHostPort =
localhost in web.conf.
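The three settings above can be verified from the forwarder's configuration files. The following is an added example, not Splunk's code: it parses server.conf and web.conf text and reports which of the advisory's mitigations are in place. The stanza names are assumptions, since the advisory gives only the keys: allowRemoteLogin under [general] and disableDefaultPort under [httpServer] in server.conf, and mgmtHostPort under [settings] in web.conf; the sample configs are constructed.

```python
import configparser

# Added example, not Splunk's code. Checks whether a universal forwarder's
# management services are still reachable remotely, using the three settings
# SVD-2022-0605 lists. Stanza names are assumptions (the advisory does not
# give them): [general] allowRemoteLogin and [httpServer] disableDefaultPort
# in server.conf, [settings] mgmtHostPort in web.conf.

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")

def _load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str      # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp

def _setting(cp, stanza, key):
    # Missing stanza or key yields "", i.e. the setting is not applied.
    return cp.get(stanza, key, fallback="").strip()

def _is_true(value):
    return value.lower() in ("true", "1", "yes", "on")

def _bind_host(host_port):
    """Host part of mgmtHostPort; handles 'host:port' and '[v6addr]:port'."""
    if host_port.startswith("["):
        return host_port[1:host_port.find("]")]
    return host_port.rsplit(":", 1)[0] if ":" in host_port else host_port

def mitigations_present(server_conf, web_conf):
    """Return which of the advisory's three mitigations the configs apply."""
    server, web = _load(server_conf), _load(web_conf)
    found = []
    if _is_true(_setting(server, "httpServer", "disableDefaultPort")):
        found.append("disableDefaultPort")
    if _setting(server, "general", "allowRemoteLogin").lower() == "never":
        found.append("allowRemoteLogin=never")
    if _bind_host(_setting(web, "settings", "mgmtHostPort")) in LOCAL_HOSTS:
        found.append("mgmtHostPort=localhost")
    return found

def mgmt_remotely_exposed(server_conf, web_conf):
    """True when none of the mitigations is in place (the pre-9.0 default state)."""
    return not mitigations_present(server_conf, web_conf)

# Constructed sample configs, not captured from a real forwarder.
DEFAULT_SERVER_CONF = "[general]\nserverName = uf-01\n"
DEFAULT_WEB_CONF = "[settings]\n"
HARDENED_SERVER_CONF = DEFAULT_SERVER_CONF + "allowRemoteLogin = never\n"
```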

 

Product Status

Product                  Affected Versions
Splunk Enterprise        Versions before 9.0
Splunk Cloud Platform    Versions before 8.2.2106

 

Acknowledgments

Chris Green at Splunk

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================