===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5617
 Persistent Cross-Site Scripting in "Save Table" Dialog in Splunk Enterprise
                              7 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Splunk Enterprise
Publisher:         Splunk
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-32206

Original Bulletin:
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-1101.html

Comment: CVSS (Max):  6.4 CVE-2022-43561 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Persistent Cross-Site Scripting in "Save Table" Dialog in Splunk Enterprise

Advisory ID:      SVD-2022-1101
CVE ID:           CVE-2022-43561
Published:        2022-11-02
Last Update:      2022-11-02
CVSSv3.1 Score:   6.4, Medium
CVSSv3.1 Vector:  CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE:              CWE-79
Bug ID:           SPL-207040

Description

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user
that holds the "power" Splunk role can store arbitrary scripts that can lead
to persistent cross-site scripting (XSS). The vulnerability affects instances
with Splunk Web enabled.

Solution

For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.

For Splunk Cloud Platform versions below 9.0.2208, Splunk is actively patching
and monitoring the Splunk Cloud instances. To request an immediate upgrade,
determine which version of Splunk Cloud Platform you're running, then create
a new support case.

Product Status

Product                Version  Component   Affected Version    Fixed Version
Splunk Enterprise      8.1      Splunk Web  8.1.11 and lower    8.1.12
Splunk Enterprise      8.2      Splunk Web  8.2.0 to 8.2.8      8.2.9
Splunk Enterprise      9.0      Splunk Web  9.0.0 to 9.0.1      9.0.2
Splunk Cloud Platform  -        Splunk Web  9.0.2205 and lower  9.0.2208

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed environment,
disable Splunk Web on those indexers. See "Disable unnecessary Splunk
Enterprise components" and the web.conf configuration specification file for
more information on disabling Splunk Web.

Detections

  o Splunk XSS in "Save Table" dialog header in search/table page

This is a detection search to find persistent XSS that was included while
inputting data in the 'Save Table' dialog in the affected versions of Splunk
Enterprise.

Severity

Splunk rated the vulnerability as Medium. The vulnerability lets a remote
authenticated user with the power role store arbitrary scripts, but
exploitation requires a multistep process by the victim. Hence, Splunk scored
the vulnerability as 6.4 with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H.

If the Splunk Enterprise instance does not run Splunk Web, there is no impact
and the severity is Informational.

Acknowledgments

Mr Hack (try_to_hack)

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
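
A triage sketch for the Product Status table and the Splunk Web mitigation in the advisory above, added here as an example and not part of the Splunk or AusCERT text. The host names and inventory rows are constructed, the input is assumed to be each host's effective web.conf text, and releases older than 8.1 are assumed to fall under "8.1.11 and lower".

```python
import re

# Fixed releases per branch, taken from the advisory's Product Status table.
FIXED = {(8, 1): (8, 1, 12), (8, 2): (8, 2, 9), (9, 0): (9, 0, 2)}

def parse_version(text):
    """'8.2.7' -> (8, 2, 7); a missing component counts as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    v = parse_version(version)
    if v < FIXED[(8, 1)]:      # "8.1.11 and lower" (assumed to include pre-8.1)
        return True
    fixed = FIXED.get(v[:2])   # branches newer than 9.0 have no entry
    return fixed is not None and v < fixed

def splunk_web_enabled(web_conf):
    """Read startwebserver from the [settings] stanza; Splunk Web is on by default."""
    stanza, enabled = None, True
    for raw in web_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            stanza = m.group(1)
        elif stanza == "settings" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "startwebserver":
                enabled = value != "0"   # anything but an explicit 0 counts as on
    return enabled

def triage(host, version, web_conf):
    """Map a host to the advisory's severity wording."""
    if not is_affected(version):
        return (host, "not affected")
    if not splunk_web_enabled(web_conf):
        return (host, "Informational: affected version, Splunk Web disabled")
    return (host, "Medium: upgrade or disable Splunk Web")

# Constructed inventory: (host, version, effective web.conf text).
INVENTORY = [
    ("idx01", "8.2.7", "[settings]\nstartwebserver = 0\n"),
    ("sh01", "9.0.1", "[settings]\nhttpport = 8000\n"),
    ("sh02", "9.0.2", ""),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(*triage(*row), sep=": ")
```

A host reported as Informational still runs an affected release and returns to Medium if Splunk Web is re-enabled before the upgrade.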