Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.3140
SVD-2023-0606: Unauthenticated Log Injection on
'/var/log/splunk/web_service.log' Log File
2 June 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Splunk Enterprise
Publisher: Splunk
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Resolution: Patch/Upgrade
CVE Names: CVE-2023-32712
Original Bulletin:
https://advisory.splunk.com//advisories/SVD-2023-0606
Comment: CVSS (Max): 3.4 CVE-2023-32712 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVSS Source: Splunk
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Unauthenticated Log Injection on '/var/log/splunk/web_service.log' Log File
Advisory ID: SVD-2023-0606
CVE ID: CVE-2023-32712
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 3.4, Low
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N
CWE: CWE-117
Bug ID: SPL-235259
Description
An attacker can use a specially crafted web URL in their browser to cause log
file injection, in which the attack inserts American National Standards
Institute (ANSI) escape codes into specific files using a terminal program that
supports those escape codes. The attack requires a terminal program that
supports the translation of ANSI escape codes and requires additional user
interaction to successfully execute.
Solution
For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.
This vulnerability does not affect Splunk Cloud Platform instances.
Product Status
Product Version Component Affected Version Fix Version
Splunk Enterprise 8.1 Splunk Web 8.1.0 to 8.1.13 8.1.14
Splunk Enterprise 8.2 Splunk Web 8.2.0 to 8.2.10 8.2.11
Splunk Enterprise 9.0 Splunk Web 9.0.0 to 9.0.4 9.0.5
Mitigations and Workarounds
Do not use a terminal program that can send ANSI escape codes to access a
Splunk Enterprise instance.
Detections
None
Severity
Splunk rated the vulnerability as Low, 3.4, with a CVSSv3.1 vector of CVSS:3.1/
AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N.
Acknowledgments
STOK / Fredrik Alexandersson
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIUAwUBZHmFpMkNZI30y1K9AQgyYg/47YNjtddl5qeLiQ6rhjTUs8XDIzDYycw1
VFB8wNG/VEd28gENCOjFB1EnswrDKsM2jQefxu6UFcR16anvVssuysyFiWdopws/
Q/jhjbVVY8Y2wmnYeG51bZconnLMUhbCDjLdLNYbfbBZsDQhKjjSafnX0j08WOk0
W3+AOO0Sbk3zezbHUMhKSoZMxui/R6T+6Iv7K+EsbIaay1fNg4aiXajDlQjp+P0G
T9jy2AXorl9zJoWM4lsvB6GocZ9bmM9Cv93pnflF3lY2Pb0Sh70BwQxaWRDImSMK
HAwwv5fM4l3U2Ydx9s+4d4e4LieLlbn5rCXt/ebpH7bvxzm6+SciOK+BK35d+MTX
caU2YKX/GBuz8X+c39+8E5jwk7qoH1ehQWDp6X7CVZFIek5j3ltsfL0VsdLfyNd1
Ak5+iIva6ORjp+hJuu+kXgH5BM2Ef86FY0/xDIMeqm6xDxbGohVJRQv7Uz/tXcXN
IEutoKm4kjwVPOZRoOAsbDCjjsQ3v6lqJ/wthL3Z6tQEXMu5v1G0WVHfNP/cdEA2
CfoMKfea8llio9+5yZQRIOFIJuLFAgMGlnyuUxW5TKTKn6sBwXT9nsB2WTD/e6a0
/9usovgVRqwQ6UE25y5TqG/49f7DF5+84TquXXNUs2t2uLUHCLMxSug5VBiDLjdt
7RdTmYAXLA==
=xM9a
-----END PGP SIGNATURE-----