Operating System:

[WIN][UNIX/Linux]

Published:

10 January 2024

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2024.0150 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0150
   SVD-2024-0102: Denial of Service in Splunk Enterprise Security of the
           Investigations manager through Investigation creation
                              10 January 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Splunk Enterprise Security
Publisher:         Splunk
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-22165  

Original Bulletin: 
   https://advisory.splunk.com//advisories/SVD-2024-0102

Comment: CVSS (Max):  6.5 CVE-2024-22165 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Splunk Inc.
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Denial of Service in Splunk Enterprise Security of the Investigations manager
through Investigation creation

Advisory ID: SVD-2024-0102

CVE ID: CVE-2024-22165

Published: 2024-01-09

Last Update: 2024-01-09

CVSSv3.1 Score: 6.5, Medium

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-20

Bug ID: SOLNESS-35977

Description

In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can
create a malformed Investigation to perform a denial of service (DoS). The
malformed investigation prevents the generation and rendering of the
Investigations manager until it is deleted.
The vulnerability requires an authenticated session and access to create an
Investigation. It only affects the availability of the Investigations manager,
but without the manager, the Investigations functionality becomes unusable for
most users.

Solution

Upgrade Splunk Enterprise Security (ES) to version 7.1.2, 7.2.0, 7.3.0 or
higher.

Product Status

            Product             Version Component Affected Version Fix Version
Splunk Enterprise Security (ES) 7.3     -         -                7.3.0
Splunk Enterprise Security (ES) 7.2     -         -                7.2.0
Splunk Enterprise Security (ES) 7.1     -         Below 7.1.2      7.1.2

Mitigations and Workarounds

N/A

Detections

None

Severity

Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Acknowledgments

Eric LaMothe, Splunk

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZZ3vH8kNZI30y1K9AQjSDw//dVmAtFRKuMFURhfWzXZyn5c9Gbdpzf2Q
qm16tf1m+wZEnJEPU4Z7fhXpI6aXYvFoSe/zjVKxT/aF5pgEzmb7JoIEsXFjuZxv
QVjlYpz2dNyolVLM30J9rIjH8c+hc7N5JyVdnSYJ48BeeSlHrhApIqIZYgGqnu8M
f5N39HTo71BcNbxD9PMxZS8XFnTKj8q1737sou3MBrpkQYuEC9/Pivi+oLFZHzLn
n8UIQwSbUke7kWSR6/JMjpeEyDF51c6GywlFxOW8OdpRrlvkSoFUEPPRTv+8ZIV8
4SkBIs/fKSSu0DAuJ/V0fFsgrDvuPWG3Km/7CgyHQ71Yz5/1wSjvUyEwluy8ZiMN
a3CkIkS7Wh1re+36HqMPCkn/oMc7CMas611+zbqQEfM7ckMO8Jm5wc4bYp5UT2jZ
6ddV5vX/TPS0QcW8hFaxZNuXDuo+R7JUolyC6nKn64W4W0HFnp7QOQHx/DZipFjn
zgo/2alnCXkRYTPnmOcX/BLZe0RHdz40/LUzebRzjVXAkhZ+FVlktVlRgQSA43Tj
4htqxy3OMvA2gO6cGIm69bLYne1fEzRUmBTVS4JSlsR6B8WDfkSvMoFFHQDqNvNE
pVn/+7/MYdilH9lNyD8lnZ9227i8kI3cKBFCh1EYFIZozL5QLC8eeyc1V10/E/EQ
QDCDY8Fmvy8=
=QGWA
-----END PGP SIGNATURE-----