Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2024.0424
SVD-2024-0106: Sensitive Information Disclosure of Index
Metrics through “mrollup†SPL Command
23 January 2024
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Splunk Enterprise
Publisher: Splunk
Operating System: Linux variants
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2024-23676
Original Bulletin:
https://advisory.splunk.com//advisories/SVD-2024-0106
Comment: CVSS (Max): 4.6 CVE-2024-23676 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
CVSS Source: Splunk Inc.
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Sensitive Information Disclosure of Index Metrics through "mrollup" SPL Command
Advisory ID: SVD-2024-0106
CVE ID: CVE-2024-23676
Published: 2024-01-22
Last Update: 2024-01-22
CVSSv3.1 Score: 4.6, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CWE: CWE-20
Bug ID: VULN-8711
Description
In Splunk versions below 9.0.8 and 9.1.3, the "mrollup" SPL command lets a
low-privileged user view metrics on an index that they do not have permission
to view. This vulnerability requires user interaction from a high-privileged
user to exploit. See Splunk Enterprise Metrics for information on Metrics.
Solution
Upgrade Splunk Enterprise to versions 9.0.8, 9.1.3, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product Version Component Affected Version Fix Version
Splunk Enterprise 9.0 Splunk Web 9.0.0 to 9.0.7 9.0.8
Splunk Enterprise 9.1 Splunk Web 9.1.0 to 9.1.2 9.1.3
Splunk Cloud - Splunk Web Versions below 9.1.2308.200 9.1.2308.200
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment,
disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise
components and the web.conf configuration specification file for more
information on disabling Splunk Web.
If users do not need access to metrics indexes, remove authorization to search
those indexes. See About configuring role-based user access for information on
how to configure role-based user access.
Detections
None
Severity
Splunk rates this vulnerability a 4.6, Medium, with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.
Acknowledgments
Anton (therceman)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZa8fxMkNZI30y1K9AQhlvhAAvYXItQUJCBXW7VCN/TfglghdB9/k4pTk
Ve8hky8qYq4WmN/0egt5Z8q8ZtkRd7kNlx9vxcyeqm+33agC5ueV72f+awn6Hqwi
w3lbFKR5VoB0DpxmgNmWJhJXDhiy5xoQOsRmLx8ntcYX1QujRVqydDrRlJW9VZLd
s6gVCiag2eRdezwMqHCZX2KWVl/kTeHtm5Ylwcn09VCeXKXZreZpPCJF3EP70DV8
uNNXkcm9dVeWOOiZk8Xzqr/++fTK8k1C6gL1AGMIq1Zj2HxvNQJOXgESA8XuORGr
ZcLDvFVp88Ufmb66aCVieMqZigBkzs/2iY1DruMxD9x4BIuFd6GT5MEq3G4Q/l4U
F8yxWObGKfyqhpQ7UcauGuPsmvqMEeIwoXOYKmTioZTaPB2ew3MaH5AVDOIY+Sxp
NlHMS8LxKv4Md8TIPCwHpcVtiOCXH/pHM9tiQyXgSOOC49oJX1zk1ZsGt7bxWlxQ
lXMbzmr/A19Jgjme0eYnNAXAG8J9PINms7tCkjQKQvH2kvHhdjeMAavog5eyiQJm
nC3P4Aw3gHWdRu3QIl87f/mqz3eigOep13MyjIUu0FS3/8ZWPVU7slJJvewDw0p7
RxbQwGHD99Mc14258QMW7o5Ru2SSu2B6yWXn6yvNkYvvlrpmBPU6Mq57mFTWBeCM
AO6Ii/oyXJA=
=Va6W
-----END PGP SIGNATURE-----