===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0044
         Splunk Enterprise and Splunk Light version 6.2.3 correct
                         multiple vulnerabilities
                                5 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Splunk Enterprise
                      Splunk Light
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Access Privileged Data         -- Remote/Unauthenticated      
                      Denial of Service              -- Remote/Unauthenticated      
                      Cross-site Scripting           -- Remote with User Interaction
                      Provide Misleading Information -- Remote/Unauthenticated      
                      Reduced Security               -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-1787 CVE-2015-0293 CVE-2015-0292
                      CVE-2015-0291 CVE-2015-0290 CVE-2015-0289
                      CVE-2015-0288 CVE-2015-0287 CVE-2015-0286
                      CVE-2015-0285 CVE-2015-0209 CVE-2015-0208
                      CVE-2015-0204  
Member content until: Thursday, June  4 2015
Reference:            ASB-2015.0035
                      ASB-2015.0031
                      ASB-2015.0027
                      ESB-2015.1200
                      ESB-2015.1189
                      ESB-2015.1139

OVERVIEW

        A number of vulnerabilities have been identified in Splunk 
        Enterprise and Splunk Light prior to version 6.2.3. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        "Multiple vulnerabilities in OpenSSL before 1.0.1m (SPL-98531)
        
        Description: Splunk Enterprise 6.2.x before 6.2.3 and Splunk Light 
        6.2.x before 6.2.3 are affected by multiple OpenSSL vulnerabilities
        resolved by OpenSSL 1.0.1m. The most severe of these issues could 
        result in a crash during TLS connections". [1]
        
        The above OpenSSL vulnerabilities have been detailed as follows:
        
        "CVE-2015-0291: If a client connects to an OpenSSL 1.0.2 server and
        renegotiates with an invalid signature algorithms extension a NULL 
        pointer dereference will occur. This can be exploited in a DoS 
        attack against the server.
        
        CVE-2015-0204: This security issue was previously announced by the 
        OpenSSL project and classified as "low" severity. This severity 
        rating has now been changed to "high".
        
        CVE-2015-0290: OpenSSL 1.0.2 introduced the "multiblock" performance
        improvement. This feature only applies on 64 bit x86 architecture 
        platforms that support AES NI instructions. A defect in the 
        implementation of "multiblock" can cause OpenSSL's internal write 
        buffer to become incorrectly set to NULL when using non-blocking IO.
        Typically, when the user application is using a socket BIO for 
        writing, this will only result in a failed connection. However if 
        some other BIO is used thenit is likely that a segmentation fault 
        will be triggered, thus enabling apotential DoS attack.
        
        CVE-2015-0286: The function ASN1_TYPE_cmp will crash with an invalid
        read if an attempt is made to compare ASN.1 boolean types. Since 
        ASN1_TYPE_cmp is used to check certificate signature algorithm 
        consistency this can be used to crash any certificate verification 
        operation and exploited in a DoS attack. Any application which 
        performs certificate verification is vulnerable including OpenSSL 
        clients and servers which enable client authentication.
        
        CVE-2015-0208: The signature verification routines will crash with a
        NULL pointer dereference if presented with an ASN.1 signature using
        the RSA PSS algorithm and invalid parameters. Since these routines 
        are used to verify certificate signature algorithms this can be used
        to crash any certificate verification operation and exploited in a 
        DoS attack. Any application which performs certificate verification
        is vulnerable including OpenSSL clients and servers which enable 
        client authentication.
        
        CVE-2015-0287: Reusing a structure in ASN.1 parsing may allow an 
        attacker to cause memory corruption via an invalid write. Such reuse
        is and has been strongly discouraged and is believed to be rare.
        
        CVE-2015-0289: The PKCS#7 parsing code does not handle missing outer
        ContentInfo correctly. An attacker can craft malformed ASN.1-encoded
        PKCS#7 blobs with missing content and trigger a NULL pointer 
        dereference on parsing.
        
        CVE-2015-0292: A vulnerability existed in previous versions of 
        OpenSSL related to the processing of base64 encoded data. Any code 
        path that reads base64 data from an untrusted source could be 
        affected (such as the PEM processing routines). Maliciously crafted
        base64 data could trigger a segmentation fault or memory corruption.
        This was addressed in previous versions of OpenSSL but has not been
        included in any security advisory until now.
        
        CVE-2015-0293: A malicious client can trigger an OPENSSL_assert 
        (i.e., an abort) in servers that both support SSLv2 and enable 
        export cipher suites by sending a specially crafted SSLv2 
        CLIENT-MASTER-KEY message.
        
        CVE-2015-1787: If client auth is used then a server can seg fault in
        the event of a DHE ciphersuite being selected and a zero length 
        ClientKeyExchange message being sent by the client. This could be 
        exploited in a DoS attack.
        
        CVE-2015-0285: Under certain conditions an OpenSSL 1.0.2 client can
        complete a handshake with an unseeded PRNG. If the handshake 
        succeeds then the client random that has been used will have been 
        generated from a PRNG with insufficient entropy and therefore the 
        output may be predictable.
        
        CVE-2015-0209: A malformed EC private key file consumed via the 
        d2i_ECPrivateKey function could cause a use after free condition. 
        This, in turn, could cause a double free in several private key 
        parsing functions (such as d2i_PrivateKey or EVP_PKCS82PKEY) and 
        could lead to a DoS attack or memory corruption for applications 
        that receive EC private keys from untrusted sources. This scenario 
        is considered rare.
        
        CVE-2015-0288: The function X509_to_X509_REQ will crash with a NULL
        pointer dereference if the certificate key is invalid. This function
        is rarely used in practice". [2]
        
        "Secure flag inconsistently set for session cookies with 
        appServerPorts!=0 (SPL-95798)
        
        Description: When using Splunk Web with SSL enabled, the secure flag
        is not consistently set for all URL paths. This vulnerability 
        affects versions of Splunk Enterprise 6.2.x before 6.2.3 and Splunk
        Light before 6.2.3. This vulnerability could lead to leaking session
        cookies over HTTP when a user visits specific URLs.
        
        Cross-site scripting in Search (SPL-95798)
        
        Description: The Splunk Enterprise 6.2.x search functionality 
        contains a cross-site scripting vulnerability. This can be triggered
        by user-interaction or via malicious search data. This vulnerability
        affects versions of Splunk Enterprise 6.2.x before 6.2.3 and Splunk
        Light before 6.2.3. This vulnerability could lead to leaking session
        cookies over HTTP when a user visits a series of attacker controlled
        URLs.
        
        Cross-site scripting in management and configuration (SPL-93516)
        
        Description: Splunk Enterprise 6.2.x before 6.2.3, 6.1.x before 
        6.1.7, 6.0.x before 6.0.8, and 5.0.x before 5.0.12 and Splunk Light
        before 6.2.3 contain a reflected cross-site scripting vulnerability
        in the management and configuration pages. This could allow an 
        attacker to perform actions in the user context via a crafted URL".
        [1]
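        The Secure-flag inconsistency described above (SPL-95798) can be
        audited from the defender's side by collecting the Set-Cookie headers
        a web tier returns over HTTPS for several URL paths and flagging any
        session cookie issued without the Secure attribute. The following is
        an added example, not AusCERT's or Splunk's code; the cookie names and
        the per-path responses are constructed for illustration.

```python
"""Audit Set-Cookie headers from several URL paths for a missing Secure flag.

Added example, not part of the AusCERT bulletin or Splunk's own code. The cookie
names 'splunkd_8000' and 'session_id_8000' are assumptions standing in for a
Splunk Web session cookie; the responses below are constructed for illustration.
"""
from http.cookies import SimpleCookie

# Constructed sample: path -> Set-Cookie header values returned over HTTPS.
# A consistent deployment would set Secure on every path; two do not here.
SAMPLE_RESPONSES = {
    "/en-US/account/login": ["splunkd_8000=abc123; Path=/; HttpOnly; Secure"],
    "/en-US/app/search": ["splunkd_8000=abc123; Path=/; HttpOnly"],  # Secure missing
    "/en-US/manager/system": [
        "splunkd_8000=abc123; Path=/; Secure; HttpOnly",
        "session_id_8000=deadbeef; Path=/",  # Secure missing
    ],
    "/en-US/static/app.js": [],  # static asset, sets no cookie
}


def insecure_cookies(set_cookie_headers):
    """Return the names of cookies, in header order, that lack the Secure attribute.

    Each Set-Cookie header is parsed separately; http.cookies records the
    Secure flag as a truthy Morsel attribute when present and "" when absent.
    """
    missing = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                missing.append(name)
    return missing


def audit(responses):
    """Map each URL path to the cookies it sets without Secure; clean paths are omitted.

    A non-empty result means the session cookie can be replayed by the browser
    over plain HTTP for that path, which is the leak the bulletin describes.
    """
    findings = {}
    for path, headers in responses.items():
        names = insecure_cookies(headers)
        if names:
            findings[path] = names
    return findings


if __name__ == "__main__":
    for path, names in audit(SAMPLE_RESPONSES).items():
        print(f"{path}: Secure flag missing on {', '.join(names)}")
```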


MITIGATION

        It is recommended that users update to the latest versions of Splunk
        Enterprise and Splunk Light to correct these issues. [1]


REFERENCES

        [1] Splunk Enterprise 6.2.3 and Splunk Light 6.2.3 address five
            vulnerabilities
            http://www.splunk.com/view/SP-CAAANZ7

        [2] OpenSSL Security Advisory [19 Mar 2015]
            https://openssl.org/news/secadv_20150319.txt

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================