-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4077
  Ingest Actions UI in Splunk Enterprise 9.0.0 disabled TLS certificate validation
                               17 August 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Splunk Enterprise
Publisher:         Splunk
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-37437

Original Bulletin:
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0801.html

Comment: CVSS (Max):  7.4 CVE-2022-37437 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
         CVSS Source: Splunk
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Splunk / Product Security / SVD-2022-0801

Ingest Actions UI in Splunk Enterprise 9.0.0 disabled TLS certificate validation

Advisory ID:     SVD-2022-0801
Published:       2022-08-16
Last Update:     2022-08-16
CVE ID:          CVE-2022-37437
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSSv3.1 Score:  7.4, High
Bug ID:          SPL-224209
CWE:             CWE-295

Description

When using Ingest Actions to configure a destination that resides on Amazon
Simple Storage Service (S3) in Splunk Web, TLS certificate validation is not
correctly performed and tested for the destination.

The vulnerability only affects connections between Splunk Enterprise and an
Ingest Actions Destination through Splunk Web and only applies to
environments that have configured TLS certificate validation. It does not
apply to Destinations configured directly in the outputs.conf configuration
file.

The vulnerability affects Splunk Enterprise version 9.0.0 and does not affect
versions below 9.0.0, including the 8.1.x and 8.2.x versions.
Solution

For Splunk Enterprise customers that use Ingest Actions, in particular to
create or test new destinations, and have configured TLS certificate
validation, upgrade Splunk Enterprise 9.0.0 to 9.0.1 or higher.

Product Status

Product            Version  Component       Affected Version  Fixed Version
Splunk Enterprise  8.1      -               Not affected      -
Splunk Enterprise  8.2      -               Not affected      -
Splunk Enterprise  9.0      Ingest Actions  9.0.0             9.0.1

Mitigations and Workarounds

In 9.0.0, you can enable TLS certificate validation for previously created
destinations by adding the following to the "[rfs:s3]" destination stanza in
outputs.conf:

    [rfs:s3]
    # existing settings
    remote.s3.sslVerifyServerCert=true
    remote.s3.sslVerifyServerName=true
    remote.s3.sslRootCaPath=<path to SSL CA cert chain>

This mirrors what was configured for enabling TLS certificate validation, but
in the outputs.conf/[rfs:s3] stanza as opposed to server.conf/[sslConfig].
Restart Splunk Enterprise after making these changes.

Severity

If the environment has not configured a Destination in the Ingest Actions
component via the user interface, there is no impact, and the vulnerability
is Informational.

If the environment has not configured TLS certificate validation, there is no
impact and the vulnerability is Informational.

If the environment has configured both, Splunk rates the severity as High,
7.4 with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N.

Acknowledgments

Eric LaMothe at Splunk
Ali Mirheidari at Splunk

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
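The workaround above only helps if every S3 destination stanza in outputs.conf actually carries the three settings, and a destination created from Splunk Web on 9.0.0 may have none of them. The following script is an added example, not Splunk's or AusCERT's code: it parses an outputs.conf in Splunk's INI-style layout and reports each destination stanza that is missing remote.s3.sslVerifyServerCert, remote.s3.sslVerifyServerName, or a real remote.s3.sslRootCaPath (the advisory's literal "<path to SSL CA cert chain>" placeholder counts as unset). It assumes, generalising the advisory's [rfs:s3] example, that every Ingest Actions destination stanza is named rfs:<something>, and that Splunk accepts "true" or "1" as a true boolean. The sample configuration is constructed for the demonstration.

```python
"""Audit Splunk outputs.conf for the TLS validation settings named in
SVD-2022-0801. Added example; not code from Splunk or AusCERT."""
import re

# Settings the advisory tells you to add to each [rfs:s3] destination stanza.
REQUIRED_TRUE = ("remote.s3.sslVerifyServerCert", "remote.s3.sslVerifyServerName")
CA_PATH_KEY = "remote.s3.sslRootCaPath"
TRUE_VALUES = {"true", "1"}  # assumption: Splunk boolean spellings accepted here

# Constructed sample, not a real deployment. [rfs:s3] is hardened as the
# advisory describes; [rfs:archive] looks like a destination created from
# Splunk Web on 9.0.0; [rfs:partial] copied the stanza but left the placeholder.
SAMPLE_OUTPUTS_CONF = """\
[rfs:s3]
path = s3://example-bucket/ingest
remote.s3.sslVerifyServerCert=true
remote.s3.sslVerifyServerName=true
remote.s3.sslRootCaPath=/opt/splunk/etc/auth/cacert.pem

[rfs:archive]
path = s3://example-archive/ingest
# no TLS validation settings at all

[rfs:partial]
path = s3://example-partial/ingest
remote.s3.sslVerifyServerCert = true
remote.s3.sslRootCaPath=<path to SSL CA cert chain>

[tcpout]
defaultGroup = indexers
"""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.

    Handles [stanza] headers, key = value lines and '#' comment lines;
    a later duplicate key overrides an earlier one within the same stanza.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def audit(stanzas):
    """Return {stanza: [finding, ...]} for every rfs:* destination stanza.

    An empty list means the stanza carries all three settings from the
    advisory's workaround. Non-destination stanzas are not reported.
    """
    findings = {}
    for name, settings in stanzas.items():
        if not name.startswith("rfs:"):  # assumption: destinations are rfs:<name>
            continue
        problems = []
        for key in REQUIRED_TRUE:
            value = settings.get(key, "").lower()
            if value not in TRUE_VALUES:
                problems.append(f"{key} is {settings.get(key, 'unset')!r}; expected true")
        ca_path = settings.get(CA_PATH_KEY, "")
        # Unset, or still the advisory's "<path to SSL CA cert chain>" placeholder.
        if not ca_path or ca_path.startswith("<"):
            problems.append(f"{CA_PATH_KEY} is not set to a CA chain path")
        findings[name] = problems
    return findings


def report(text):
    """Render audit results as one line per finding (used by the CLI below)."""
    lines = []
    for stanza, problems in audit(parse_conf(text)).items():
        if not problems:
            lines.append(f"[{stanza}] OK: TLS certificate validation configured")
        for problem in problems:
            lines.append(f"[{stanza}] FAIL: {problem}")
    return lines


if __name__ == "__main__":
    import sys
    # Usage: python audit_rfs.py /opt/splunk/etc/system/local/outputs.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUTS_CONF
    print("\n".join(report(text)))
```

Run it against each outputs.conf that defines destinations (system/local and any app's local directory) and restart Splunk Enterprise after fixing the flagged stanzas, as the advisory says; the script reads configuration only and never connects to S3.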
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYvxpGckNZI30y1K9AQhHvg//UXAPgUWXNZq3My/mmxzV4sBkU1tIinIw
LAaMDOI5J4BkDyfV82eJ+7oaZULhVQigdabmdAGxnpeisU+qhbN43pxvxRtwNyxo
sqlCkYC/uCvabWcJVfss3w8kFznBg+nXgBdq95ufL+sTRtNTiotvN7UbgiwAc9Sd
8RJVOfSDj+fELwy1S68LTK2slM+faz3YlXHbhAHm/mdQtlvyp8dUHvnOr1BLM1TN
tb2kHLrYqLmupLQvY8NCmGyVEC2pJNUPCUlF2z5vKkMmPaAN1a0ybL0kF61wEgfy
aeGjHMfxmGHrrNpH/wgeHwAlYwRgmrDY63bQK1xKEVs77zBpG6D8BJq+wC006QDC
UuD/s/HhzPhheSvn08BgRB2LrkY8c6DEd3oWRMNJH68CYjWNlzgwn1+j3Ceocb3B
HpzIUdWsb3ynt8bOTTALyT3baFw1YcKyKAwsrglyb87SpmUg/dc/GTSzXAFq2ISO
ldcSE68XTOA6yHKco+zgFgxJYXjbLh3H/NPC2OJcYJt7c3OkfJKIBgm1nrgaQDVY
I1VhWMcD/96eHRxlL2Hc0qlKJ2jcQYRDKJeen2b73PdcfMshvoc/jrdCNeJi6PLO
kynNkRq+glI+6LyP1x8lx13ZnVx81/yATNVtGYu6lhLEZHJq5s5UBx6umNBWGRuZ
/MN5tCB/Tfk=
=Qr30
-----END PGP SIGNATURE-----