Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0894 SVD-2023-0207: Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk Enterprise 15 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Splunk Enterprise Splunk Cloud Platform Publisher: Splunk Operating System: Windows UNIX variants (UNIX, Linux, OSX) Resolution: Patch/Upgrade CVE Names: CVE-2023-22937 Original Bulletin: https://advisory.splunk.com//advisories/SVD-2023-0207 Comment: CVSS (Max): 4.3 CVE-2023-22937 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) CVSS Source: Splunk Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk Enterprise Advisory ID: SVD-2023-0207 CVE ID: CVE-2023-22937 Published: 2023-02-14 Last Update: 2023-02-14 CVSSv3.1 Score: 4.3, Medium CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CWE: CWE-20 Bug ID: SPL-229185 Description In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl. For more information on lookup table files, see About lookups . Solution For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, 9.0.4, or higher. For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances. Product Status Product Version Component Affected Version Fix Version Splunk Enterprise 8.1 Splunk Web 8.1.12 and lower 8.1.13 Splunk Enterprise 8.2 Splunk Web 8.2.0 to 8.2.9 8.2.10 Splunk Enterprise 9.0 Splunk Web 9.0.0 to 9.0.3 9.0.4 Splunk Cloud Platform - Splunk Web 9.2.2209 and lower 9.2.2209.3 Mitigations and Workarounds This vulnerability requires a user to hold a role with the 'upload_lookup_files' capability to exploit. An administrator can remove this role from user accounts to mitigate the vulnerability. For additional information on Splunk roles, refer to Define roles on the Splunk platform with capabilities . Detections o Splunk unnecessary file extensions allowed by lookup table uploads This search provides assistance in identifying lookup file uploads with non-standard extensions. Severity Splunk rated the vulnerability as Medium, 4.3, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY+xsIMkNZI30y1K9AQiP/A/+MtVBXdydS+8xBk3rmdfUUH/SaMeAJSZI 6g7VofMgwOhppHJJt1y65cr1ot4zH50evkcUAwG/f0x2XeyM83e7oQnKQC4qTpTg v77owNX58G8sre+I0LZuJ2GnV13GWPf1DBCd4gi45FG6nOJyVD2Nmns2lAEtgCoo 1JQsndm/vqWAUhoQnH/seXaIUUVJCz2S/+mj8F5ZfeuBklolgIpR9InKtM6xRThf hVANJtIPKxfcq+x6JvdcY5IPp6eXwKn0xD8yGk22kgdEIosK60F+P6YN7Ip3p9Mw mvU3HUFphwoOvOqL5mQaU7/7ILMMlc/ImncCMkKK+Zvhlrk+gY3JC2Z4Hbo590xv PhT7FwzTZFu920EiOMeW0m6UtLztw8Pu1VVuwEh8XyM0Es7QoYKrgI37tnvHtZV/ JkcHp+UU4mlrDKv7WG3J1maBqyUO9DCScxXErb4UAtU0U7wtTue3VCeV8n+p/es+ j5di9pcDfBtSsJSz7JPmVyQMOeV0qGJbicOrJyussBu9zrQHDCi6GtdeDaaZQWEw nnB7eLlS13QwaPWML2D3pbahf1bzLSt6piI3njjssq9Dwylm7oP/UWs1zIuLfRru viIPF1TtpEzVJm/OlapvIMj+IrhIgAupnQWWJwVXLcX3kN3OX/uHTf9cE//ZGrYm RwQKwiJJN7c= =iYCE -----END PGP SIGNATURE-----