-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0895
   SVD-2023-0213: Modular Input REST API Requests Connect via HTTP after
   Certificate Validation Failure in Splunk Add-on Builder and Splunk
                              CloudConnect SDK
                              15 February 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Splunk Add-on Builder
                   Splunk CloudConnect SDK
Publisher:         Splunk
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-22943

Original Bulletin:
   https://advisory.splunk.com//advisories/SVD-2023-0213

Comment: CVSS (Max):  4.8 CVE-2023-22943 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
         CVSS Source: Splunk
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Modular Input REST API Requests Connect via HTTP after Certificate Validation
Failure in Splunk Add-on Builder and Splunk CloudConnect SDK

Advisory ID:      SVD-2023-0213
CVE ID:           CVE-2023-22943
Published:        2023-02-14
Last Update:      2023-02-14
CVSSv3.1 Score:   4.8, Medium
CVSSv3.1 Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE:              CWE-636
Bug ID:           ADDON-58725

Description

In Splunk Add-on Builder (AoB) versions below 4.1.2 and the Splunk
CloudConnect SDK versions below 3.1.3, requests to third-party APIs through
the REST API Modular Input incorrectly revert to using HTTP to connect after
a failure to connect over HTTPS occurs.

The vulnerability affects AoB and apps that AoB generates when using the REST
API Modular Input functionality through its user interface. The vulnerability
also potentially affects third-party apps and add-ons that call
cloudconnectlib.splunktacollectorlib.cloud_connect_mod_input directly.
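The failure mode described above, shown as an added illustration that is not Splunk's code: a request path that retries over plain HTTP after a certificate validation error, beside the fail-closed shape the fix restores. The transport function, URL and helper names are constructed for this example so it runs offline.

```python
import ssl
from urllib.parse import urlsplit, urlunsplit

class InsecureDowngrade(Exception):
    """Raised when a request would leave the HTTPS scheme the caller asked for."""

def downgrade_to_http(url: str) -> str:
    """Rewrite https:// to http://; this is the step the fix removes."""
    return urlunsplit(("http",) + tuple(urlsplit(url))[1:])

def fetch_failing_open(url: str, send):
    """Vulnerable shape: on any TLS failure, retry the same request over plain
    HTTP. `send(url)` is an injected transport so the example runs offline."""
    try:
        return send(url)
    except ssl.SSLError:
        # Certificate validation failed, yet the request (and any credentials
        # carried in it) is re-sent in cleartext: CWE-636, failing open.
        return send(downgrade_to_http(url))

def fetch_fail_closed(url: str, send):
    """Hardened shape: refuse non-HTTPS targets and let TLS errors propagate."""
    if urlsplit(url).scheme != "https":
        raise InsecureDowngrade(f"refusing non-HTTPS request to {url}")
    return send(url)  # ssl.SSLError is not caught; the input run fails

def simulated_send(url: str) -> dict:
    """Constructed transport: the HTTPS endpoint presents an untrusted
    certificate, the HTTP endpoint answers in cleartext."""
    if urlsplit(url).scheme == "https":
        raise ssl.SSLCertVerificationError("certificate verify failed (constructed)")
    return {"url": url, "body": "cleartext response (constructed)"}

def outcome(fetch, url: str, send=simulated_send) -> tuple:
    """Run one fetch and report what happened, for comparison and tests."""
    try:
        return ("sent", fetch(url, send)["url"])
    except ssl.SSLError:
        return ("blocked", "tls-error")
    except InsecureDowngrade:
        return ("blocked", "downgrade-refused")

if __name__ == "__main__":
    target = "https://api.example.test/v1/events?token=example"
    print("failing open:", outcome(fetch_failing_open, target))
    print("fail closed :", outcome(fetch_fail_closed, target))
```

The vulnerable path silently delivers the query string, token included, over HTTP; the hardened path surfaces the certificate error to the operator instead.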
Solution

For third-party apps and add-ons that include the Splunk CloudConnect SDK,
upgrade the library to 3.1.3 or higher.

For customers that use AoB for custom apps, perform the following steps to
update your app or add-on:

1. Upgrade AoB to version 4.1.2 or higher. See Install the Add-on Builder
   User Guide for more information.
2. Use AoB to edit and save the affected app. See Configure data collection
   using a REST API call for more information. It isn't necessary to make
   changes to the app prior to saving it.
3. Restart Splunk Enterprise.

If the custom app or add-on is also installed on instances without AoB, you
must package the upgraded custom app or add-on, then install it on the
instances. See Validate and Package and Package apps for more information.

For affected apps and add-ons that are already on SplunkBase, third-party
developers must publish an updated version of the app or add-on to
SplunkBase. For more information, see Publish apps for Splunk Cloud Platform
or Splunk Enterprise to Splunkbase. Cloud-vetted apps are subject to the
Cloud Vetting Change Policy.

Note: If the REST API Modular Input connects to a self-signed URL, that
connection will fail. Where applicable, use a certificate authority
(CA)-signed certificate for your app or add-on. As an alternative, to fix
this error on apps and add-ons that are not on SplunkBase, overwrite the
certificate at
$SPLUNK_HOME/etc/apps/<ta_name>/bin/<ta_name>/aob_py3/certifi/cacert.pem
with the self-signed certificate. You cannot overwrite this certificate on
apps or add-ons that you publish to SplunkBase.
Product Status

Product                  Version  Component        Affected Version  Fix Version
Splunk Add-on Builder    4.1      cloudconnectlib  4.1.1 and lower   4.1.2
Splunk CloudConnect SDK  3.1      -                3.1.2 and lower   3.1.3

Mitigations and Workarounds

As an alternative to updating your custom app, if the app does not use the
REST API Modular Input functionality, delete the affected file at
$SPLUNK_HOME/etc/apps/<ta_name>/bin/<ta_name>/aob_py3/cloudconnectlib/core/http.py
If the app uses the functionality, update the file or patch it with the file
changes that appear in this pull request on the Splunk GitHub site.

Detections

None

Severity

Splunk rated the vulnerability as Medium, 4.8, with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The impact of the vulnerability
might vary for each app or add-on. Where applicable, review your app or
add-on and rate its vulnerability based on whether it uses the vulnerable
functionality and what data the modular input sends or receives.

Acknowledgments

Chris Green

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================