===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0895
   SVD-2023-0213: Modular Input REST API Requests Connect via HTTP after
        Certificate Validation Failure in Splunk Add-on Builder and
                          Splunk CloudConnect SDK
                             15 February 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Splunk Add-on Builder
                   Splunk CloudConnect SDK
Publisher:         Splunk
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-22943  

Original Bulletin: 
   https://advisory.splunk.com//advisories/SVD-2023-0213

Comment: CVSS (Max):  4.8 CVE-2023-22943 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
         CVSS Source: Splunk
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

---------------------------BEGIN INCLUDED TEXT--------------------

Modular Input REST API Requests Connect via HTTP after Certificate Validation
Failure in Splunk Add-on Builder and Splunk CloudConnect SDK

Advisory ID: SVD-2023-0213

CVE ID: CVE-2023-22943

Published: 2023-02-14

Last Update: 2023-02-14

CVSSv3.1 Score: 4.8, Medium

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-636

Bug ID: ADDON-58725

Description

In Splunk Add-on Builder (AoB) versions below 4.1.2 and the Splunk CloudConnect
SDK versions below 3.1.3, requests to third-party APIs through the REST API
Modular Input incorrectly revert to using HTTP to connect after a failure to
connect over HTTPS occurs. The vulnerability affects AoB and apps that AoB
generates when using the REST API Modular Input functionality through its user
interface. The vulnerability also potentially affects third-party apps and
add-ons that call cloudconnectlib.splunktacollectorlib.cloud_connect_mod_input 
directly.

Solution

For third-party apps and add-ons that include the Splunk CloudConnect SDK,
upgrade the library to 3.1.3 or higher.

For customers that use AoB for custom apps, perform the following steps to
update your app or add-on:

 1. Upgrade AoB to version 4.1.2 or higher. See Install the Add-on Builder User
    Guide for more information.
 2. Use AoB to edit and save the affected app. See Configure data collection
    using a REST API call for more information. It isn't necessary to make
    changes to the app prior to saving it.
 3. Restart Splunk Enterprise.

If the custom app or add-on is also installed on instances without AoB, you
must package the upgraded custom app or add-on, then install it on the
instances. See Validate and Package and Package apps for more information.

For affected apps and add-ons that are already on SplunkBase, third-party
developers must publish an updated version of the app or add-on to SplunkBase.
For more information, see Publish apps for Splunk Cloud Platform or Splunk
Enterprise to Splunkbase. Cloud-vetted apps are subject to the Cloud Vetting
Change Policy.

Note: If the REST API Modular Input connects to a URL whose server presents a
self-signed certificate, that
connection will fail. Where applicable, use a certificate authority (CA)-signed
certificate for your app or add-on. As an alternative, to fix this error on
apps and add-ons that are not on SplunkBase, overwrite the certificate at
$SPLUNK_HOME/etc/apps/<ta_name>/bin/<ta_name>/aob_py3/certifi/cacert.pem with
the self-signed certificate. You cannot overwrite this certificate on apps or
add-ons that you publish to SplunkBase.
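The following is an added example written for this bulletin; it is not Splunk's code and does not reproduce cloudconnectlib. It contrasts the behaviour class the Description names (retrying over plain HTTP after an HTTPS certificate failure) with a fail-closed client that instead accepts a private CA bundle, as the Note above recommends. The HTTP transport is a constructed stand-in so the example runs offline; the CA bundle path is a placeholder.

```python
# Added example, not Splunk's code. The transport is injected so the example
# runs offline; a real client would call a library such as requests here.
import ssl
from typing import Callable, Union
from urllib.parse import urlsplit, urlunsplit

Verify = Union[bool, str]                 # True, or a path to a CA bundle
Transport = Callable[[str, Verify], str]  # (url, verify) -> response body


class DowngradeDetected(RuntimeError):
    """Raised by the hardened client when a request would not use HTTPS."""


def fetch_downgrading(url: str, transport: Transport, verify: Verify = True) -> str:
    """Weak pattern: on any TLS failure, silently retry the request over HTTP.
    This is the behaviour class CVE-2023-22943 describes (not the original code)."""
    try:
        return transport(url, verify)
    except ssl.SSLError:
        parts = urlsplit(url)
        http_url = urlunsplit(("http",) + tuple(parts[1:]))
        return transport(http_url, verify)  # credentials/data now in cleartext


def fetch_fail_closed(url: str, transport: Transport, verify: Verify = True) -> str:
    """Hardened pattern: require HTTPS and let certificate errors propagate.
    A private CA is handled by passing its bundle path as `verify`, never by
    dropping to HTTP."""
    if urlsplit(url).scheme != "https":
        raise DowngradeDetected(f"refusing non-HTTPS URL: {url}")
    return transport(url, verify)  # ssl.SSLError reaches the caller unchanged


def make_fake_transport(trusted_bundle: str) -> Transport:
    """Constructed stand-in for an HTTP client. HTTPS verification succeeds
    only when the caller supplies the CA bundle that (fictionally) signed the
    server certificate; plain HTTP always 'succeeds', as it would in reality."""
    def transport(url: str, verify: Verify) -> str:
        if urlsplit(url).scheme == "http":
            return "PLAINTEXT"
        if verify is True or verify != trusted_bundle:
            raise ssl.SSLError("certificate verify failed: self-signed certificate")
        return "ENCRYPTED"
    return transport


if __name__ == "__main__":
    t = make_fake_transport("/path/to/private-ca.pem")  # placeholder path
    print(fetch_downgrading("https://api.example/v1", t))       # PLAINTEXT
    print(fetch_fail_closed("https://api.example/v1", t,
                            verify="/path/to/private-ca.pem"))  # ENCRYPTED
```

Running it shows the weak client returning a cleartext response without any error, while the hardened client either succeeds over TLS with the private CA bundle or fails loudly.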

Product Status

Product                  Version   Component        Affected Version   Fix Version
Splunk Add-on Builder    4.1       cloudconnectlib  4.1.1 and lower    4.1.2
Splunk CloudConnect SDK  3.1       -                3.1.2 and lower    3.1.3

Mitigations and Workarounds

As an alternative to updating your custom app, if the app does not use the REST
API Modular Input functionality, delete the affected file at $SPLUNK_HOME/etc/
apps/<ta_name>/bin/<ta_name>/aob_py3/cloudconnectlib/core/http.py. If the app
uses the functionality, update the file or patch it with the file changes that
appear in this pull request on the Splunk GitHub site.

Detections

None

Severity

Splunk rated the vulnerability as Medium, 4.8, with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The impact of the vulnerability
might vary for each app or add-on. Where applicable, review your app or add-on
and rate its vulnerability based on whether it uses the vulnerable
functionality and what data the modular input sends or receives.

Acknowledgments

Chris Green

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================