Operating System:

[WIN][UNIX/Linux]

Published:

02 October 2014

Protect yourself against future threats.

//Service

Malicious URL Feed

Add this Australian-based feed to your firewall blacklist and SIEM to prevent compromises to your network.

Read more
Resources > Security Bulletins > ASB-2014.0113 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0113
      Splunk Enterprise 6.1.4 and 5.0.10 address four vulnerabilities
                              2 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Splunk Enterprise
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
                      Reduced Security     -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-3511  
Member content until: Saturday, November  1 2014

OVERVIEW

        A number of vulnerabilities have been identified in Splunk 
        Enterprise versions prior to 6.1.4 and 5.0.10. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        "OpenSSL TLS protocol downgrade attack (SPL-88585, SPL-88587, 
        SPL-88588, CVE-2014-3511) 
        
        Description: 
        
        OpenSSL versions before 0.9.8zb, 1.0.0 before 1.0.0n, 
        and 1.0.1 before 1.0.1i does not properly handle fragmented ClientHello 
        messages. This permits a man-in-the-middle attack to force clients to use 
        TLS 1.0 even when both sides support higher protocol versions. The 
        vulnerability impacts all Splunk communications involving SSL including 
        universal forwarders, heavy forwarders, and Splunk Web.
        
        
        Persistent cross-site scripting (XSS) in Dashboard (SPL-89216) 
        
        Description: 
        
        Persistent cross-site scripting (XSS) dashboard 
        vulnerability in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4,
        6.0.x before 6.0.6, and 5.0.x before 5.0.10 allows remote attackers
        to inject arbitrary script.
        
        Persistent cross-site scripting (XSS) in Event Parsing (SPL-85579) 
        
        Description: 
        
        Persistent cross-site scripting (XSS) event 
        vulnerability in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4
        and 6.0.x before 6.0.6.
        
        Reflective cross-site scripting (XSS) referer header vulnerability 
        (SPL-85360) 
        
        Description: 
        
        Reflective cross-site scripting (XSS) 
        referer header vulnerability in Splunk Web in Splunk Enterprise 
        5.0.x before 5.0.10 allows remote attackers to inject arbitrary 
        script." [1]


MITIGATION

        It is recommended that users update to the latest versions of Splunk
        Enterprise to correct these issues. [1]


REFERENCES

        [1] Splunk Enterprise 6.1.4 and 5.0.10 address four vulnerabilities
            http://www.splunk.com/view/SP-CAAANHS

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVCzUERLndAQH1ShLAQLUyQ/8CSpdEMPaTjMOesnbnL8HqhdjBuE8OVaJ
c7Lk/7h/nkJRNln/C3PEPcEUv9nw6hCj7A/An/kmlagWCsZBadkSmbV6kE/p/jnb
i6qxdmvo5p8ay43f0zjlMhCB9CGzmJN66f3uyUK9TspTvF5C3RKJM8FEqmgNvO80
lGqWInHYJspyPwAJgH3mb5qvNpRZ7LVItz0R0XIIqC5OfbuNrtrJeKxEVBhaT6iS
m+ECAf/MZCQkU4fRUkyYbqWMmqUTd+6k2x56QhHR2ybErUllpzmOSly15YbIw9mc
kzEooACET7IH3dDz1WfRcaJYQrrnNhlXbnc/wsKWmagIzh2kNPpr0PAHUtZPKwts
XWJ8GGsfMDBFGmQNdkemLkLZe3V2neSlGvX/zssQ65uhM06vX4HlWRR+l3Z7MYrA
60Li+MMFJW7PaNq6JyLi5jV0iQdJUK0kreIKOfuYums3VTdCMGJINJ6mbCraLKsL
5Qg4Hn/+IB4rXfOhHuibuvtMH5+1ibG/GaGhGyPlNqPNKFP8jbWZjMTfwoVgFdg7
B/7Cg7yeFDq5k+A0R0fUGI4A8XHOfNUGKsxbM6fSImnXVtf9S1pEXe3Ric49o0d4
1yS6pJpwrpGNFSz7v7UuHs88WnwgmCwvBuamjxkidkboM9cmgvKm2rwET7GkDEzo
vgIPaMhEKvk=
=YbMz
-----END PGP SIGNATURE-----