Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2014.0113 Splunk Enterprise 6.1.4 and 5.0.10 address four vulnerabilities 2 October 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Splunk Enterprise Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Cross-site Scripting -- Remote with User Interaction Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-3511 Member content until: Saturday, November 1 2014 OVERVIEW A number of vulnerabilities have been identified in Splunk Enterprise versions prior to 6.1.4 and 5.0.10. [1] IMPACT The vendor has provided the following details regarding the vulnerabilities: "OpenSSL TLS protocol downgrade attack (SPL-88585, SPL-88587, SPL-88588, CVE-2014-3511) Description: OpenSSL versions before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i does not properly handle fragmented ClientHello messages. This permits a man-in-the-middle attack to force clients to use TLS 1.0 even when both sides support higher protocol versions. The vulnerability impacts all Splunk communications involving SSL including universal forwarders, heavy forwarders, and Splunk Web. Persistent cross-site scripting (XSS) in Dashboard (SPL-89216) Description: Persistent cross-site scripting (XSS) dashboard vulnerability in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4, 6.0.x before 6.0.6, and 5.0.x before 5.0.10 allows remote attackers to inject arbitrary script. Persistent cross-site scripting (XSS) in Event Parsing (SPL-85579) Description: Persistent cross-site scripting (XSS) event vulnerability in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4 and 6.0.x before 6.0.6. Reflective cross-site scripting (XSS) referer header vulnerability (SPL-85360) Description: Reflective cross-site scripting (XSS) referer header vulnerability in Splunk Web in Splunk Enterprise 5.0.x before 5.0.10 allows remote attackers to inject arbitrary script." [1] MITIGATION It is recommended that users update to the latest versions of Splunk Enterprise to correct these issues. [1] REFERENCES [1] Splunk Enterprise 6.1.4 and 5.0.10 address four vulnerabilities http://www.splunk.com/view/SP-CAAANHS AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVCzUERLndAQH1ShLAQLUyQ/8CSpdEMPaTjMOesnbnL8HqhdjBuE8OVaJ c7Lk/7h/nkJRNln/C3PEPcEUv9nw6hCj7A/An/kmlagWCsZBadkSmbV6kE/p/jnb i6qxdmvo5p8ay43f0zjlMhCB9CGzmJN66f3uyUK9TspTvF5C3RKJM8FEqmgNvO80 lGqWInHYJspyPwAJgH3mb5qvNpRZ7LVItz0R0XIIqC5OfbuNrtrJeKxEVBhaT6iS m+ECAf/MZCQkU4fRUkyYbqWMmqUTd+6k2x56QhHR2ybErUllpzmOSly15YbIw9mc kzEooACET7IH3dDz1WfRcaJYQrrnNhlXbnc/wsKWmagIzh2kNPpr0PAHUtZPKwts XWJ8GGsfMDBFGmQNdkemLkLZe3V2neSlGvX/zssQ65uhM06vX4HlWRR+l3Z7MYrA 60Li+MMFJW7PaNq6JyLi5jV0iQdJUK0kreIKOfuYums3VTdCMGJINJ6mbCraLKsL 5Qg4Hn/+IB4rXfOhHuibuvtMH5+1ibG/GaGhGyPlNqPNKFP8jbWZjMTfwoVgFdg7 B/7Cg7yeFDq5k+A0R0fUGI4A8XHOfNUGKsxbM6fSImnXVtf9S1pEXe3Ric49o0d4 1yS6pJpwrpGNFSz7v7UuHs88WnwgmCwvBuamjxkidkboM9cmgvKm2rwET7GkDEzo vgIPaMhEKvk= =YbMz -----END PGP SIGNATURE-----