-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2961
                      Splunk Enterprise security update
                                 16 June 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Splunk Enterprise
Publisher:         Splunk
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-32158 CVE-2022-32157

Original Bulletin: 
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0608.html
   https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html

Comment: CVSS (Max):  9.0 CVE-2022-32158 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: Splunk
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

         This bulletin contains two (2) Splunk security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Splunk Enterprise deployment servers allow client publishing of forwarder bundles

CVE ID:           CVE-2022-32158
Advisory ID:      SVD-2022-0608
Last Update:      2022-06-14
Published:        2022-06-14
CVSSv3.1 Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSSv3.1 Score:   9.0, Critical
CWE:              CWE-284
Bug ID:           SPL-176829
CSAF:             2022-06-14-svd-2022-0608
Security Content: Splunk Process Injection Forwarder Bundle Downloads

Description

Splunk Enterprise deployment servers in versions before 9.0 let clients deploy
forwarder bundles to other deployment clients through the deployment server. An
attacker that compromised a Universal Forwarder endpoint could use the
vulnerability to execute arbitrary code on all other Universal Forwarder
endpoints subscribed to the deployment server.

The Splunk Cloud Platform (SCP) does not offer or use deployment servers and is
not affected by the vulnerability.
For SCP customers that run deployment servers, upgrade to version 9.0 or higher.

At the time of publishing, we have no evidence of exploitation of this
vulnerability by external parties.

Solution

Upgrade Splunk Enterprise deployment servers to version 9.0 or higher

Product Status

Product            Affected Versions
Splunk Enterprise  Versions before 9.0

Acknowledgments

Nadim Taha at Splunk

Changelog

2022-06-14: Changed Solution from "Upgrade Splunk Enterprise deployment servers
to version 9.0 or higher, upgrade Universal Forwarders to version 9.0 or higher,
and Configure authentication for deployment servers and clients." to "Upgrade
Splunk Enterprise deployment servers to version 9.0 or higher". Remediation only
requires updating the Splunk Enterprise deployment servers to 9.0. Updating the
Universal Forwarders does not remediate or mitigate CVE-2022-32158.

- ------------------------------------------------------------------------

Splunk Enterprise deployment servers allow unauthenticated forwarder bundle downloads

CVE ID:           CVE-2022-32157
Advisory ID:      SVD-2022-0607
Last Update:      2022-06-14
Published:        2022-06-14
CVSSv3.1 Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSSv3.1 Score:   7.5, High
CWE:              CWE-306
Bug ID:           SPL-176828
CSAF:             2022-06-14-svd-2022-0607
Security Content: Splunk Process Injection Forwarder Bundle Downloads

Description

Splunk Enterprise deployment servers in versions before 9.0 allow
unauthenticated downloading of forwarder bundles. Remediation requires you to
update the deployment server to version 9.0 and Configure authentication for
deployment servers and clients. Once enabled, deployment servers can manage only
universal forwarder versions 9.0 and later. Though the vulnerability does not
directly affect Universal Forwarders, remediation requires updating all
Universal Forwarders that the deployment server manages to version 9.0 or higher
prior to enabling the remediation.
The Splunk Cloud Platform (SCP) does not offer or use deployment servers and is
not affected by the vulnerability. For SCP customers that run deployment
servers, upgrade to version 9.0 or higher.

At the time of publishing, we have no evidence of exploitation of this
vulnerability by external parties.

Solution

Upgrade Splunk Enterprise deployment servers to version 9.0 or higher, upgrade
Universal Forwarders to version 9.0 or higher, and Configure authentication for
deployment servers and clients.

Product Status

Product            Affected Versions
Splunk Enterprise  Versions before 9.0

Acknowledgments

Nadim Taha at Splunk

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.
Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYqqyVMkNZI30y1K9AQgSqA//RICmG/p4arsPMQza8otdNYPQPYHOtAIL
8A5LrMVlewCtMe9bgT9QYLhBlqb+SUorrECsKJ4dehhGYcK6+aSbt2PARRa5UpxQ
6fzDh1wGOje+mwVyOSvFOB2jGitaB0A8mK2oCqNZ04ebyyMH0L5PjMvssUgQn/f9
p2FBrk/QOpHlEOinaapNhWNv8G1LfDnSi1hHMSDF6mcOHAKY4aMy4rDOPDAcpe/G
7QVvvVZLcxejeEUsudFafcltjx8Dqe/EpQqYbRkw5cyNxZoW6SlwuF/WG6i0ng24
334wlmMcPsMavQ7qQSrOhUWl7/D6F94y9/pP+GZkdKE1cvIps1QdQrS0ozwrRpbM
89Hd1VnQJTPIJ8a6eqkyTmpMVg6V+Ifo5LhSAgwufMXwxgeYRNiYfRZSJIRTb99U
+j6sQ3YUk4/5+FYRx4FKtake6z6WeemTt8YwEXg2J40ZCeIEuMed1Rv6pLiP+k2J
r9rZULl7dBMLrOwo7XeMcH0r05jb3f8efPK0lhbAuSxuABK1UmtcsTRH9sTX8SAP
ZU16/lI7tRCVuWiIwVhPsqmZA69jRb7Pv+ExIE6UAgkj+z4bsM6jB7UfRKu9d/rX
gQMG1uaro1R7/hMTYa94YvRPpz4+jMcOLwMDfpv3iye059rxnYP9sALiKij4Cdzq
S7zclffr6YA=
=dyHu
-----END PGP SIGNATURE-----
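Editor's added example, placed after the signed bulletin so the signed text above stays intact. It is not Splunk's or AusCERT's code. The two advisories impose different remediation rules: CVE-2022-32158 is closed by upgrading the deployment server alone (the changelog states forwarder upgrades do not help), while CVE-2022-32157 needs the deployment server on 9.0 and client authentication enabled, and because an authenticating deployment server manages only 9.0+ forwarders, every managed forwarder must be upgraded before authentication is switched on. The script below applies those rules to an inventory and lists the remaining steps in the correct order. Hostnames, version numbers, the `client_auth_enabled` flag and the inventory are constructed for the example; the one real Splunk detail used is the JSON shape of the `/services/server/info?output_mode=json` REST reply, from which `version_from_server_info` pulls the version string.

```python
"""Remediation-status check for CVE-2022-32158 and CVE-2022-32157.

Added example (not Splunk's or AusCERT's code). Rules encoded, from the advisories:
  * CVE-2022-32158: remediated when the deployment server is 9.0 or higher.
    Forwarder versions are irrelevant (SVD-2022-0608 changelog).
  * CVE-2022-32157: remediated only when the deployment server is 9.0 or higher
    AND deployment-client authentication is enabled. An authenticating server
    manages only 9.0+ forwarders, so forwarders are upgraded first.
Hosts, versions and the inventory are constructed for the example.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field
from typing import Dict, List

FIXED_IN = (9, 0)  # "versions before 9.0" are affected

_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Turn '8.2.6', '9.0.0.1' or '9.0' into a tuple of ints for comparison."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_fixed(version: str) -> bool:
    """True when the version is 9.0 or higher (padded so '9' compares as 9.0)."""
    major_minor = (parse_version(version) + (0, 0))[:2]
    return major_minor >= FIXED_IN


def version_from_server_info(body: str) -> str:
    """Extract 'version' from a /services/server/info?output_mode=json reply."""
    return json.loads(body)["entry"][0]["content"]["version"]


@dataclass
class DeploymentServer:
    name: str
    version: str
    client_auth_enabled: bool  # the 9.0 deployment-client authentication feature
    clients: Dict[str, str] = field(default_factory=dict)  # clientName -> UF version


def assess(ds: DeploymentServer) -> dict:
    """Apply both advisories' rules and list the remaining steps in the order to do them."""
    ds_fixed = is_fixed(ds.version)
    old_forwarders = sorted(n for n, v in ds.clients.items() if not is_fixed(v))
    steps: List[str] = []

    if not ds_fixed:
        steps.append(f"upgrade deployment server {ds.name} ({ds.version}) to 9.0 or higher")
    if old_forwarders:
        # Must happen before authentication is enabled, or these clients drop off.
        steps.append("upgrade forwarders still below 9.0 before enabling client "
                     f"authentication: {', '.join(old_forwarders)}")
    if not ds.client_auth_enabled:
        steps.append("enable deployment-client authentication on the deployment server "
                     "(Splunk: 'Configure authentication for deployment servers and clients')")
    elif old_forwarders:
        # Authentication already on: a 9.0 server will not manage these clients at all.
        steps.append("authentication is already enabled; forwarders below 9.0 stay "
                     f"unmanaged until upgraded: {', '.join(old_forwarders)}")

    return {
        "deployment_server": ds.name,
        "cve_2022_32158_remediated": ds_fixed,
        "cve_2022_32157_remediated": ds_fixed and ds.client_auth_enabled,
        "forwarders_below_9_0": old_forwarders,
        "remaining_steps": steps,
    }


# Constructed inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    DeploymentServer("ds-prod-01", "8.2.6", False,
                     {"web-01": "8.2.6", "web-02": "8.1.3", "db-01": "9.0.0"}),
    DeploymentServer("ds-lab-01", "9.0.0", False, {"lab-uf-01": "9.0.0"}),
    DeploymentServer("ds-sec-01", "9.0.1", True, {"sec-01": "9.0.1", "sec-02": "9.0.0"}),
]

if __name__ == "__main__":
    for server in SAMPLE_INVENTORY:
        print(json.dumps(assess(server), indent=2))
```

In a real run, the version strings would come from each host's `splunk version` output or from the `/services/server/info` endpoint fed through `version_from_server_info`; the `client_auth_enabled` flag has to be recorded from the deployment server's own configuration, which the advisories do not describe and the script does not read.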