Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.2961
Splunk Enterprise security update
16 June 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Splunk Enterprise
Publisher: Splunk
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Resolution: Patch/Upgrade
CVE Names: CVE-2022-32158 CVE-2022-32157
Original Bulletin:
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0608.html
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html
Comment: CVSS (Max): 9.0 CVE-2022-32158 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: Splunk
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
This bulletin contains two (2) Splunk security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Splunk Enterprise deployment servers allow client publishing of forwarder
bundles
CVE ID: CVE-2022-32158
Advisory ID: SVD-2022-0608
Last Update: 2022-06-14
Published: 2022-06-14
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/
CVSSv3.1 Score: 9.0, Critical S:C/C:H/I:H/A:H
CWE: CWE-284 Bug ID: SPL-176829
CSAF: 2022-06-14-svd-2022-0608 Security Content: Splunk Process Injection
Forwarder Bundle Downloads
Description
Splunk Enterprise deployment servers in versions before 9.0 let clients deploy
forwarder bundles to other deployment clients through the deployment server. An
attacker that compromised a Universal Forwarder endpoint could use the
vulnerability to execute arbitrary code on all other Universal Forwarder
endpoints subscribed to the deployment server.
The Splunk Cloud Platform (SCP) does not offer or use deployment servers and is
not affected by the vulnerability. For SCP customers that run deployment
servers, upgrade to version 9.0 or higher. At the time of publishing, we have
no evidence of exploitation of this vulnerability by external parties.
Solution
Upgrade Splunk Enterprise deployment servers to version 9.0 or higher
Product Status
Product Affected Versions
Splunk Enterprise Versions before 9.0
Acknowledgments
Nadim Taha at Splunk
Changelog
2022-06-14: Changed Solution from "Upgrade Splunk Enterprise deployment servers
to version 9.0 or higher, upgrade Universal Forwarders to version 9.0 or
higher, and Configure authentication for deployment servers and clients." to
"Upgrade Splunk Enterprise deployment servers to version 9.0 or higher".
Remediation only requires updating the Splunk Enterprise deployment servers to
9.0. Updating the Universal Forwarders does not remediate or mitigate
CVE-2022-32158.
- ------------------------------------------------------------------------
Splunk Enterprise deployment servers allow unauthenticated forwarder bundle
downloads
CVE ID: CVE-2022-32157
Advisory ID: SVD-2022-0607
Last Update: 2022-06-14
Published: 2022-06-14
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/
CVSSv3.1 Score: 7.5, High S:U/C:H/I:N/A:N
CWE: CWE-306 Bug ID: SPL-176828
CSAF: 2022-06-14-svd-2022-0607 Security Content: Splunk Process Injection
Forwarder Bundle Downloads
Description
Splunk Enterprise deployment servers in versions before 9.0 allow
unauthenticated downloading of forwarder bundles. Remediation requires you to
update the deployment server to version 9.0 and Configure authentication for
deployment servers and clients. Once enabled, deployment servers can manage
only universal forwarder versions 9.0 and later. Though the vulnerability does
not directly affect Universal Forwarders, remediation requires updating all
Universal Forwarders that the deployment server manages to version 9.0 or
higher prior to enabling the remediation.
The Splunk Cloud Platform (SCP) does not offer or use deployment servers and is
not affected by the vulnerability. For SCP customers that run deployment
servers, upgrade to version 9.0 or higher. At the time of publishing, we have
no evidence of exploitation of this vulnerability by external parties.
Solution
Upgrade Splunk Enterprise deployment servers to version 9.0 or higher, upgrade
Universal Forwarders to version 9.0 or higher, and Configure authentication for
deployment servers and clients.
Product Status
Product Affected Versions
Splunk Enterprise Versions before 9.0
Acknowledgments
Nadim Taha at Splunk
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBYqqyVMkNZI30y1K9AQgSqA//RICmG/p4arsPMQza8otdNYPQPYHOtAIL
8A5LrMVlewCtMe9bgT9QYLhBlqb+SUorrECsKJ4dehhGYcK6+aSbt2PARRa5UpxQ
6fzDh1wGOje+mwVyOSvFOB2jGitaB0A8mK2oCqNZ04ebyyMH0L5PjMvssUgQn/f9
p2FBrk/QOpHlEOinaapNhWNv8G1LfDnSi1hHMSDF6mcOHAKY4aMy4rDOPDAcpe/G
7QVvvVZLcxejeEUsudFafcltjx8Dqe/EpQqYbRkw5cyNxZoW6SlwuF/WG6i0ng24
334wlmMcPsMavQ7qQSrOhUWl7/D6F94y9/pP+GZkdKE1cvIps1QdQrS0ozwrRpbM
89Hd1VnQJTPIJ8a6eqkyTmpMVg6V+Ifo5LhSAgwufMXwxgeYRNiYfRZSJIRTb99U
+j6sQ3YUk4/5+FYRx4FKtake6z6WeemTt8YwEXg2J40ZCeIEuMed1Rv6pLiP+k2J
r9rZULl7dBMLrOwo7XeMcH0r05jb3f8efPK0lhbAuSxuABK1UmtcsTRH9sTX8SAP
ZU16/lI7tRCVuWiIwVhPsqmZA69jRb7Pv+ExIE6UAgkj+z4bsM6jB7UfRKu9d/rX
gQMG1uaro1R7/hMTYa94YvRPpz4+jMcOLwMDfpv3iye059rxnYP9sALiKij4Cdzq
S7zclffr6YA=
=dyHu
-----END PGP SIGNATURE-----