Splunk Releases Security Updates for Multiple Products

Thirteen advisories address five High and eight Medium impact vulnerabilities for Splunk Enterprise, Splunk Cloud Platform, Splunk CloudConnect SDK, and Splunk Add-on Builder

Threat ID:: CC-4267
Threat Severity:: Information only
Published:: 17 February 2023 3:27 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Thirteen advisories address five High and eight Medium impact vulnerabilities for Splunk Enterprise, Splunk Cloud Platform, Splunk CloudConnect SDK, and Splunk Add-on Builder

Affected platforms

The following platforms are known to be affected:

Versions: 8.1.12 and earlier, 8.2.9 and earlier, 9.0.3 and earlier

Splunk Enterprise

Versions: 9.0.2209 and earlier

Splunk Cloud Platform

Versions: 4.1.1 and earlier

Splunk Add-on Builder

The following platforms are also known to be affected:

Splunk CloudConnect SDK - 3.1.2 and earlier

Threat details

Introduction

Thirteen advisories address five High and eight Medium impact vulnerabilities in multiple products.

The High vulnerabilities are related to cross-site scripting or allowing searches to bypass search processing language safeguards for risky commands. An attacker could exploit some of these vulnerabilities to take control of a system.

Remediation advice

Affected organisations are encouraged to review the following Splunk Security Advisories for more information.

Remediation steps

Type	Step
Patch	Modular Input REST API Requests Connect via HTTP after Certificate Validation Failure in Splunk Add-on Builder and Splunk CloudConnect SDK \| SVD-2023-0213 https://advisory.splunk.com/advisories/SVD-2023-0213
Patch	Cross-Site Request Forgery in the ‘ssg/kvstore_client’ REST Endpoint in Splunk Enterprise \| SVD-2023-0212 https://advisory.splunk.com/advisories/SVD-2023-0212
Patch	Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon \| SVD-2023-0211 https://advisory.splunk.com/advisories/SVD-2023-0211
Patch	SPL Command Safeguards Bypass via the ‘collect’ SPL Command Aliases in Splunk Enterprise \| SVD-2023-0210 https://advisory.splunk.com/advisories/SVD-2023-0210
Patch	SPL Command Safeguards Bypass via the ‘map’ SPL Command in Splunk Enterprise \| SVD-2023-0209 https://advisory.splunk.com/advisories/SVD-2023-0209
Patch	Permissions Validation Failure in the ‘sendemail’ REST API Endpoint in Splunk Enterprise \| SVD-2023-0208 https://advisory.splunk.com/advisories/SVD-2023-0208
Patch	Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk Enterprise \| SVD-2023-0207 https://advisory.splunk.com/advisories/SVD-2023-0207
Patch	Authenticated Blind Server Side Request Forgery via the ‘search_listener’ Search Parameter in Splunk Enterprise \| SVD-2023-0206 https://advisory.splunk.com/advisories/SVD-2023-0206
Patch	SPL Command Safeguards Bypass via the ‘display.page.search.patterns.sensitivity’ Search Parameter in Splunk Enterprise \| SVD-2023-0205 https://advisory.splunk.com/advisories/SVD-2023-0205
Patch	SPL Command Safeguards Bypass via the ‘pivot’ SPL Command in Splunk Enterprise \| SVD-2023-0204 https://advisory.splunk.com/advisories/SVD-2023-0204
Patch	Persistent Cross-Site Scripting through the ‘module’ Tag in a View in Splunk Enterprise \| SVD-2023-0203 https://advisory.splunk.com/advisories/SVD-2023-0203
Patch	Persistent Cross-Site Scripting through a Base64-encoded Image in a View in Splunk Enterprise \| SVD-2023-0202 https://advisory.splunk.com/advisories/SVD-2023-0202
Patch	‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise \| SVD-2023-0201 https://advisory.splunk.com/advisories/SVD-2023-0201

CVE Vulnerabilities

Status Published

CVE-2023-22931

In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default.

Status Published

CVE-2023-22932

In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting (XSS) through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0.

Status Published

CVE-2023-22933

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting (XSS) in an extensible mark-up language (XML) View through the ‘layoutPanel’ attribute in the ‘module’ tag’. The vulnerability affects instances with Splunk Web enabled.

Status Published

CVE-2023-22934

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets a search bypass [SPL safeguards for risky commands](https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards) using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser. The vulnerability affects instances with Splunk Web enabled.

Status Published

CVE-2023-22935

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘display.page.search.patterns.sensitivity’ search parameter lets a search bypass [SPL safeguards for risky commands](https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards). The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled.

Status Published

CVE-2023-22936

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘search_listener’ parameter in a search allows for a blind server-side request forgery (SSRF) by an authenticated user. The initiator of the request cannot see the response without the presence of an additional vulnerability within the environment.

Status Published

CVE-2023-22937

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl. For more information on lookup table files, see [About lookups](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions).

Status Published

CVE-2023-22938

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘sendemail’ REST API endpoint lets any authenticated user send an email as the Splunk instance. The endpoint is now restricted to the ‘splunk-system-user’ account on the local instance.

Status Published

CVE-2023-22939

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘map’ search processing language (SPL) command lets a search [bypass SPL safeguards for risky commands](https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards). The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled.

Status Published

CVE-2023-22940

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the ‘collect’ search processing language (SPL) command, including ‘summaryindex’, ‘sumindex’, ‘stash’,’ mcollect’, and ‘meventcollect’, were not designated as safeguarded commands. The commands could potentially allow for the exposing of data to a summary index that unprivileged users could access. The vulnerability requires a higher privileged user to initiate a request within their browser, and only affects instances with Splunk Web enabled.

Status Published

CVE-2023-22941

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) crashes the Splunk daemon (splunkd).

Status Published

CVE-2023-22942

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the ‘kvstore_client’ REST endpoint lets a potential attacker update SSG [App Key Value Store (KV store)](https://docs.splunk.com/Documentation/Splunk/latest/Admin/AboutKVstore) collections using an HTTP GET request. SSG is a Splunk-built app that comes with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled.

Status Published

CVE-2023-22943

In Splunk Add-on Builder (AoB) versions below 4.1.2 and the Splunk CloudConnect SDK versions below 3.1.3, requests to third-party APIs through the REST API Modular Input incorrectly revert to using HTTP to connect after a failure to connect over HTTPS occurs. The vulnerability affects AoB and apps that AoB generates when using the REST API Modular Input functionality through its user interface. The vulnerability also potentially affects third-party apps and add-ons that call the *cloudconnectlib.splunktacollectorlib.cloud_connect_mod_input* Python class directly.

Last edited: 17 February 2023 3:27 pm