Splunk Critical Maintenance Release and Patch - May 3rd, 2010

Description

Splunk has released critical maintenance releases and a patch to address several vulnerabilities in Splunk versions 4.0 through 4.1.1. At the time of this announcement, Splunk is not aware of any cases where any of these vulnerabilities have been exploited.

Due to the threat posed by a successful attack, Splunk strongly recommends that all instances of Splunk running the Splunk Web component be updated immediately to the newest maintenance release.

If you are unable to perform an immediate upgrade, Splunk strongly recommends that you immediately apply a critical patch to all affected versions of Splunk running Splunk Web to address the most serious vulnerability.

Splunk also recommends that you apply as many components of the Splunk Hardening Standards as possible to mitigate the risk and impact of exploitation.

Products and Components Affected

Security vulnerabilities addressed by this critical maintenance release and patch affect the following versions of Splunk running the Splunk Web component:

  • Splunk 4.0 through 4.0.10
  • Splunk 4.1 through 4.1.1

Security vulnerabilities addressed by this critical maintenance release and patch affect the Splunk Web component of the Splunk server software. Splunk Web refers to the web server used to deliver the Splunk user interface to the client browser. By default, Splunk light forwarders disable Splunk Web and are not affected.

Upgrades and Patches

Due to the threat posed by the possibility of a successful attack, Splunk strongly recommends that all instances of Splunk running the Splunk Web component be updated immediately to the newest maintenance release.


Splunk Version | Recommendation                          | Option 2
4.0 to 4.0.10  | Upgrade to version 4.0.11               | Apply the critical security patch
4.1 to 4.1.1   | Upgrade to the latest version of Splunk | Apply the critical security patch

Splunk releases are cumulative, meaning that releases posted after those we are posting today will contain the fixes for these vulnerabilities as well as new features and fixes for other bugs and flaws.

If you are unable to perform an upgrade, Splunk strongly recommends that you apply a critical patch to all versions of Splunk running Splunk Web immediately. However, the supplied patch mitigates only the most critical vulnerability in this announcement, Directory traversal in Splunk Web (SPL-31194).

Splunk recommends that customers only apply the patch as a last resort, in situations where they are unable to upgrade immediately.
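
The affected ranges and recommendations above can be applied to an inventory of instances, as in the following added example (not Splunk's own code). The host names and inventory rows are constructed, and the function names are hypothetical.

```python
# Added example: triage a Splunk inventory against this advisory's affected ranges.
# Inventory rows are constructed sample data, not real hosts.

# Affected ranges and upgrade actions, taken from the advisory's table.
AFFECTED = [
    ((4, 0, 0), (4, 0, 10), "upgrade to 4.0.11"),
    ((4, 1, 0), (4, 1, 1), "upgrade to the latest version of Splunk"),
]
FALLBACK = "if upgrade is not possible now, apply the critical patch (covers SPL-31194 only)"


def parse_version(text):
    """Turn '4.0' or '4.1.1' into a 3-tuple so '4.0' compares equal to '4.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError("unexpected version string: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))


def triage(version, splunk_web_enabled):
    """Return (affected, action) for one instance."""
    if not splunk_web_enabled:
        # The advisory scopes every listed issue to the Splunk Web component.
        return (False, "not affected: Splunk Web is disabled")
    v = parse_version(version)
    for low, high, action in AFFECTED:
        if low <= v <= high:
            return (True, action + "; " + FALLBACK)
    return (False, "not in the affected ranges of this advisory")


def triage_inventory(rows):
    """rows: (host, version, splunk_web_enabled) tuples. Affected hosts sort first."""
    results = [(host,) + triage(ver, web) for host, ver, web in rows]
    return sorted(results, key=lambda r: (not r[1], r[0]))


# Constructed sample inventory (hypothetical host names).
SAMPLE = [
    ("idx01.example", "4.0.10", True),
    ("search01.example", "4.1", True),
    ("lwf07.example", "4.1.1", False),  # light forwarder, Splunk Web off by default
    ("idx02.example", "4.0.11", True),
    ("search02.example", "4.1.2", True),
]

if __name__ == "__main__":
    for host, affected, action in triage_inventory(SAMPLE):
        print("%-18s %-9s %s" % (host, "AFFECTED" if affected else "ok", action))
```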

Credit Statement

Splunk would like to extend a huge thank you to aaron@vtty.com for responsibly reporting each of the vulnerabilities fixed in the newest maintenance releases and patch. We have credited him below in each vulnerability description.

Vulnerability Descriptions and Ratings

The following are descriptions and ratings for vulnerabilities that are fixed in the newest maintenance releases. Descriptions and ratings for previous security fixes can be found in previous Product Security Announcements on our Product Security Portal.

SPL numbers are to be used in communication with Splunk to address specific vulnerabilities. If there is no CVE listed with the vulnerability, the CVE will be added as it is posted.

Directory traversal in Splunk Web (SPL-31194) (CVE-2010-2502)

Description: Splunk Web is vulnerable to directory traversal attacks without authentication, which could result in an attacker being able to disclose sensitive information from the Splunk server.

Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1

Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.

CVSS Severity (version 2.0):

CVSS Base Score: 9
CVSS Impact Subscore: 8.5
CVSS Exploitability Subscore: 10

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity: Low
  • Authentication: None
  • Impact Type:
    • Provides unauthorized access
    • Allows complete confidentiality violation
    • Allows partial integrity and availability violation
    • Allows unauthorized disclosure of information
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest maintenance release supplied by Splunk or, at a minimum, applying the critical patch supplied by Splunk.

Directory traversal with uploads in Splunk Web (SPL-31063) (CVE-2010-2502)

Description: Splunk Web is vulnerable to directory traversal attacks via the upload interface, which allow an authenticated user to modify sensitive information on the Splunk server.

Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1

Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.

CVSS Severity (version 2.0):

CVSS Base Score: 8.5
CVSS Impact Subscore: 10
CVSS Exploitability Subscore: 6.8

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Impact Type:
    • Provides unauthorized access
    • Allows complete confidentiality, integrity and availability violation
    • Allows unauthorized disclosure of information
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Apply the latest maintenance release supplied by Splunk

Reflective Cross-site Scripting and Directory Traversal with Redirects in Splunk Web (SPL-31067) (CVE-2010-2503)

Description: Splunk Web is vulnerable to reflective cross-site scripting and directory traversal attacks when handling redirects.

Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1

Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.

CVSS Severity (version 2.0):

CVSS Base Score: 7.5
CVSS Impact Subscore: 8.5
CVSS Exploitability Subscore: 6.8

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Impact Type:
    • Provides unauthorized access
    • Allows complete confidentiality violation
    • Allows partial integrity and availability violation
    • Allows unauthorized disclosure of information
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Apply the latest maintenance release supplied by Splunk

Cross-site Scripting with Splunk Web (SPL-31084) (CVE-2010-2503)

Description: Splunk Web is vulnerable to user->user or user->admin cross-site scripting attacks that could lead to information disclosure.

Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1

Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.

CVSS Severity (version 2.0):

CVSS Base Score: 6
CVSS Impact Subscore: 6.4
CVSS Exploitability Subscore: 6.8

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Impact Type:
    • Allows partial confidentiality, integrity and availability violation
    • Allows unauthorized disclosure of information
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Apply the latest maintenance release supplied by Splunk

Cross-site Scripting with User Input in Splunk Web (SPL-31085) (CVE-2010-2503)

Description: Splunk Web is vulnerable to cross-site scripting when accepting user input.

Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1

Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.

CVSS Severity (version 2.0):

CVSS Base Score: 6
CVSS Impact Subscore: 6.4
CVSS Exploitability Subscore: 6.8

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Impact Type:
    • Allows partial confidentiality, integrity and availability violation
    • Allows unauthorized disclosure of information
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Apply the latest maintenance release supplied by Splunk

HTTP Header Injection in Splunk Web (SPL-31066) (CVE-2010-2504)

Description: Splunk Web is vulnerable to user->user or user->admin cross-site scripting attacks that could lead to information disclosure.

Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1

Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.

CVSS Severity (version 2.0):

CVSS Base Score: 6
CVSS Impact Subscore: 6.4
CVSS Exploitability Subscore: 6.8

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Impact Type:
    • Allows partial confidentiality, integrity and availability violation
    • Allows unauthorized disclosure of information
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Apply the latest maintenance release supplied by Splunk