Cross-site Scripting in Splunk Web with 404 Responses in Internet Explorer - June 7, 2010

Description

Splunk version 4.1.3 contains a fix for a cross-site scripting vulnerability in Splunk Web when accessed via Internet Explorer. When returning a "404 Not Found" response to a request for a non-existent resource, Splunk will render the contents of the HTTP "Referer" header. An attacker could trick a Splunk user into visiting a specially crafted web page in order to exploit this vulnerability. This vulnerability is only confirmed as valid in Internet Explorer, as Firefox will escape the special characters ‘" < >’ when rendering the link.

Splunk also recommends that you apply as many components of the Splunk Hardening Standards as possible to mitigate the risk and impact of exploitation.
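
The flaw class described above, as an added example that is not Splunk's code: a 404 handler that writes the Referer header into the page verbatim, next to a version that HTML-escapes it first, plus a parser-based check suitable for a regression test. The function names, page templates and sample Referer are constructed for illustration; the scheme check is an extra precaution assumed here, not something the advisory describes.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed templates; the real Splunk Web 404 page is not shown in the advisory.
PAGE = ('<html><body><h1>404 Not Found</h1>'
        '<p><a href="{0}">Return to {0}</a></p></body></html>')
PAGE_NO_LINK = '<html><body><h1>404 Not Found</h1></body></html>'

# Constructed Referer as a browser that does not encode " < > would send it.
SAMPLE_REFERER = 'http://intranet.example/page?x="><b id=injected>'


def render_404_unescaped(referer):
    """Flawed pattern: header text is placed into the markup verbatim."""
    return PAGE.format(referer)


def render_404_escaped(referer):
    """Hardened pattern: validate the scheme, then HTML-escape before rendering."""
    try:
        scheme = urlsplit(referer).scheme
    except ValueError:
        scheme = ""
    if scheme not in ("http", "https"):
        return PAGE_NO_LINK  # no back link for anything that is not a web URL
    # quote=True also encodes " and ', which matters inside the href attribute.
    return PAGE.format(html.escape(referer, quote=True))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(page):
    """Return the start tags an HTML parser sees in the rendered page."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print(start_tags(render_404_unescaped(SAMPLE_REFERER)))
    print(start_tags(render_404_escaped(SAMPLE_REFERER)))
```

Comparing the parsed tag list against the template's own tags catches header-supplied markup regardless of which characters the client browser chose to encode.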

Products and Components Affected

Security vulnerabilities addressed by this maintenance release affect the following versions of Splunk running the Splunk Web component:

  • Splunk 4.0 through 4.1.2

Security vulnerabilities addressed by this maintenance release affect the Splunk Web component of the Splunk server software. Splunk Web refers to the web server used to deliver the Splunk user interface to the client browser. By default, Splunk light forwarders disable Splunk Web and are not affected.

Upgrades

Splunk recommends that all vulnerable instances of Splunk running the Splunk Web component be updated to version 4.1.3.


Splunk Version    Recommendation
4.0 to 4.1.2      Upgrade to version 4.1.3

Splunk releases are cumulative, meaning that releases posted after those we are posting today will contain the fixes for these vulnerabilities as well as new features and fixes for other bugs and flaws.

Credit Statement

Splunk would like to credit Patrik Nordlén for responsibly reporting this vulnerability. Thanks Patrik!

Vulnerability Descriptions and Ratings

The following are descriptions and ratings for vulnerabilities that are fixed in the newest maintenance releases. Descriptions and ratings for previous security fixes can be found in previous Product Security Announcements on our Product Security Portal.

SPL numbers are to be used in communication with Splunk to address specific vulnerabilities. If there is no CVE listed with the vulnerability, the CVE will be added as it is posted.

Cross-site Scripting in Splunk Web with 404 responses to Internet Explorer (SPL-31736) (CVE-2010-2429)

Description: Splunk Web is vulnerable to cross-site scripting when a malicious HTTP 'Referer' is rendered in Internet Explorer as part of a '404 Not Found' reply.

Versions Affected: Splunk 4.0.0 - 4.1.2

Credit: Thanks to Patrik Nordlén for responsibly disclosing this issue.

CVSS Severity (version 2.0):

CVSS Base Score: 4
CVSS Impact Subscore: 4.9
CVSS Exploitability Subscore: 4.9

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity: High
  • Authentication: None
  • Impact Type:
    • Allows partial confidentiality and integrity violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest maintenance release supplied by Splunk.