Splunk 4.2.3 addresses two vulnerabilities

Advisory ID: SP-CAAAGD3

CVE ID: -

Published: 2011-08-09

Last Update: 2011-08-09

CVSSv3.1 Score: -, 

CVSSv3.1 Vector: -

CWE: -

Bug ID: SPL-40804, SPL-40645

Description

Splunk version 4.2.3 addresses two vulnerabilities:

  • Splunkd Remote Denial of Service Vulnerability (SPL-40645)
  • SplunkWeb Reflected Cross-Site Scripting Vulnerability (SPL-40804)

At the time of this announcement, Splunk is not aware of any cases where this vulnerability has been exploited. Splunk recommends that customers upgrade any instances of Splunk running Splunk Web, such as index and search servers, to the latest maintenance release as soon as possible.

Splunk also recommends that you apply as many components of the Splunk Hardening Standards as possible to mitigate the risk and impact of exploitation.

Products and Components Affected

Security vulnerabilities addressed by this maintenance release affect the following versions of Splunk running Splunk Web:

  • Splunk 4.0 through 4.2.2

The Splunkd Remote Denial of Service Vulnerability (SPL-40645) addressed by this maintenance release affects instances of Splunk server software or Splunk universal forwarder software that have been configured to receive data from remote Splunk forwarders over an SSL-encrypted channel. By default, Splunk does not use SSL to send data to or receive data from other Splunk instances on either the Splunk server software or the Splunk universal forwarder software.

The SplunkWeb Reflected Cross-Site Scripting Vulnerability (SPL-40804) addressed by this maintenance release affects the Splunk Web component of the Splunk server software. Splunk Web refers to the web server used to deliver the Splunk user interface to the client browser.

Upgrades

Splunk recommends that all vulnerable instances of Splunk running the Splunk Web component or that have been configured to receive data from remote Splunk forwarders over an SSL-encrypted channel be updated to the latest maintenance release.

Splunk Version Recommendation

4.0 to 4.2.2 Upgrade to the latest maintenance release

Splunk releases are cumulative, meaning that releases posted subsequent to those we are posting today will contain these fixes to these vulnerabilities as well as new features and fixes to other bugs and flaws.

Credit

Splunk would like to credit the Commonwealth Bank of Australia’s CBAcert team with the responsible disclosure of both of the issues addressed in this advisory.

Vulnerability Descriptions and Ratings

The following are descriptions and ratings for vulnerabilities that are fixed in the newest maintenance releases. Descriptions and ratings for previous security fixes can be found in previous Product Security Announcements on our Product Security Portal.

SPL numbers are to be used in communication with Splunk to address specific vulnerabilities. If there is no CVE listed with the vulnerability, the CVE will be added as it is posted.

Splunkd Remote Denial of Service Vulnerability (SPL-40645)

Description: A remote denial of service vulnerability was identified in Splunk instances configured to receive data from other Splunk instances over an SSL-encrypted channel. An attacker could use a specially crafted packet to cause a remote instance of Splunk configured to receive data over an SSL-encrypted channel to crash.

Versions Affected: Splunk 4.0 - 4.2.2

Credit: Splunk would like to credit the Commonwealth Bank of Australia’s CBAcert team with the responsible disclosure of this issue.

CVSS Severity (version 2.0):

CVSS Base Score 5.8

CVSS Impact Subscore 7.8

CVSS Exploitability Subscore 4.4

CVSS Version 2 Metrics

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single instance
  • Impact Type:
    • Allows partial integrity and complete availability violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

    Mitigation and Remediation:

  • Splunk recommends upgrading to the latest maintenance release supplied by Splunk.

Splunk Web Reflected Cross-Site Scripting Vulnerability (SPL-40804)

Description: A reflected cross-site scripting vulnerability was identified in Splunk Web. An attacker could trick a user into clicking a specially crafted link that would disclose a valid Splunk session key to the attacker.

Versions Affected: Splunk 4.0 - 4.2.2

Credit: Splunk would like to credit the Commonwealth Bank of Australia’s CBAcert team with the responsible disclosure of this issue.

CVSS Severity (version 2.0):

CVSS Base Score 5.5

CVSS Impact Subscore 4.9

CVSS Exploitability Subscore 8.0

CVSS Version 2 Metrics

  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single instance
  • Impact Type:
    • Allows partial confidentiality and integrity violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

    Mitigation and Remediation:

  • Splunk recommends upgrading to the latest maintenance release supplied by Splunk.

Document History

  • 2011-August-9: Rev 1. Initial Release
  • 2011-August-9: Rev 2.
    • Changed description of 40804 to accurately reflect risk.
    • Changed credit statement to accurately reflect team name.