Splunk has released critical maintenance releases and a patch to address several vulnerabilities in Splunk versions 4.0 through 4.1.1. At the time of this announcement, Splunk is not aware of any cases where any of these vulnerabilities have been exploited.
Due to the threat posed by a successful attack, Splunk strongly recommends that all instances of Splunk running the Splunk Web component be updated immediately to the newest maintenance release.
If you are unable to perform an immediate upgrade, Splunk strongly recommends that you immediately apply a critical patch to all affected versions of Splunk running Splunk Web to address the most serious vulnerability.
Splunk also recommends that you apply as many components of the Splunk Hardening Standards as possible to mitigate the risk and impact of exploitation.
Security vulnerabilities addressed by this critical maintenance release and patch affect the following versions of Splunk running the Splunk Web component:
Security vulnerabilities addressed by this critical maintenance release and patch affect the Splunk Web component of the Splunk server software. Splunk Web refers to the web server used to deliver the Splunk user interface to the client browser. By default, Splunk light forwarders disable Splunk Web and are not affected.
Upgrades and Patches
Given the threat posed by a successful attack, Splunk strongly recommends that all instances of Splunk running the Splunk Web component be updated immediately to the newest maintenance release.
Splunk Version | Recommended action | Alternative if you cannot upgrade |
---|---|---|
4.0 to 4.0.10 | Upgrade to version 4.0.11 | Apply the critical security patch |
4.1 to 4.1.1 | Upgrade to the latest version of Splunk | Apply the critical security patch |
Splunk releases are cumulative: any release posted after today's will also contain the fixes for these vulnerabilities, along with new features and fixes for other bugs and flaws.
If you are unable to perform an upgrade, Splunk strongly recommends that you immediately apply the critical patch to all versions of Splunk running Splunk Web. However, the patch only mitigates the most critical vulnerability described in this announcement, Directory traversal in Splunk Web (SPL-31194).
Splunk recommends that customers only apply the patch as a last resort, in situations where they are unable to upgrade immediately.
Splunk would like to extend a huge thank you to aaron@vtty.com for responsibly reporting each of the vulnerabilities fixed in the newest maintenance releases and patch. We have credited him below in each vulnerability description.
The following are descriptions and ratings for vulnerabilities that are fixed in the newest maintenance releases. Descriptions and ratings for previous security fixes can be found in previous Product Security Announcements on our Product Security Portal.
SPL numbers are to be used in communication with Splunk to address specific vulnerabilities. If there is no CVE listed with the vulnerability, the CVE will be added as it is posted.
Description: Splunk Web is vulnerable to directory traversal attacks without authentication, which could result in an attacker being able to disclose sensitive information from the Splunk server.
Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1
Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.
CVSS Base Score | 9 |
CVSS Impact Subscore | 8.5 |
CVSS Exploitability Subscore | 10 |
Mitigation and Remediation:
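As a defender-side check for the unauthenticated directory traversal described above (an added example, not Splunk's own code or patch): it scans web access log lines, peels repeated percent-encoding, and flags requests whose decoded path climbs above the web root, giving top priority to unauthenticated requests that succeeded. Assumptions: the log lines are constructed here in Apache combined style; adjust LOG_RE to the real Splunk Web access log format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style (assumption: your
# web access log looks similar; adapt LOG_RE if it does not).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2010:09:12:01 -0700] "GET /en-US/app/search/flashtimeline HTTP/1.1" 200 5120
10.0.0.9 - - [12/Jun/2010:09:12:07 -0700] "GET /en-US/static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1471
10.0.0.9 - - [12/Jun/2010:09:12:09 -0700] "GET /en-US/static/%252e%252e/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 210
10.0.0.7 - admin [12/Jun/2010:09:13:00 -0700] "GET /en-US/app/search/../launcher/home HTTP/1.1" 200 3300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(s, max_rounds=3):
    """Peel repeated percent-encoding (%252e -> %2e -> .) until stable."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def escapes_root(target):
    """True if the decoded path, walked segment by segment, climbs above /."""
    path = fully_decode(target.split('?', 1)[0]).replace('\\', '/')
    depth = 0
    for seg in path.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:          # more '..' than real directories: escaped
                return True
        elif seg and seg != '.':
            depth += 1
    return False                   # '/a/b/../c' style paths stay inside root

def scan(log_text):
    """Return one finding per request whose path escapes the web root."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not escapes_root(m['target']):
            continue               # unparseable or benign; in production count the former
        unauth = m['user'] == '-'
        findings.append({
            'ip': m['ip'], 'user': m['user'], 'status': int(m['status']),
            'decoded': fully_decode(m['target']), 'unauthenticated': unauth,
            # unauthenticated request that succeeded = the CVSS 9 scenario above
            'priority': 'high' if unauth and m['status'].startswith('2') else 'review'})
    return findings

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f)
```

Running it on the constructed sample reports the two encoded traversal requests from 10.0.0.9 and ignores the in-root `..` navigation on the last line.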
Description: Splunk Web is vulnerable to directory traversal attacks via the upload interface, which allows an authenticated user to modify sensitive information on the Splunk server.
Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1
Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.
CVSS Base Score | 8.5 |
CVSS Impact Subscore | 10 |
CVSS Exploitability Subscore | 6.8 |
Mitigation and Remediation:
Description: Splunk Web is vulnerable to reflective cross-site scripting and directory traversal attacks when handling redirects.
Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1
Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.
CVSS Base Score | 7.5 |
CVSS Impact Subscore | 8.5 |
CVSS Exploitability Subscore | 6.8 |
Mitigation and Remediation:
Description: Splunk Web is vulnerable to user->user or user->admin cross-site scripting attacks that could lead to information disclosure.
Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1
Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.
CVSS Base Score | 6 |
CVSS Impact Subscore | 6.4 |
CVSS Exploitability Subscore | 6.8 |
Mitigation and Remediation:
Description: Splunk Web is vulnerable to user->user or user->admin cross-site scripting attacks that could lead to information disclosure.
Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1
Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.
CVSS Base Score | 6 |
CVSS Impact Subscore | 6.4 |
CVSS Exploitability Subscore | 6.8 |
Mitigation and Remediation:
Description: Splunk Web is vulnerable to cross-site scripting when accepting user input.
Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1
Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.
CVSS Base Score | 6 |
CVSS Impact Subscore | 6.4 |
CVSS Exploitability Subscore | 6.8 |
Mitigation and Remediation:
Description: Splunk Web is vulnerable to user->user or user->admin cross-site scripting attacks that could lead to information disclosure.
Versions Affected: Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1
Credit: Thanks to aaron@vtty.com for responsibly disclosing this issue.
CVSS Base Score | 6 |
CVSS Impact Subscore | 6.4 |
CVSS Exploitability Subscore | 6.8 |
Mitigation and Remediation: