Announcements

Splunk 4.1.5 addresses two security vulnerabilities

Table of Contents

 

Description
Products and Components Affected
Upgrades
Credit Statement
Vulnerability Descriptions and Ratings
Splunk’s XML Parser is Vulnerable to XXE (SPL-31061) (CVE-2010-3322)
SPLUNKD_SESSION_KEY parameter allows session hijacking (SPL-31094) (CVE-2010-3323)

Description

Splunk version 4.1.5 contains fixes for two security vulnerabilities:

  • Splunk’s XML Parser is vulnerable to XXE (SPL-31061) ( CVE-2010-3322)
  • SPLUNKD_SESSION_KEY parameter allows session hijacking (SPL-31094) (CVE-2010-3323)

At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been exploited. Splunk recommends that customers upgrade any instances of Splunk running Splunk Web, such as index and search servers, to the latest maintenance release as soon as possible.

Splunk also recommends that you apply as many components of the Splunk Hardening Standards as possible to mitigate the risk and impact of exploitation.

Products and Components Affected

Security vulnerabilities addressed by this maintenance release affect the following versions of Splunk running the Splunk Web component:

  • Splunk 4.0 through 4.1.4

Security vulnerabilities addressed by this maintenance release affect the Splunk Web component of the Splunk server software. Splunk Web refers to the web server used to deliver the Splunk user interface to the client browser. By default, Splunk light forwarders disable Splunk Web and are not affected.

Upgrades

Splunk recommends that all vulnerable instances of Splunk running the Splunk Web component be updated to the latest maintenance release.

 

Splunk Version Recommendation
4.0 to 4.1.4 Upgrade to the latest maintenance release

 

Splunk releases are cumulative, meaning that releases posted subsequent to those we are posting today will contain these fixes to these vulnerabilities as well as new features and fixes to other bugs and flaws.

Credit Statement

Splunk would like to credit aaron@vtty.com for responsibly reporting these vulnerabilities. Thanks again, Aaron!

Vulnerability Descriptions and Ratings

The following are descriptions and ratings for vulnerabilities that are fixed in the newest maintenance releases. Descriptions and ratings for previous security fixes can be found in previous Product Security Announcements on our Product Security Portal.

SPL numbers are to be used in communication with Splunk to address specific vulnerabilities. If there is no CVE listed with the vulnerability, the CVE will be added as it is posted.

Splunk’s XML Parser is Vulnerable to XXE (SPL-31061) (CVE-2010-3322)

Description: Splunk’s XML parser is vulnerably to XXE (XML eXternal Entity) attacks. An authenticated user could exploit this vulnerability, causing information disclosure and privilege escalation.

Versions Affected: Splunk 4.0.0 - 4.1.4

Credit:Thanks to aaron@vtty.com for responsibly disclosing this issue.

CVSS Severity (version 2.0):

CVSS Base Score 6
CVSS Impact Subscore 6.4
CVSS Exploitability Subscore 6.8

CVSS Version 2 Metrics

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single instance
  • Impact Type:
    • Allows partial confidentiality, integrity and availability violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest maintenance release supplied by Splunk.

SPLUNKD_SESSION_KEY parameter allows session hijacking (SPL-31094) (CVE-2010-3323)

Description: The parameter SPLUNKD_SESSION_KEY is vulnerable to session hijacking. An authenticated user could be tricked into visiting a specially crafted web page that could disclose a valid splunkd session key to an attacker.

Versions Affected: Splunk 4.0.0 - 4.1.4

Credit:Thanks to aaron@vtty.com for responsibly disclosing this issue.

CVSS Severity (version 2.0):

CVSS Base Score 4.6
CVSS Impact Subscore 6.4
CVSS Exploitability Subscore 3.9

CVSS Version 2 Metrics

  • Access Vector: Network
  • Access Complexity: High
  • Authentication: Single instance
  • Impact Type:
    • Allows partial confidentiality, integrity and availability violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest maintenance release supplied by Splunk.

 

Document History

  • 2010-September-9: Rev 1. Initial Release

Questions? Submit your question to Splunk Support.

PLATFORM
PLATFORM
SECURITY
SECURITY
IT OPERATIONS & DEVOPS
IT OPERATIONS & DEVOPS
SOLUTIONS BY INITIATIVE
SOLUTIONS BY INITIATIVE
SOLUTIONS BY FUNCTION
SOLUTIONS BY FUNCTION
SOLUTIONS BY INDUSTRY
SOLUTIONS BY INDUSTRY
WHY SPLUNK?
WHY SPLUNK?
SUPPORT
SUPPORT
RESOURCES
RESOURCES
FOR DEVELOPERS
FOR DEVELOPERS
COMPANY
COMPANY
SPLUNK SITES
SPLUNK SITES
Sitemap
Privacy
Website Terms of Use
Splunk Licensing Terms
Export Control
Modern Slavery Statement
Splunk Patents

© 2005-2021 Splunk Inc. All rights reserved.

Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.