Splunk response to CVE-2018-11409: Information Exposure
Table of Contents
At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no Common Vulnerabilities and Exposures (CVE) identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2 (CVSS v2).
Affected Products and Components
- Information Exposure in Splunk Enterprise
- Affected Product Versions: Splunk Enterprise versions 6.2.x, 6.3.x, 6.4.x and 6.5.x
- Affected Components: Search heads, heavy forwarders, universal forwarders and indexers.
Vulnerability Descriptions and Splunk Responses
Information Exposure in Splunk Enterprise
Description: Splunk Enterprise exposes partial information about the host operating system, hardware and Splunk license. Splunk Enterprise before 6.6.0 exposes this information without authentication. Splunk Enterprise 6.6.0 and later exposes this information only to authenticated Splunk users. Based on the information exposure, Splunk characterizes this issue as a low severity impact.
CVSS Severity (version 2.0):
|CVSS Base Score||5.0|
|CVSS Impact Subscore||2.9|
|CVSS Exploitability Subscore||10|
|Overall CVSS Score||3.6|
Splunk response to Information Exposure in Splunk Enterprise
The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Therefore, Splunk recommends upgrading to the latest version to reduce the risk of this vulnerability.