
Indexer denial-of-service via malformed S2S request

Advisory ID: SVD-2022-0301

Published: 2022-03-24

CVSSv3.1 Score: 7.5, High

CWE: CWE-125


CVE ID: CVE-2021-3422

Last Update: 2022-05-03

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Security Content: Splunk DoS via Malformed S2S Request


Description

The lack of validation of a key-value field in the Splunk-to-Splunk (S2S) protocol results in a denial of service on Splunk Enterprise instances configured to index Universal Forwarder traffic. See Enable a receiver for more information on configuring an indexer to listen for UF traffic. Universal Forwarders themselves are not affected.

When Splunk forwarding is secured using TLS or a token, the attack requires compromising the certificate or token, or both. As a partial mitigation and a security best practice, see Configure Splunk forwarding to use your own SSL certificates and Control forwarder access. Implementing either or both reduces the severity to Medium.
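As an added example, not part of the advisory, the receiver and forwarder settings that implement the two mitigations named above: the indexer accepts S2S traffic only on a TLS port, from forwarders that present a client certificate issued by your own CA and the shared forwarder token. The port, hostnames, certificate paths and placeholder secrets are assumptions.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the indexer (receiver).
# Only a TLS-wrapped S2S listener is defined; no plaintext
# [splunktcp://9997] stanza, so unauthenticated S2S requests are not accepted.
[splunktcp-ssl:9997]
disabled = 0
# Shared forwarder token (Control forwarder access). Forwarders that do not
# present the same value in outputs.conf are refused.
token = REPLACE_WITH_LONG_RANDOM_TOKEN

[SSL]
# Server certificate issued by your own CA, not the default Splunk-signed one.
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = REPLACE_WITH_KEY_PASSWORD
# Reject forwarders that cannot present a client certificate chaining to the
# CA configured as sslRootCAPath in server.conf.
requireClientCert = true
# Optionally pin the certificate CN expected from legitimate forwarders.
sslCommonNameToCheck = uf.example.internal

# $SPLUNK_HOME/etc/system/local/outputs.conf on each Universal Forwarder.
[tcpout]
defaultGroup = secured_indexers

[tcpout:secured_indexers]
server = indexer.example.internal:9997
# Must match the token configured on the indexer above.
token = REPLACE_WITH_LONG_RANDOM_TOKEN
# Client certificate issued by the same CA, presented on connect.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = REPLACE_WITH_KEY_PASSWORD
# Verify the indexer's certificate and CN so data is not sent to an impostor.
sslVerifyServerCert = true
sslCommonNameToCheck = indexer.example.internal
```

Restart splunkd on both sides after the change and confirm in splunkd.log that forwarders connect on the TLS port only.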


Affected Products

Product            Version   Affected Versions    Fix Version
Splunk Enterprise  8.2       -                    8.2.0
Splunk Enterprise  8.1       8.1.0 to 8.1.2       8.1.3
Splunk Enterprise  8.0       8.0.0 to 8.0.8       8.0.9
Splunk Enterprise  7.3       7.3.8 and earlier    7.3.9


Acknowledgments

Sharon Brizinov and Tal Keren of Claroty


Changelog

2022-05-03: Added CWE and Security Content references and links