Indexer denial-of-service via malformed S2S request
Advisory ID: SVD-2022-0301
CVE ID: CVE-2021-3422
Published: 2022-03-24
Last Update: 2022-05-03
CVSSv3.1 Score: 7.5, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-125
Security Content: Splunk DoS via Malformed S2S Request
Description
The lack of validation of a key-value field in the Splunk-to-Splunk (S2S) protocol results in a denial of service on Splunk Enterprise instances configured to index Universal Forwarder traffic. See Enable a receiver for more information on configuring an indexer to listen for UF traffic. The vulnerability does not affect Universal Forwarders themselves.
When Splunk forwarding is secured using TLS or a Token, the attack requires compromising the certificate or token, or both. As a partial mitigation and a security best practice, see Configure Splunk forwarding to use your own SSL certificates and Control forwarder access. Implementation of either or both reduces the severity to Medium.
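The two mitigations named above, TLS with your own certificates and a forwarder token, both live in the receiving input's configuration. The fragment below is an added illustration, not configuration shipped with this advisory or by Splunk; the port 9997, the certificate paths, and the token value are placeholders you would replace with your own.

```ini
# --- Indexer (receiver): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for forwarder traffic over TLS only; the plain [splunktcp://9997]
# stanza is intentionally absent so an unauthenticated sender cannot reach
# the S2S parser at all.
[splunktcp-ssl:9997]
# Shared secret the forwarder must present; REPLACE_WITH_YOUR_TOKEN is a placeholder.
token = REPLACE_WITH_YOUR_TOKEN

[SSL]
# Your own server certificate (PEM), not the default Splunk-generated one.
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = REPLACE_WITH_KEY_PASSWORD
# Require and verify the forwarder's client certificate so that only
# holders of a certificate issued by your CA can open an S2S session.
requireClientCert = true
sslVersions = tls1.2

# --- Forwarder (sender): $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = secure_indexers

[tcpout:secure_indexers]
server = indexer.example.internal:9997
# Must match the token configured on the receiver.
token = REPLACE_WITH_YOUR_TOKEN
clientCert = /opt/splunkforwarder/etc/auth/mycerts/forwarder.pem
sslPassword = REPLACE_WITH_KEY_PASSWORD
# Verify the indexer's certificate against the CA in server.conf [sslConfig].
sslVerifyServerCert = true
```

With both settings in place, reaching the vulnerable code path requires a valid client certificate and the token, which is the condition under which the advisory rates the issue as Medium. Restart the indexer and forwarder after editing, and confirm the connection by checking that the forwarder's splunkd.log shows a successful TLS handshake rather than a certificate or token rejection.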
Affected Products
Product | Version | Affected Versions | Fix Version |
---|---|---|---|
Splunk Enterprise | 8.2 | - | 8.2.0 |
Splunk Enterprise | 8.1 | 8.1.0 to 8.1.2 | 8.1.3 |
Splunk Enterprise | 8.0 | 8.0.0 to 8.0.8 | 8.0.9 |
Splunk Enterprise | 7.3 | 7.3.8 and earlier | 7.3.9 |
Acknowledgments
Sharon Brizinov and Tal Keren of Claroty
Changelog
2022-05-03: Added CWE and Security Content references and links