Indexer denial-of-service via malformed S2S request
Advisory ID: SVD-2022-0301
CVSSv3.1 Score: 7.5, High
CVE ID: CVE-2021-3422
Last Update: 2022-05-03
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Security Content: Splunk DoS via Malformed S2S Request
The lack of validation of a key-value field in the Splunk-to-Splunk (S2S) protocol results in a denial of service on Splunk Enterprise instances configured to index Universal Forwarder (UF) traffic. See Enable a receiver for more information on configuring an indexer to listen for UF traffic. Universal Forwarders themselves are not affected.
When Splunk forwarding is secured using TLS or a token, the attack requires compromising the certificate, the token, or both. As a partial mitigation and a security best practice, see Configure Splunk forwarding to use your own SSL certificates and Control forwarder access. Implementing either or both reduces the severity to Medium.
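Added example, not taken from the advisory or from Splunk's documentation: an indexer inputs.conf receiver in its weak, unauthenticated form beside a hardened form that applies both mitigations referenced above. The port, certificate path, common name and token value are placeholders, and pairing the token setting with the splunktcp-ssl stanza is an assumption.

```ini
# --- Weak receiver configuration (constructed example) ---
# Cleartext S2S listener with no forwarder authentication: any sender
# that can reach TCP/9997 is parsed as forwarder traffic, so nothing
# stands between a malformed request and the indexer.
[splunktcp://9997]
disabled = 0

# --- Hardened receiver configuration (constructed example) ---
# 1) TLS with a certificate issued by your own CA and mandatory client
#    certificates: a sender must present a certificate your CA issued
#    before its S2S data is accepted.
[splunktcp-ssl:9997]
disabled = 0
# 2) Forwarder access control: the forwarder's outputs.conf tcpout stanza
#    must carry the same token or the connection is refused.
#    (Assumption: token applies to the splunktcp-ssl stanza as well.)
token = <REPLACE_WITH_LONG_RANDOM_TOKEN>

[SSL]
# Placeholder paths and secrets; use the indexer certificate you issued.
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <REPLACE_WITH_KEY_PASSWORD>
requireClientCert = true
# Accept only client certificates carrying the forwarder identity you issued.
sslCommonNameToCheck = uf.example.internal
sslVersions = tls1.2
```

After restarting splunkd, check splunkd.log on the indexer to confirm that connections lacking the token or a valid client certificate are rejected before any events are indexed.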
| Product | Version | Affected Versions | Fix Version |
|---|---|---|---|
| Splunk Enterprise | 8.1 | 8.1.0 to 8.1.2 | 8.1.3 |
| Splunk Enterprise | 8.0 | 8.0.0 to 8.0.8 | 8.0.9 |
| Splunk Enterprise | 7.3 | 7.3.8 and earlier | 7.3.9 |
Acknowledgments: Sharon Brizinov and Tal Keren of Claroty
2022-05-03: Added CWE and Security Content references and links