Splunk / Product Security / SVD-2022-0604

Risky commands warnings in Splunk Enterprise dashboards

Advisory ID: SVD-2022-0604

Published: 2022-06-14

CVSSv3.1 Score: 6.8 (Medium)

CWE: CWE-20

CSAF: 2022-06-14-svd-2022-0604

CVE ID: CVE-2022-32154

Last Update: 2022-06-14

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Bug ID: SPL-201816

Security Content: 
  Splunk Command and Scripting Interpreter Risky Commands
  Splunk Command and Scripting Interpreter Risky SPL MLTK
  Splunk Command and Scripting Interpreter Delete Usage

Description

Dashboards in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2106 might let an attacker inject risky search commands into a form token when that token is used in a query issued through a cross-origin request. The injected commands bypass the SPL safeguards for risky commands (a search injection). See "New capabilities can limit access to some custom and potentially risky commands" in the Splunk documentation for more information. Note that the attack is browser-based: a user with a Splunk Web session must be induced to make the crafted cross-origin request (User Interaction: Required in the CVSS vector), so an attacker cannot exploit it at will.
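The following is an added illustration of the injection class described above; it is not code from the advisory or from Splunk. It models a dashboard search template whose form token is spliced into the SPL as plain text, shows how a token value containing a pipe adds a risky pipeline stage, and contrasts that with substitution that turns the value into a single quoted string literal (the intent of Splunk's $token|s$ filter; the exact escaping used here, the template, the token values and the small set of "risky" command names are all assumptions constructed for the example).

```python
import re

# Constructed for this example: a small subset of SPL commands treated as
# risky. The authoritative list lives in Splunk's documentation and varies by
# version; this set is an assumption, not that list.
RISKY_COMMANDS = {"delete", "runshellscript", "script", "run", "sendemail",
                  "collect", "outputlookup", "map"}

TOKEN_RE = re.compile(r"\$(\w+)\$")

# Constructed dashboard search: $clientip$ is a form token filled from the
# request (for example, a URL query parameter on a dashboard link).
TEMPLATE = ("index=web sourcetype=access_combined clientip=$clientip$ "
            "| stats count by uri")


def substitute_raw(template: str, tokens: dict) -> str:
    """Plain text substitution: the token value is spliced into the SPL as-is,
    so a value containing an unquoted pipe adds new pipeline stages."""
    return TOKEN_RE.sub(lambda m: tokens.get(m.group(1), ""), template)


def spl_quote(value: str) -> str:
    """Wrap a token value as one double-quoted SPL string literal, escaping
    backslashes and double quotes. Mirrors the intent of $token|s$; the exact
    escaping Splunk applies is assumed here, not taken from the advisory."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def substitute_quoted(template: str, tokens: dict) -> str:
    """Hardened substitution: every token value becomes a string literal, so a
    pipe inside the value is search data rather than a command separator."""
    return TOKEN_RE.sub(lambda m: spl_quote(tokens.get(m.group(1), "")), template)


def pipeline_commands(spl: str) -> list:
    """Return the command name of each pipeline stage. Pipes inside
    double-quoted strings (honouring backslash escapes) do not split stages.
    A non-empty first stage is the implicit 'search' command."""
    stages, buf, in_str, esc = [], [], False, False
    for ch in spl:
        if esc:
            buf.append(ch)
            esc = False
            continue
        if in_str and ch == "\\":
            buf.append(ch)
            esc = True
            continue
        if ch == '"':
            in_str = not in_str
        if ch == "|" and not in_str:
            stages.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf))

    names = []
    for i, stage in enumerate(stages):
        words = stage.split()
        if not words:
            continue
        names.append("search" if i == 0 else words[0].lower())
    return names


def risky_commands_in(spl: str) -> list:
    """Names of risky commands that would run if this SPL were dispatched."""
    return [name for name in pipeline_commands(spl) if name in RISKY_COMMANDS]


# Constructed token values: one as an attacker-controlled request might set
# the form field, one as a legitimate user would.
MALICIOUS = {"clientip": "* | delete"}
BENIGN = {"clientip": "10.0.0.1"}


def demo() -> dict:
    """Run both substitution strategies and report the risky commands each yields."""
    return {
        "raw": risky_commands_in(substitute_raw(TEMPLATE, MALICIOUS)),
        "quoted": risky_commands_in(substitute_quoted(TEMPLATE, MALICIOUS)),
        "benign": risky_commands_in(substitute_quoted(TEMPLATE, BENIGN)),
    }


if __name__ == "__main__":
    print(substitute_raw(TEMPLATE, MALICIOUS))
    print(substitute_quoted(TEMPLATE, MALICIOUS))
    print(demo())
```

The quoted form is a dashboard-side defence in depth, not a substitute for the upgrade the advisory calls for: the fixed versions change how Splunk itself applies the risky-command safeguards, while quoting only prevents a token value from ever becoming a new pipeline stage in searches the dashboard author controls.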

The vulnerability affects instances with Splunk Web enabled. See "Disable unnecessary Splunk Enterprise components" and the web.conf configuration file for more information on disabling Splunk Web on forwarders, where it is typically not needed.

At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.


Solution

For Splunk Enterprise, upgrade to version 9.0 or higher.

For Splunk Cloud Platform versions below 8.2.2106, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, create a new support case. See "Determine which version of Splunk Enterprise you're running" before submitting.


Product Status

Product                  Affected Versions
Splunk Enterprise        Versions before 9.0
Splunk Cloud Platform    Versions before 8.2.2106


Acknowledgments

Chris Green at Splunk

Danylo Dmytriiev (DDV_UA)

Anton (therceman)