Risky commands warnings in Splunk Enterprise dashboards
Advisory ID: SVD-2022-0604
CVE ID: CVE-2022-32154
Published: 2022-06-14
Last Update: 2022-07-18
CVSSv3.1 Score: 6.8, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE: CWE-20
Bug ID: SPL-201816
Description
Dashboards in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2106 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands (i.e., Search Injection). See New capabilities can limit access to some custom and potentially risky commands for more information. The vulnerability is browser-based and is not exploitable at will. It requires the attacker to initiate a request within the victim’s browser (e.g., phishing) or compromise an authorized user’s account.
The vulnerability affects instances with Splunk Web enabled. See Disable unnecessary Splunk Enterprise components and the web.conf configuration file for more information on disabling Splunk Web in forwarders.
At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.
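One defensive check for the token-injection path described above, added here as an example and not code from Splunk: it expands Simple XML form tokens into a dashboard search the way a dashboard does, then compares the SPL command pipeline before and after substitution and reports any risky command that only arrived through a token value. The risky-command set and the two dashboard searches are constructed for the example (the authoritative list is in Splunk's risky-commands documentation); the `$token|s$` quoting filter is Simple XML's own, and the comparison shows that a value expanded through it stays inside a quoted string instead of adding a pipeline stage.

```python
import re

# Constructed sample of SPL commands that Splunk treats as risky (assumption for this example;
# the authoritative list is in Splunk's risky-commands documentation, not on this page).
RISKY_COMMANDS = {"collect", "delete", "outputcsv", "outputlookup", "sendemail",
                  "sendalert", "runshellscript", "mcollect"}
# Simple XML token reference: $name$ or $name|filter$, e.g. $status|s$
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)(?:\|([a-z]))?\$")
# Constructed dashboard searches: one uses the raw token, one applies the |s quoting filter.
UNQUOTED_TEMPLATE = "index=web status=$status$ | stats count by uri"
QUOTED_TEMPLATE = "index=web status=$status|s$ | stats count by uri"

def quote_spl(value: str) -> str:
    """Mimic the Simple XML |s filter: wrap in double quotes, escape backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def substitute_tokens(template: str, values: dict) -> str:
    """Expand $token$ references with form values the way a dashboard does before searching."""
    def repl(m):
        raw = values.get(m.group(1), "")
        return quote_spl(raw) if m.group(2) == "s" else raw
    return TOKEN_RE.sub(repl, template)

def spl_commands(search: str) -> list:
    """Command name of each stage, splitting on pipes outside double quotes (subsearches included)."""
    stages, buf, in_quote = [], [], False
    for i, ch in enumerate(search):
        if ch == '"' and (i == 0 or search[i - 1] != "\\"):
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf))
    cmds = []
    for n, stage in enumerate(stages):
        words = stage.strip(" []\t\n").split()
        if not words:
            continue  # leading pipe or empty stage
        # a non-empty first stage is an implicit `search`; its words are terms, not a command
        cmds.append("search" if n == 0 else words[0].lower())
    return cmds

def injected_risky_commands(template: str, values: dict) -> set:
    """Risky commands present only after token substitution, i.e. introduced by form values."""
    expected = set(spl_commands(TOKEN_RE.sub("__token__", template)))
    actual = set(spl_commands(substitute_tokens(template, values)))
    return (actual - expected) & RISKY_COMMANDS
```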
Solution
For Splunk Enterprise, upgrade to version 9.0 or higher.
For Splunk Cloud Platform versions below 8.2.2106, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, create a new support case. Check Determine which version of Splunk Enterprise you’re running prior to submitting.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | - | Versions before 9.0 | 9.0.0 |
| Splunk Cloud Platform | - | - | Versions before 8.1.2106 | 8.1.2106 |
Detections
Severity Considerations
Splunk strongly recommends securing your Splunk environment with hardened TLS configurations. See Securing the Splunk platform with TLS for more information. Note that this vulnerability applies only if you have configured your Splunk platform instances to use transport layer security (TLS) certificates for secure network connections. If you have not and are using the default certificates, the vulnerability does not apply and this advisory is informational.
Acknowledgments
Chris Green at Splunk
Danylo Dmytriiev (DDV_UA)
Anton (therceman)
Changelog
2022-07-18: Replaced “Note that the attack is browser-based and an attacker cannot exploit it at will.” with “The vulnerability is browser-based and is not exploitable at will. It requires the attacker to initiate a request within the victim’s browser (e.g., phishing) or compromise an authorized user’s account”