
Splunk Enterprise deployment servers allow client publishing of forwarder bundles

Advisory ID: SVD-2022-0608

Published: 2022-06-14

CVSSv3.1 Score: 9.0, Critical

CWE: CWE-284

CSAF: 2022-06-16-svd-2022-0608

CVE ID: CVE-2022-32158

Last Update: 2022-06-16

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Bug ID: SPL-176829

 

Description

Splunk Enterprise deployment servers in versions before 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker who compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.

The Splunk Cloud Platform (SCP) does not offer or use deployment servers and is not affected by the vulnerability. For SCP customers that run deployment servers, upgrade to version 9.0 or higher. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.

 

Solution

Upgrade Splunk Enterprise deployment servers to version 9.0 or higher.

 

Product Status

Product: Splunk Enterprise

Affected Versions: Versions before 9.0
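A triage helper for this advisory, added here as an example and not Splunk's own code: it flags only deployment servers reporting a version before 9.0, because, as the changelog notes, upgrading Universal Forwarders alone does not remediate CVE-2022-32158. The inventory format, host names and version values are constructed assumptions.

```python
"""Triage helper for SVD-2022-0608 / CVE-2022-32158 (added example, not Splunk code).

Given a constructed inventory of Splunk hosts (role + version string), report
which hosts still need action. Per the advisory, only deployment servers running
a version before 9.0 are affected; upgrading Universal Forwarders alone does not
remediate the issue. The inventory format and host names are assumptions."""

from __future__ import annotations

AFFECTED_ROLE = "deployment_server"
FIXED_VERSION = (9, 0)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a Splunk version string such as '8.2.6' or '9.0.0.1' into a tuple
    of integers so versions compare numerically rather than lexically
    ('8.10' must sort above '8.9')."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Splunk version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(role: str, version: str) -> bool:
    """True when this host is a deployment server older than 9.0."""
    if role != AFFECTED_ROLE:
        return False  # forwarders, indexers etc. are not the vulnerable component
    return parse_version(version)[:2] < FIXED_VERSION


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Split an inventory into hosts that still need upgrading and hosts that
    need no action. Each entry: {"host": ..., "role": ..., "version": ...}."""
    result: dict[str, list[str]] = {"upgrade_required": [], "no_action": []}
    for item in inventory:
        bucket = "upgrade_required" if is_affected(item["role"], item["version"]) else "no_action"
        result[bucket].append(item["host"])
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ds01.example.internal", "role": "deployment_server", "version": "8.2.6"},
    {"host": "ds02.example.internal", "role": "deployment_server", "version": "9.0.0"},
    {"host": "ds03.example.internal", "role": "deployment_server", "version": "8.10.1"},
    {"host": "uf-web01.example.internal", "role": "universal_forwarder", "version": "8.1.3"},
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```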

 

Acknowledgments

Nadim Taha at Splunk

 

Changelog

2022-06-14: Changed Solution from "Upgrade Splunk Enterprise deployment servers to version 9.0 or higher, upgrade Universal Forwarders to version 9.0 or higher, and Configure authentication for deployment servers and clients." to "Upgrade Splunk Enterprise deployment servers to version 9.0 or higher". Remediation only requires updating the Splunk Enterprise deployment servers to 9.0. Updating the Universal Forwarders does not remediate or mitigate CVE-2022-32158.

2022-06-16: Removed the "Security Content" link.