Splunk / Product Security / SVD-2022-0803

Malformed ZIP file crashes Universal Forwarders and Splunk Enterprise through file monitoring input

Advisory ID: SVD-2022-0803

Published: 2022-08-16

CVSSv3.1 Score: 5.5, Medium

CWE: CWE-409

CVE ID: CVE-2022-37439

Last Update: 2022-08-16

CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Bug ID: SPL-220982

Security Content: Splunk endpoint dos zip bomb vulnerability UF

Description

In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts to restart the application would result in a crash and would require manually removing the malformed file. The vulnerability does not affect Splunk Enterprise 9.0 or higher.


Solution

For Splunk Enterprise and Universal Forwarder customers, upgrade versions to 8.1.11, 8.2.7.1, or higher.


Product Status

ProductVersionComponentAffected VersionFixed Version
Universal Forwarders8.1Monitor Processor8.1.10 and lower8.1.11
Universal Forwarders8.2Monitor Processor8.2.0 to 8.2.78.2.7.1
Universal Forwarders9.0-Not affected-
Splunk Enterprise8.1Monitor Processor8.1.10 and lower8.1.11
Splunk Enterprise8.2Monitor Processor8.2.0 to 8.2.78.2.7.1
Splunk Enterprise9.0-Not affected-


Mitigations and Workarounds

None


Detection

Splunk endpoint DOS zip bomb vulnerability UF

This search lets an operator retroactively identify potential Splunk app crashes resulting from SVD-2022-0803. It is not possible to detect the attack before a crash using this method. The provided search indicates Universal Forwarder errors from uploaded binary or compressed ZIP files, which this attack uses. Consider any results from this search for further research to determine if a malformed ZIP file caused the crash (noting that the file extension might have been altered).


Severity

Splunk rates the vulnerability as Medium. The prerequisites require local privileged access to write to a monitored directory that is not restricted to the Splunk, system, or root user. Hence, Splunk rates the vulnerability as 5.5 with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.


If your Splunk Enterprise instance monitors only the default directories that the $SPLUNK_HOME/etc/system/default/inputs.conf configuration file defines, then the instance is not affected and the vulnerability is informational. In addition, the vulnerability is informational if the filesystem privileges required to write to the monitored directories are root, system or the Splunk user.


Acknowledgments

Tim Ip at Adobe and Collegiate Penetration Testing Competition (CPTC)