Skip to main content

SPLUNK / PRODUCT SECURITY / SVD-2022-1104

Denial of Service in Splunk Enterprise through search macros

Advisory ID: SVD-2022-1104

Published: 2022-11-02

CVSSv3.1 Score: 4.9, Medium

CWE: CWE-400

CVE ID: CVE-2022-43564

Last Update: 2022-11-23

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Bug ID: SPL-220964

Description

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user who can create search macros and schedule search reports can cause a denial of service through the use of specially crafted search macros.

Solution

For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, or higher.

For Splunk Cloud Platform versions below 9.0.2205, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you're running, then create a new support case.

Product Status

ProductVersionComponentAffected VersionFixed Version
Splunk Enterprise8.1REST API8.1.11 and lower8.1.12
Splunk Enterprise8.2REST API
8.2.0 to 8.2.88.2.9
Splunk Enterprise9.0REST API
Not affected-
Splunk Cloud Platform-REST API
9.0.2203.4 and lower9.0.2205

Mitigations and Workarounds

You can use a proxy to filter out requests to the `/services/search/parser` REST endpoint that include the option `ignore_parse_error=t`. You can either block these requests entirely or pass them through with that option removed. Other requests to the same endpoint do not cause the denial of service.

Detections

None

Severity 

Splunk rates the vulnerability as Medium, 4.9, with a CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H


Acknowledgements

Edmund Tran


Changelog

2022-11-23: Added Edmund Tran to Acknowledgements


Questions? Submit your question to Splunk Support.