Advisory ID: SVD-2022-1107
CVSSv3.1 Score: 8.8, High
CVE ID: CVE-2022-43567
Last Update: 2022-11-02
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Bug ID: SPL-226837
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.
For Splunk Enterprise, upgrade to version 8.1.12, 8.2.9, 9.0.2, or higher.
For Splunk Cloud Platform versions below 9.0.2205, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you're running, then create a new support case.
| Product | Version | Component | Affected Version | Fixed Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Secure Gateway | 8.1.11 and lower | 8.1.12 |
| Splunk Enterprise | 8.2 | Splunk Secure Gateway | 8.2.0 to 8.2.8 | 8.2.9 |
| Splunk Enterprise | 9.0 | Splunk Secure Gateway | 9.0.0 to 9.0.1 | 9.0.2 |
| Splunk Cloud Platform | - | Splunk Secure Gateway | 9.0.2203.4 and lower | 9.0.2205 |
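To check a deployment's reported version against the matrix above, the following is an added Python example, not Splunk's own tooling. It assumes the version string format returned by `splunk version` or the server/info REST endpoint, and it assumes release lines newer than 9.0 already ship the fix, since 9.0 is the newest line the advisory lists.

```python
"""Check a Splunk version against the SVD-2022-1107 / CVE-2022-43567 matrix.
Added example, not Splunk tooling. Assumes version strings as reported by
`splunk version` or /services/server/info (e.g. "8.2.7", "9.0.2203.4")."""
import re

# Fixed build per affected release line, from the advisory table.
FIXED_ENTERPRISE = {(8, 1): (8, 1, 12), (8, 2): (8, 2, 9), (9, 0): (9, 0, 2)}
FIXED_CLOUD = (9, 0, 2205)

def parse_version(text):
    """Turn '8.2.7' or '9.0.2203.4' into an int tuple; trailing build tags are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(version, product="enterprise"):
    """True if `version` falls inside an affected range of the advisory."""
    v = parse_version(version)
    if product == "cloud":
        # "9.0.2203.4 and lower" is affected; 9.0.2205 and higher carry the fix.
        return v < FIXED_CLOUD
    line = v[:2]
    if line in FIXED_ENTERPRISE:
        # Within a listed line, anything below that line's fixed build is affected.
        return v < FIXED_ENTERPRISE[line]
    # The 8.1 row reads "8.1.11 and lower", so older release lines count as
    # affected; lines newer than 9.0 are assumed to ship the fix, since 9.0
    # is the newest line the advisory lists.
    return line < (8, 1)

def fixed_version_for(version, product="enterprise"):
    """Return the version string to upgrade to, or None if not affected."""
    if not is_affected(version, product):
        return None
    if product == "cloud":
        return ".".join(map(str, FIXED_CLOUD))
    line = parse_version(version)[:2]
    # Lines older than 8.1 have no patched build of their own; 8.1.12 is the
    # lowest fixed version the advisory names.
    return ".".join(map(str, FIXED_ENTERPRISE.get(line, (8, 1, 12))))
```

Comparison is done on integer tuples, so the four-part Splunk Cloud build numbers sort correctly against the three-part fixed version.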
Mitigations and Workarounds
The vulnerability requires access to the Splunk Secure Gateway app. Removing, disabling, or uninstalling the app or restricting access to the app to administrators remediates the vulnerability. For more information on managing apps, see Manage app and add-on objects.
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
This detection search provides information on possible exploitation attempts against the Splunk Secure Gateway App Mobile Alerts feature.
Splunk rates the vulnerability as High, 8.8, with a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability lets a remote authenticated user execute arbitrary code on the server. If you removed the Splunk Secure Gateway app or restricted access to the app to administrators, there is no impact and the severity is Informational.
Danylo Dmytriiev (DDV_UA)