Skip to main content

SPLUNK / PRODUCT SECURITY / SVD-2022-1111

Remote Code Execution through dashboard PDF generation component in Splunk Enterprise

Advisory ID: SVD-2022-1111

Published: 2022-11-02

CVSSv3.1 Score: 8.8, High

CWE: CWE-94

CVE ID: CVE-2022-43571

Last Update: 2022-11-02

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Bug ID: SPL-228720

Description

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.

Solution

For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.

For Splunk Cloud Platform versions below 9.0.2209, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you're running, then create a new support case.

Product Status

ProductVersionComponentAffected VersionFixed Version
Splunk Enterprise8.1-8.1.11 and lower8.1.12
Splunk Enterprise8.2-
8.2.0 to 8.2.88.2.9
Splunk Enterprise9.0-
9.0.0 to 9.0.19.0.2
Splunk Cloud Platform--
9.0.2208 and lower9.0.2209

Mitigations and Workarounds

None

Detections

Splunk Code Injection via custom dashboard leading to RCE

This detection search provides information about a vulnerability in Splunk Enterprise versions below 8.1.12, 8.2.9, 9.0.2209 and  9.0.2  where an authenticated user can execute arbitrary code remotely through the dashboard PDF generation component.

Severity 

Splunk rates the vulnerability as High, 8.8, with a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires user access to create a dashboard.

Acknowledgments

Danylo Dmytriiev (DDV_UA)

Questions? Submit your question to Splunk Support.