Advisory ID: SVD-2022-1112
CVSSv3.1 Score: 7.5, High
CVE ID: CVE-2022-43572
Last Update: 2022-11-02
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Bug ID: SPL-224974
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, sending a malformed file through the Splunk-to-Splunk (S2S) or HTTP Event Collector (HEC) protocols to an indexer causes a blockage, a denial of service in which the indexer stops processing further data.
For Splunk Enterprise, upgrade to 8.1.12, 8.2.9, 9.0.2, or higher.
For Splunk Cloud Platform versions below 9.0.2211, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you're running, then create a new support case.
| Product | Version | Component | Affected Version | Fixed Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Indexing | 8.1.11 and lower | 8.1.12 |
| Splunk Enterprise | 8.2 | Indexing | 8.2.0 to 8.2.8 | 8.2.9 |
| Splunk Enterprise | 9.0 | Indexing | 9.0.0 to 9.0.1 | 9.0.2 |
| Splunk Cloud Platform | - | Indexing | 9.0.2209 and lower | 9.0.2211 |
Mitigations and Workarounds
Configuring Splunk indexing and forwarding to use TLS certificates partially mitigates the vulnerability: it raises the attack complexity, which reduces the severity to Medium.
Splunk rates the vulnerability as High, 7.5, with a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
If you have configured Splunk indexing and forwarding to use TLS certificates, exploiting the vulnerability requires compromise of a HEC token, a pass4SymmKey, a universal forwarder or client private certificate (when client certificates are enabled), or a certificate authority certificate chain. These requirements increase the complexity of the attack and prevent an attacker from exploiting the vulnerability without a meaningful amount of preparation, reducing the severity to Medium, 5.9, with a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.
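The two ratings above differ only in the Attack Complexity metric (AC:L versus AC:H). The following Python script, an added example and not Splunk's code, does two things a practitioner would want to check: it audits a constructed indexer inputs.conf for the settings the advisory relies on (plaintext `[splunktcp:<port>]` S2S inputs, HEC with `enableSSL = 0`, and `requireClientCert` missing from the `[SSL]` stanza), and it recomputes the CVSS 3.1 base score from the advisory's own vectors to show why the mitigated case lands at 5.9. The sample conf text, certificate paths, password and HEC token are constructed placeholders, not Splunk defaults; the audit rules are an assumption about what "configured to use TLS certificates" means in practice and are not an official Splunk check.

```python
"""Audit a Splunk indexer inputs.conf for the TLS settings named in SVD-2022-1112
and recompute the CVSS 3.1 base scores the advisory quotes.

Added example, not Splunk code. Conf text, paths, password and token below are
constructed placeholders."""
import configparser
import math
from typing import List

# CVSS 3.1 metric weights (specification section 7.4), scope-unchanged values.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x: float) -> float:
    """CVSS 3.1 Roundup(): round up to one decimal without float artefacts."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base(vector: str) -> float:
    """Base score for a scope-unchanged (S:U) CVSS:3.1 vector string."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    if m["S"] != "U":
        raise ValueError("only S:U vectors are handled; both advisory vectors are S:U")
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 6.42 * iss
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]] * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))


def audit_inputs_conf(text: str) -> List[str]:
    """Return findings for inputs that leave S2S or HEC reachable without TLS.

    The rules are an assumption about what the advisory's mitigation requires,
    not an official Splunk check."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive (requireClientCert)
    cp.read_string(text)
    findings = []

    def enabled(section: str) -> bool:
        return cp.get(section, "disabled", fallback="0").strip().lower() not in ("1", "true")

    for s in cp.sections():
        if s.startswith("splunktcp:") and enabled(s):
            findings.append(f"[{s}] accepts plaintext S2S; use a splunktcp-ssl stanza")
    if any(s.startswith("splunktcp-ssl:") and enabled(s) for s in cp.sections()):
        if cp.get("SSL", "requireClientCert", fallback="false").strip().lower() != "true":
            findings.append("[SSL] requireClientCert is not true; any peer trusting the CA can speak S2S")
    if cp.has_section("http") and enabled("http"):
        if cp.get("http", "enableSSL", fallback="1").strip().lower() in ("0", "false"):
            findings.append("[http] enableSSL = 0; HEC accepts plaintext")
    return findings


def residual_score(inputs_conf: str) -> float:
    """Advisory rating for this config: AC:H (5.9) if the audit passes, else AC:L (7.5)."""
    ac = "H" if not audit_inputs_conf(inputs_conf) else "L"
    return cvss31_base(f"CVSS:3.1/AV:N/AC:{ac}/PR:N/UI:N/S:U/C:N/I:N/A:H")


# Constructed sample: plaintext S2S and HEC (the unmitigated case).
WEAK_INPUTS = """
[splunktcp:9997]
disabled = 0

[http]
disabled = 0
enableSSL = 0
port = 8088

[http://app_logs]
token = 00000000-0000-0000-0000-000000000000
"""

# Constructed sample: TLS with client certificates on S2S, TLS on HEC.
# Paths, password and token are placeholders.
HARDENED_INPUTS = """
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = changeme
requireClientCert = true
sslVersions = tls1.2

[http]
disabled = 0
enableSSL = 1
port = 8088
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = changeme
requireClientCert = true

[http://app_logs]
token = 00000000-0000-0000-0000-000000000000
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_INPUTS), ("hardened", HARDENED_INPUTS)):
        print(name, residual_score(conf), audit_inputs_conf(conf))
```

The forwarder side (outputs.conf `clientCert`, `sslRootCAPath`, `sslVerifyServerCert`) is not audited here; the script only looks at what the indexer accepts, which is the surface the advisory describes.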