
Indexing blockage via malformed data sent through S2S or HEC protocols in Splunk Enterprise

Advisory ID: SVD-2022-1112

Published: 2022-11-02

CVSSv3.1 Score: 7.5 (High)

CWE: CWE-400

CVE ID: CVE-2022-43572

Last Update: 2022-11-02

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Bug ID: SPL-224974

Description

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, sending a malformed file through the Splunk-to-Splunk (S2S) or HTTP Event Collector (HEC) protocols to an indexer results in a blockage or denial-of-service preventing further indexing.

Solution

For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.

For Splunk Cloud Platform versions below 9.0.2211, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you're running, then create a new support case.

Product Status

Product | Version | Component | Affected Version | Fixed Version
Splunk Enterprise | 8.1 | Indexing | 8.1.11 and lower | 8.1.12
Splunk Enterprise | 8.2 | Indexing | 8.2.0 to 8.2.8 | 8.2.9
Splunk Enterprise | 9.0 | Indexing | 9.0.0 to 9.0.1 | 9.0.2
Splunk Cloud Platform | - | Indexing | 9.0.2209 and lower | 9.0.2211

Mitigations and Workarounds

Configuring Splunk indexing and forwarding to use TLS certificates partially mitigates the vulnerability and increases the complexity of exploiting it, which reduces the severity to Medium.
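The following is an added illustration, not configuration from the advisory or from Splunk, of what that mitigation looks like in the .conf files: the indexer accepts S2S only on a splunktcp-ssl listener and requires client certificates, HEC is served over TLS with client certificates required, and the forwarder verifies the indexer's certificate. Certificate paths, the hostname idx1.example.internal and the key password are placeholders; Splunk .conf files do not support trailing inline comments, so every comment is on its own line.

```ini
# Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf (example, placeholder paths)
# Only the TLS S2S listener is defined; no plain [splunktcp://9997] stanza exists.
[splunktcp-ssl:9997]
disabled = 0

# Forwarders must present a certificate chained to the CA in server.conf.
[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = <PEM-key-password>
requireClientCert = true
sslVersions = tls1.2

# HEC listener: TLS on, client certificate required in addition to the token.
[http]
disabled = 0
enableSSL = 1
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = <PEM-key-password>
requireClientCert = true

# Indexer and forwarder: $SPLUNK_HOME/etc/system/local/server.conf
# CA chain used to validate peer certificates on both sides.
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca.pem

# Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf (example)
[tcpout]
defaultGroup = tls_indexers

# Forwarder authenticates with its own certificate and checks the indexer's.
[tcpout:tls_indexers]
server = idx1.example.internal:9997
clientCert = /opt/splunkforwarder/etc/auth/mycerts/forwarder.pem
sslPassword = <PEM-key-password>
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal
```

With this in place an unauthenticated sender can no longer reach the S2S or HEC parsers at all, which is the preparation cost the Severity section describes; it does not remove the defect, so the upgrade in the Solution section is still required.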

Detections

None

Severity

Splunk rates the vulnerability as High, 7.5, with a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

If you have configured Splunk indexing and forwarding to use TLS certificates, the vulnerability requires compromise of a HEC token, a pass4SymmKey, a universal forwarder or client private certificate (when enabled), or a certificate authority certificate chain. These requirements increase the complexity of the attack and prevent an attacker from exploiting the vulnerability without a meaningful amount of preparation, reducing the severity to Medium, 5.9, with a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.

Questions? Submit your question to Splunk Support.