Splunk 4.1.7 addresses five security vulnerabilities

Advisory ID: SP-CAAAFW6

CVE ID: -

Published: 2011-02-10

Last Update: 2011-2-10

CVSSv3.1 Score: -

CVSSv3.1 Vector: -

CWE: -

Bug ID: SPL-34355, SPL-35709, SPL-35710, SPL-37226, SPL-37227

Description

Splunk 4.1.7 addresses five vulnerabilities:

  • Reflective XSS with Splunk Web and IE 6 (SPL-34355)
  • Reflective XSS with Splunk Web Modules (SPL-35709)
  • CRLF Injection with Splunk Web (SPL-35710)
  • Reflective XSS with Splunk Web Manager (SPL-37226)
  • Reflective XSS with Splunk Web Manager (SPL-37227)

For SPL-34355, please note that only users accessing Splunk Web with Internet Explorer 6 are vulnerable to attacks exploiting this vulnerability.

At the time of this announcement, Splunk is not aware of any cases where any of these vulnerabilities have been exploited. Splunk recommends that customers upgrade any instances of Splunk running Splunk Web, such as index and search servers, to the latest maintenance release as soon as possible.

Splunk also recommends that you apply as many components of the Splunk Hardening Standards as possible to mitigate the risk and impact of exploitation.

Products and Components Affected

Security vulnerabilities addressed by this maintenance release affect the following versions of Splunk running the Splunk Web component:

  • Splunk 4.0 through 4.1.6

Security vulnerabilities addressed by this maintenance release affect the Splunk Web component of the Splunk server software. Splunk Web refers to the web server used to deliver the Splunk user interface to the client browser. By default, Splunk light forwarders disable Splunk Web and are not affected.

Upgrades

Splunk recommends that all vulnerable instances of Splunk running the Splunk Web component be updated to the latest maintenance release.

Splunk Version | Recommendation
4.0 to 4.1.6 | Upgrade to the latest maintenance release

Splunk releases are cumulative: releases posted after the ones we are posting today will contain the fixes for these vulnerabilities as well as new features and fixes for other bugs and flaws.

Vulnerability Descriptions and Ratings

The following are descriptions and ratings for vulnerabilities that are fixed in the newest maintenance releases. Descriptions and ratings for previous security fixes can be found in previous Product Security Announcements on our Product Security Portal.

SPL numbers are to be used in communication with Splunk to address specific vulnerabilities. If there is no CVE listed with the vulnerability, the CVE will be added as it is posted.

Reflective XSS with Splunk Web and IE 6 (SPL-34355)

Description: Splunk Web is vulnerable to a reflective XSS with Internet Explorer 6. The vulnerability exists only in Internet Explorer 6 due to the browser’s content sniffing functionality, causing the browser to ignore the content-type specified by Splunk Web in responses to client requests. An attacker could trick a user into clicking a specially crafted link that could disclose a valid Splunk session key to the attacker.

Versions Affected: Splunk 4.0.0 - 4.1.6

CVSS Severity (version 2.0):

CVSS Base Score 4.6

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 3.9

CVSS Version 2 Metrics

  • Access Vector: Network
  • Access Complexity: High
  • Authentication: Single instance
  • Impact Type:
    • Allows partial confidentiality, integrity and availability violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest maintenance release supplied by Splunk.
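The content-sniffing failure described for SPL-34355 can be contained on the server side by making non-HTML bodies inert even when a browser ignores the declared content type. The following is an added example, not code from this advisory or from Splunk; the function names and the sample value are constructed for illustration.

```python
import json

# JSON-escaped forms of the characters an HTML parser treats as markup.
# In serialized JSON these characters can only occur inside string
# values, so replacing them with \uXXXX escapes keeps the JSON valid.
_HTML_SIGNIFICANT = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "'": "\\u0027",
}


def sniff_safe_json(obj):
    """Serialize obj so the body contains no raw HTML metacharacters.

    If a browser sniffs the body and renders it as HTML despite the
    Content-Type header, reflected input cannot open a tag or entity.
    """
    text = json.dumps(obj, ensure_ascii=True)
    for char, escaped in _HTML_SIGNIFICANT.items():
        text = text.replace(char, escaped)
    return text


def json_response(obj):
    """Return (headers, body) for a JSON reply that reflects user input."""
    body = sniff_safe_json(obj).encode("ascii")
    headers = [
        ("Content-Type", "application/json; charset=utf-8"),
        # Honoured by Internet Explorer 8 and later; Internet Explorer 6
        # ignores it, so the output encoding above is the effective control.
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body))),
    ]
    return headers, body


if __name__ == "__main__":
    # Constructed sample: a request parameter echoed back in a JSON reply.
    reflected = {"q": "<b>bold</b> & 'quoted'", "n": 3}
    for name, value in json_response(reflected)[0]:
        print(f"{name}: {value}")
    print(sniff_safe_json(reflected))
```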

Reflective XSS with Splunk Web Modules (SPL-35709)

Description: Several Splunk Web Modules endpoints are vulnerable to reflective XSS. An attacker could trick a user into clicking a specially crafted link that could disclose a valid Splunk session key to the attacker.

Versions Affected: Splunk 4.0.0 - 4.1.6

CVSS Severity (version 2.0):

CVSS Base Score 6.0

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 6.8

CVSS Version 2 Metrics

  • Access Vector: Network
  • Access Complexity: High
  • Authentication: Single instance
  • Impact Type:
    • Allows partial confidentiality, integrity and availability violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest maintenance release supplied by Splunk.

CRLF Injection with Splunk Web (SPL-35710)

Description: A Splunk Web endpoint is vulnerable to CRLF Injection. An attacker could trick a user into clicking a specially crafted link that could disclose a valid Splunk session key to the attacker.

Versions Affected: Splunk 4.0.0 - 4.1.6

CVSS Severity (version 2.0):

CVSS Base Score 4.6

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 3.9

CVSS Version 2 Metrics

  • Access Vector: Network
  • Access Complexity: High
  • Authentication: Single instance
  • Impact Type:
    • Allows partial confidentiality, integrity and availability violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest maintenance release supplied by Splunk.
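For instances that cannot be upgraded immediately, web access logs can be reviewed for links of the kind SPL-35710 describes. The following is an added example, not code from this advisory or from Splunk; it assumes a common-log-style request field, and the paths, the `return_to` parameter and the log lines are constructed.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # also catches double and triple percent-encoding

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def decoded_forms(value):
    """Yield value, then each successive percent-decoding until stable."""
    current = value
    yield current
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return
        current = decoded
        yield current


def has_crlf(value):
    """True if any decoding of value contains a carriage return or line feed."""
    return any("\r" in form or "\n" in form for form in decoded_forms(value))


def flag_crlf_requests(log_lines):
    """Return (line_number, uri) for requests whose URI decodes to CR/LF."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match and has_crlf(match.group("uri")):
            hits.append((number, match.group("uri")))
    return hits


# Constructed log lines; the endpoint and parameter are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - admin [10/Feb/2011:10:00:01 +0000] '
    '"GET /en-US/example/page?return_to=%2Fen-US%2Fhome HTTP/1.1" 200 512',
    '10.0.0.9 - admin [10/Feb/2011:10:00:07 +0000] '
    '"GET /en-US/example/page?return_to=home%0d%0aX-Test:%201 HTTP/1.1" 302 0',
    '10.0.0.9 - admin [10/Feb/2011:10:00:09 +0000] '
    '"GET /en-US/example/page?return_to=home%250D%250AX-Test:%201 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, uri in flag_crlf_requests(SAMPLE_LOG):
        print(f"line {number}: {uri}")
```

The same `has_crlf` check can be applied to any user-supplied value before it is written into a response header.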

Reflective XSS with Splunk Web Manager (SPL-37226)

Description: Splunk Web Manager is vulnerable to Reflective XSS due to improper HTML escaping of user provided data. An attacker could trick a user into clicking a specially crafted link that could disclose a valid Splunk session key to the attacker.

Versions Affected: Splunk 4.0.0 - 4.1.6

CVSS Severity (version 2.0):

CVSS Base Score 6

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 6.8

CVSS Version 2 Metrics

  • Access Vector: Network
  • Access Complexity: High
  • Authentication: Single instance
  • Impact Type:
    • Allows partial confidentiality, integrity and availability violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest maintenance release supplied by Splunk.

Credit:

  • Splunk would like to credit Rajiv Kumar from Symantec for reporting this vulnerability.

Reflective XSS with Splunk Web Manager (SPL-37227)

Description: Splunk Web Manager is vulnerable to Reflective XSS due to improper HTML escaping of user provided data. An attacker could trick a user into visiting a malicious website that could disclose a valid Splunk session key to the attacker.

Versions Affected: Splunk 4.0.0 - 4.1.6

CVSS Severity (version 2.0):

CVSS Base Score 4.9

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 3.9

CVSS Version 2 Metrics

  • Access Vector: Network
  • Access Complexity: High
  • Authentication: Single instance
  • Impact Type:
    • Allows partial confidentiality, integrity and availability violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest maintenance release supplied by Splunk.

Credit:

  • Splunk would like to credit Rajiv Kumar from Symantec for reporting this vulnerability.

Document History

  • 2011-February-10: Rev 1. Initial Release