Splunk 4.3.5 and 5.0 address three vulnerabilities - November 16th, 2012

Description

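Splunk versions 4.3.5 and 5.0 address three vulnerabilities:

  • Reflected XSS in SplunkWeb with non-RFC compliant browser (SPL-50671)
  • Reflected XSS in Splunk Web (SPL-55157)
  • Denial of Service in Splunkd (SPL-55521)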

At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been exploited. Splunk recommends that customers upgrade any instances of Splunk to the latest release as soon as possible.

Splunk also recommends that you apply as many components of the Splunk Hardening Standards as possible to mitigate the risk and impact of exploitation.

Products and Components Affected

Security vulnerabilities addressed by this maintenance release affect the following versions of Splunk running Splunk Web:

Security vulnerabilities addressed by this maintenance release affect the following versions of Splunkd:

Both SPL-50671 and SPL-55157 affect the Splunk Web component of the Splunk server software. Splunk Web refers to the web server used to deliver the Splunk user interface to the client browser.

SPL-55521 affects versions of Splunkd configured to accept splunktcp inputs. splunktcp inputs are not enabled by default.

Upgrades

Splunk recommends that all vulnerable instances of Splunk be updated to the latest release.


Splunk Version       Recommendation
4.0 through 4.3.4    Upgrade to the latest release supplied by Splunk.

Splunk releases are cumulative: releases posted after those announced today will contain the fixes for these vulnerabilities as well as new features and fixes for other bugs and flaws.

Credit

For SPL-55157, Splunk would like to credit Commonwealth Bank of Australia's CBAcert team with the responsible disclosure of this issue.

For SPL-55521, Splunk would like to credit Alexander Klink of n.runs AG with the responsible disclosure of this issue.

Vulnerability Descriptions and Ratings

The following are descriptions and ratings for vulnerabilities that are fixed in the newest maintenance releases. Descriptions and ratings for previous security fixes can be found in previous Product Security Announcements on our Product Security Portal.

SPL numbers are to be used in communication with Splunk to address specific vulnerabilities. If there is no CVE listed with the vulnerability, the CVE will be added as it is posted.

Reflected XSS in SplunkWeb with non-RFC compliant browser (SPL-50671)

Description: A reflected cross-site scripting vulnerability was identified in Splunk Web. An attacker could trick a user into clicking a specially crafted link that would enable the attacker to execute JavaScript on the client. Note that this vulnerability only applies to non-RFC compliant browsers.

Versions Affected: Splunk 4.0 - 4.3.4

CVSS Severity (version 2.0):

CVSS Base Score 3.6
CVSS Impact Subscore 4.9
CVSS Exploitability Subscore 3.9

CVSS Version 2 Metrics

  • Access Vector: Network
  • Access Complexity: High
  • Authentication: Single instance
  • Impact Type:
    • Allows partial confidentiality and integrity violation
  • Exploitability: Unproven that exploit exists
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest release supplied by Splunk.

Reflected XSS in Splunk Web (SPL-55157)

Description: A reflected cross-site scripting vulnerability was identified in Splunk Web. An attacker could trick a user into clicking a specially crafted link that would enable the attacker to execute JavaScript on the client.

Versions Affected: Splunk 4.2 - 4.3.4

Credit: Splunk would like to credit Commonwealth Bank of Australia's CBAcert team with the responsible disclosure of this issue.

CVSS Severity (version 2.0):

CVSS Base Score 5.5
CVSS Impact Subscore 4.9
CVSS Exploitability Subscore 8.0

CVSS Version 2 Metrics

  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Impact Type:
    • Allows partial confidentiality and integrity violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest release supplied by Splunk.

Denial of Service in Splunkd (SPL-55521)

Description: A denial of service vulnerability was identified in splunktcp inputs. An attacker could send a specially crafted payload to instances of Splunk configured to accept splunktcp inputs which would cause a denial of service in the Splunkd daemon. splunktcp inputs are not enabled by default.

Versions Affected: Splunk 4.0 - 4.3.4

Credit: Splunk would like to credit Alexander Klink of n.runs AG with the responsible disclosure of this issue.

CVSS Severity (version 2.0):

CVSS Base Score 5.7
CVSS Impact Subscore 6.9
CVSS Exploitability Subscore 5.5

CVSS Version 2 Metrics

  • Access Vector: Adjacent Network
  • Access Complexity: Medium
  • Authentication: None
  • Impact Type:
    • Allows full availability violation
  • Exploitability: Proof of concept code
  • Remediation Level: Official fix
  • Report Confidence: Confirmed

Mitigation and Remediation:

  • Splunk recommends upgrading to the latest release supplied by Splunk.
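
A triage check for the conditions this advisory states, added here as an example and not Splunk's own code: it maps a Splunk version and the text of an inputs.conf to the SPL numbers that apply to that instance. The function names, the sample configuration, and the choices to count splunktcp-ssl stanzas and to honor disabled = 1/true are assumptions.

```python
import re

# Affected ranges exactly as stated in the advisory: first and last affected release.
AFFECTED = {
    "SPL-50671": ((4, 0, 0), (4, 3, 4)),  # reflected XSS, Splunk Web
    "SPL-55157": ((4, 2, 0), (4, 3, 4)),  # reflected XSS, Splunk Web
    "SPL-55521": ((4, 0, 0), (4, 3, 4)),  # DoS, splunkd with splunktcp inputs
}
STANZA = re.compile(r"^\s*\[([^\]]+)\]\s*$")
SETTING = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse_version(text):
    """Turn '4.3.4' (or 'Splunk 4.3.4 build ...') into a 3-part tuple."""
    digits = re.search(r"\d+(?:\.\d+)+", text).group(0).split(".")
    return tuple(int(d) for d in (digits + ["0", "0"])[:3])

def splunktcp_inputs(inputs_conf):
    """Return the enabled splunktcp input stanzas in inputs.conf text."""
    stanzas, current = {}, None
    for line in inputs_conf.splitlines():
        if (m := STANZA.match(line)):
            current = stanzas.setdefault(m.group(1).strip(), {})
        elif current is not None and (m := SETTING.match(line)):
            current[m.group(1).lower()] = m.group(2).lower()
    # Assumption: the TLS variant (splunktcp-ssl) is counted as well, and a
    # stanza with disabled = 1/true is treated as not listening.
    return [name for name, kv in stanzas.items()
            if re.match(r"splunktcp(-ssl)?:", name)
            and kv.get("disabled", "0") not in ("1", "true")]

def triage(version_text, inputs_conf, splunk_web=True):
    """List the SPL ids from the advisory that apply to this instance."""
    version, listeners = parse_version(version_text), splunktcp_inputs(inputs_conf)
    hits = []
    for spl, (low, high) in AFFECTED.items():
        # SPL-55521 needs a splunktcp input; the XSS issues need Splunk Web.
        needs = listeners if spl == "SPL-55521" else splunk_web
        if low <= version <= high and needs:
            hits.append(spl)
    return hits, listeners

# Constructed sample inputs.conf, not taken from a real deployment.
SAMPLE_INPUTS = """\
[splunktcp://9997]
connection_host = ip
[splunktcp-ssl:9998]
disabled = 1
[monitor:///var/log/messages]
"""
```

inputs.conf settings are layered across several directories, so run the check on the merged view (for example the output of splunk cmd btool inputs list) rather than on a single file.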