Splunk 5.0.3 addresses multiple vulnerabilities

Description

Splunk version 5.0.3 addresses the following vulnerabilities:

• Reflected XSS in Splunk Web (SPL-59895, CVE-2012-6447)
• Unquoted Service Path in Universal Forwarder on Windows (SPL-60250, CVE-2013-6773)
• Plaintext Recovery Attack and DoS in OpenSSL 0.9.8x (SPL-61546, CVE-2013-0169, CVE-2013-0166)

At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. SPL numbers are to be used in communication with Splunk to address specifics. If there is no CVE Identifier listed with the vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2.

Affected Products and Components

Security vulnerability addressed by this maintenance release affect the following versions and components:

• SPL-59895 : Splunk 5.0.0 - 5.0.2
• SPL-60250 : Splunk Universal Forwarder 5.0.0 - 5.0.2 for Windows
• SPL-61546: Splunk 5.0.0 - 5.0.2

Mitigation and Upgrades

To mitigate these issues, Splunk recommends upgrading to the latest release and applying as many of the Hardening Standards from Securing Splunk documentation as relevant to your environment. Splunk releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes.

Credit

Splunk would like to thank and credit the security teams of the reporting parties with the Responsible Disclosure of these issues. Contact us to add names or details.

Vulnerability Descriptions and Ratings

Reflected XSS in Splunk Web (SPL-59895, CVE-2012-6447)

Description: A reflected cross-site scripting vulnerability was identified in Splunk Web. While this does not have direct impact on the Splunk server, an attacker could trick an authenticated Splunk Web user into clicking a maliciously crafted link, enabling the attacker to execute arbitrary script code in the client’s browser.

Severity rating: When appropriate, Splunk uses Common Vulnerability Scoring System version 2 to standardize calculation of severity scores for each vulnerability.

CVSS Severity (version 2.0):

CVSS Base Score 2.9

CVSS Impact Subscore 2.9

CVSS Exploitability Subscore 5.5

Overall CVSS Score 3.5

Credit: Splunk would like to credit and thank the Groupon Security team for Responsible Disclosure of this vulnerability.

Unquoted Service Path in Windows for Universal Forwarder (SPL-60250, CVE-2013-6773)

Description: Universal Forwarder installs on Windows without properly quoting the service path, allowing local attacker to escalate privileges by inserting a malicious executable in the path of the affected service.

CVSS Severity (version 2.0):

CVSS Base Score 1.5

CVSS Impact Subscore 2.9

CVSS Exploitability Subscore 2.7

Overall CVSS Score 1.6

Plaintext Recovery Attack and DoS in OpenSSL 0.9.8.x (SPL-61546, CVE-2013-0169, CVE-2013-0166)

Description: Multiple issues have been identified in the version of OpenSSL included in Splunk 5.x, such as SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169) and OCSP invalid key DoS issue (CVE-2013-0166). These issues are patched in the updated version of OpenSSL 0.9.8y included in Splunk 5.0.3

Severity rating: When appropriate, Splunk uses Common Vulnerability Scoring System version 2 to standardize calculation of severity scores for each vulnerability.

CVSS Severity (version 2.0):

Overall CVSS Score for CVE-2013-0166 5

Overall CVSS Score for CVE-2013-0169 2.9

Document History

• 2013-May-28: Rev 1. Initial Release