Splunk Enterprise 6.3.3.4, 6.2.9, 6.1.10, 6.0.11, and 5.0.15 and Splunk Light 6.3.3.4 and 6.2.9 address multiple vulnerabilities

Description

Splunk Enterprise 6.3.3.4, 6.2.9, 6.1.10, 6.0.11, and 5.0.15 and Splunk Light 6.3.3.4 and 6.2.9 address multiple vulnerabilities. Splunk Enterprise 6.4.0 also addresses all vulnerabilities in this advisory. The inputcsv and outputcsv commands use a different working directory after these upgrades; review the migration notes before upgrading. To get the 6.3.3.4 patch for Splunk Enterprise or Splunk Light, see the accompanying blog post.

At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no Common Vulnerabilities and Exposures (CVE) identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2 (CVSS v2).

Affected Products and Components

  • Multiple vulnerabilities in OpenSSL including DROWN (CVE-2016-0800) (SPL-110363, SPL-115028, SPL-115027, SPL-115026, SPL-115025)
    • Affected Product Versions: Splunk Enterprise versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9, 6.1.x before 6.1.10, 6.0.x before 6.0.11, and 5.0.x. Splunk Light versions 6.3.x before 6.3.3.4 and 6.2.x before 6.2.9
    • Affected Components: All Splunk Enterprise components
  • Splunk Web Denial of Service via HTTP Header (SPL-102960, SPL-102961, SPL-102241, SPL-103926)
    • Affected Product Versions: Splunk Enterprise versions 6.2.x before 6.2.7, 6.1.x before 6.1.10, 6.0.x before 6.0.11, 5.0.x before 5.0.15. Splunk Light versions 6.2.x before 6.2.7
    • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Splunk Web Denial of Service via Malformed HTTP Requests (SPL-106804, SPL-106800, SPL-103822, SPL-106803, SPL-106805)
    • Affected Product Versions: Splunk Enterprise versions 6.3.x before 6.3.2, 6.2.x before 6.2.7, 6.1.x before 6.1.10, 6.0.x before 6.0.11, 5.0.x before 5.0.15. Splunk Light versions 6.3.x before 6.3.2, 6.2.x before 6.2.7
    • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Direct Object Access Vulnerability in Splunk Search (SPL-107199, SPL-107197, SPL-107196, SPL-107123, SPL-116567)
    • Affected Product Versions: Splunk Enterprise versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9, 6.1.x before 6.1.10, 6.0.x before 6.0.11, 5.0.x before 5.0.15. Splunk Light versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9
    • Affected Components: All Splunk Enterprise components running Splunk Web.
  • User TLS protocol selection not honored (SPL-108213, SPL-115292)
    • Affected Product Versions: Splunk Enterprise versions 6.0.x before 6.0.11, 5.0.x before 5.0.15
    • Affected Components: All Splunk Enterprise components.
  • Path traversal vulnerability in collect command (SPL-112516, SPL-112517, SPL-112518, SPL-112519, SPL-114842)
    • Affected Product Versions: Splunk Enterprise versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9, 6.1.x before 6.1.10, 6.0.x before 6.0.11, 5.0.x before 5.0.15. Splunk Light versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9
    • Affected Components: Indexers, Heavy Forwarders, Search Heads
  • Path traversal vulnerability in inputcsv and outputcsv commands (SPL-115074, SPL-115075, SPL-115076, SPL-115077, SPL-115217)
    • Affected Product Versions: Splunk Enterprise versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9, 6.1.x before 6.1.10, 6.0.x before 6.0.11, 5.0.x before 5.0.15. Splunk Light versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9
    • Affected Components: Indexers, Heavy Forwarders, Search Heads
  • Type confusion vulnerability in libxslt (CVE-2015-7995) (SPL-113082, SPL-113083, SPL-113084, SPL-113085, SPL-116566)
    • Affected Product Versions: Splunk Enterprise versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9, 6.1.x before 6.1.10, 6.0.x before 6.0.11, 5.0.x before 5.0.15. Splunk Light versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9
    • Affected Components: All Splunk Enterprise components.

Mitigation and Upgrades

To mitigate these issues, Splunk recommends upgrading to the latest release and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise and Splunk Light releases are cumulative: each later release contains the fixes for these vulnerabilities along with new features and other bug fixes.

Vulnerability Descriptions and Ratings

Multiple vulnerabilities in OpenSSL including DROWN (CVE-2016-0800) (SPL-110363, SPL-115028, SPL-115027, SPL-115026, SPL-115025)

Description: Splunk Enterprise versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9, 6.1.x before 6.1.10, 6.0.x before 6.0.11, and 5.0.x, and Splunk Light versions 6.3.x before 6.3.3.4 and 6.2.x before 6.2.9, are affected by multiple vulnerabilities in OpenSSL (1, 2, 3). The vulnerabilities covered by this advisory include the DROWN attack vulnerabilities. By default, Splunk Enterprise and Splunk Light disable the SSLv2 protocol for Splunk Web, splunkd, and indexing via the sslVersions keyword. Note that DROWN is a cross-protocol attack: disabling SSLv2 on Splunk itself does not protect a private key that is also used by another service which still accepts SSLv2.

Splunk Enterprise and Splunk Light 6.3.3.4 have been updated to use OpenSSL 1.0.2g. Splunk Enterprise and Splunk Light 6.2.9, Splunk Enterprise 6.1.10, and Splunk Enterprise 6.0.11 have been updated to use OpenSSL 1.0.1s. Splunk Enterprise 5.0.15 has been updated to use OpenSSL 0.9.8zh.

Notes: Splunk Enterprise 5.0.x will not be patched for OpenSSL issues (2, 3), including the DROWN attack vulnerabilities. Splunk recommends updating to the latest version of Splunk Enterprise.

Splunk Web Denial of Service via HTTP Header (SPL-102960, SPL-102961, SPL-102241, SPL-103926)

Description: Splunk Enterprise versions 6.2.x before 6.2.7, 6.1.x before 6.1.10, 6.0.x before 6.0.11, and 5.0.x before 5.0.15, and Splunk Light versions 6.2.x before 6.2.7, are affected by a denial of service condition when Splunk Web receives an HTTP request with a specific header.

CVSS Severity (version 2.0):

CVSS Base Score: 5.0
CVSS Impact Subscore: 2.9
CVSS Exploitability Subscore: 10.0
Overall CVSS Score: 5.0

Splunk Web Denial of Service via Malformed HTTP Requests (SPL-106804, SPL-106800, SPL-103822, SPL-106803, SPL-106805)

Description: Splunk Enterprise versions 6.3.x before 6.3.2, 6.2.x before 6.2.7, 6.1.x before 6.1.10, 6.0.x before 6.0.11, and 5.0.x before 5.0.15, and Splunk Light versions 6.3.x before 6.3.2 and 6.2.x before 6.2.7, are affected by a denial of service condition when Splunk Web receives a specially crafted HTTP request.

CVSS Severity (version 2.0):

CVSS Base Score: 5.0
CVSS Impact Subscore: 2.9
CVSS Exploitability Subscore: 10.0
Overall CVSS Score: 5.0

Direct Object Access Vulnerability in Splunk Search (SPL-107199, SPL-107197, SPL-107196, SPL-107123, SPL-116567)

Description: Splunk Enterprise versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9, 6.1.x before 6.1.10, 6.0.x before 6.0.11, and 5.0.x before 5.0.15, and Splunk Light versions 6.3.x before 6.3.3.4 and 6.2.x before 6.2.9, are affected by a direct object access vulnerability. The vulnerability permits an authenticated user to read search logs that the user is not authorized to view.

CVSS Severity (version 2.0):

CVSS Base Score: 4.0
CVSS Impact Subscore: 2.9
CVSS Exploitability Subscore: 8.0
Overall CVSS Score: 4.0

User TLS protocol selection not honored (SPL-108213, SPL-115292)

Description: Splunk Enterprise versions 6.0.x before 6.0.11 and 5.0.x before 5.0.15 failed to honor the sslVersions keyword that controls which TLS protocol versions are accepted. As a result, customers could not enforce a TLS protocol policy on these versions, even when the configuration appeared correct.

CVSS Severity (version 2.0):

CVSS Base Score: 4.3
CVSS Impact Subscore: 2.9
CVSS Exploitability Subscore: 8.6
Overall CVSS Score: 4.3
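Both the OpenSSL entry and the entry above hinge on the sslVersions keyword, so it is worth being able to read a configured value and say exactly which protocol versions it leaves enabled. The script below is an added example written for this page, not Splunk's code. It implements the sslVersions grammar as documented for the server.conf and web.conf settings (a comma-separated list; "*" selects every version, "tls" selects tls1.0 and newer, a leading "-" removes a version). Two assumptions are built in: the set of version names is the one in use in the 6.x era, and "*" is treated as including ssl2 so that a list without "-ssl2" is reported; the stanza names and values in SAMPLE_CONF are constructed.

```python
"""Audit sslVersions settings in Splunk-style .conf text.

Added example (editor's code, not Splunk's). Implements the documented
sslVersions grammar: a comma-separated list where "*" selects every
version, "tls" selects tls1.0 and newer, and a leading "-" removes a
version. Assumptions: KNOWN lists the version names of the 6.x era, and
"*" is taken to include ssl2 so that a value lacking "-ssl2" is flagged.
The stanza names and values in SAMPLE_CONF are constructed.
"""
import configparser
import io

# Protocol versions the keyword can name, oldest first (assumed set for this era).
KNOWN = ["ssl2", "ssl3", "tls1.0", "tls1.1", "tls1.2"]
# Versions a current policy would refuse; adjust to your own standard.
WEAK = {"ssl2", "ssl3", "tls1.0"}


def effective_versions(spec):
    """Expand an sslVersions value into the set of versions it enables."""
    enabled = set()
    for tok in (t.strip().lower() for t in spec.split(",")):
        if not tok:
            continue
        negate = tok.startswith("-")
        name = tok[1:] if negate else tok
        if name == "*":
            members = set(KNOWN)
        elif name == "tls":
            members = {v for v in KNOWN if v.startswith("tls")}
        elif name in KNOWN:
            members = {name}
        else:
            raise ValueError(f"unknown protocol token in sslVersions: {tok!r}")
        if negate:
            enabled -= members
        else:
            enabled |= members
    return enabled


def audit(conf_text):
    """Map each stanza that sets sslVersions to the weak versions it leaves enabled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names case-sensitive, as Splunk does
    cp.read_file(io.StringIO(conf_text))
    findings = {}
    for stanza in cp.sections():
        if cp.has_option(stanza, "sslVersions"):
            enabled = effective_versions(cp.get(stanza, "sslVersions"))
            findings[stanza] = sorted(enabled & WEAK, key=KNOWN.index)
    return findings


# Constructed sample: the first stanza mirrors the "*,-ssl2" default the
# advisory describes; the second shows a hardened TLS-1.2-only setting.
SAMPLE_CONF = """
[sslConfig]
sslVersions = *,-ssl2

[hardenedExample]
sslVersions = tls1.2
"""

if __name__ == "__main__":
    for stanza, weak in audit(SAMPLE_CONF).items():
        status = "OK" if not weak else "weak: " + ", ".join(weak)
        print(f"[{stanza}] {status}")
```

Feed it the contents of the relevant .conf files under $SPLUNK_HOME/etc (or the merged view from `splunk btool <conf> list`). On the 6.0.x and 5.0.x builds named in this entry the keyword was not honored at all, so a clean config audit is necessary but not sufficient there: confirm the live listeners with a TLS scanner as well.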

Path traversal vulnerability in collect command (SPL-112516, SPL-112517, SPL-112518, SPL-112519, SPL-114842)

Description: Splunk Enterprise versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9, 6.1.x before 6.1.10, 6.0.x before 6.0.11, and 5.0.x before 5.0.15, and Splunk Light versions 6.3.x before 6.3.3.4 and 6.2.x before 6.2.9, are affected by a path traversal vulnerability in the collect command. This vulnerability can permit an authenticated user to execute arbitrary code as the user running the splunkd process.

CVSS Severity (version 2.0):

CVSS Base Score: 8.7
CVSS Impact Subscore: 9.5
CVSS Exploitability Subscore: 8.0
Overall CVSS Score: 8.7

Path traversal vulnerability in inputcsv and outputcsv commands (SPL-115074, SPL-115075, SPL-115076, SPL-115077, SPL-115217)

Description: Splunk Enterprise versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9, 6.1.x before 6.1.10, 6.0.x before 6.0.11, and 5.0.x before 5.0.15, and Splunk Light versions 6.3.x before 6.3.3.4 and 6.2.x before 6.2.9, are affected by a path traversal vulnerability in the inputcsv and outputcsv commands. This vulnerability can permit an authenticated user to read and overwrite arbitrary paths. As part of updating, review the release notes regarding migration, since the working directory these commands use has changed.

Credits: Splunk would like to thank Franz G. Jahn of SySS GmbH for reporting this issue.

CVSS Severity (version 2.0):

CVSS Base Score: 6.5
CVSS Impact Subscore: 6.4
CVSS Exploitability Subscore: 8.0
Overall CVSS Score: 6.5
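The two path traversal entries above (collect, and inputcsv/outputcsv) belong to the same class of defect: a file name controlled by the search user is joined onto a fixed directory without confining the result. The following is an added example written for this page, not Splunk's code, and it does not claim to show how Splunk implemented its fix. It places the weak join next to a confined one and exercises both in a throwaway directory; the layout (a fixed "csv" directory plus a caller-supplied bare file name) and the file names are assumptions.

```python
"""Confining a caller-supplied file name to one directory.

Added example, not Splunk code. The advisory states only that the
collect, inputcsv and outputcsv commands let an authenticated user reach
paths outside their working directory; the layout here (a fixed csv
directory plus a bare file name supplied by the caller) is an assumed
stand-in used to show the check, not how Splunk implemented the fix.
"""
import os
import tempfile


class PathEscape(ValueError):
    """Raised when a name would resolve outside the permitted directory."""


def naive_join(base_dir, name):
    """The weak form: os.path.join discards base_dir for an absolute name
    and keeps '..' components, so the caller picks the final path."""
    return os.path.join(base_dir, name)


def confined_path(base_dir, name):
    """Return the path for `name` inside base_dir, or raise PathEscape.

    Three checks: the name must be a bare file name (no separators), it
    must not be '.' or '..', and the fully resolved path (symlinks
    followed) must still lie under the resolved base directory.
    """
    if not name or name in (".", "..") or name != os.path.basename(name):
        raise PathEscape(f"not a bare file name: {name!r}")
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, name))
    # realpath follows symlinks, so a link planted inside base_dir that
    # points elsewhere fails this comparison too.
    if os.path.commonpath([base_real, target]) != base_real:
        raise PathEscape(f"{name!r} resolves outside {base_real}")
    return target


def demo():
    """Exercise both forms in a throwaway tree; returns {case: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "csv")
        os.mkdir(base)
        outside = os.path.join(root, "secret.txt")  # constructed file outside base
        open(outside, "w").close()
        os.symlink(outside, os.path.join(base, "link.csv"))  # planted symlink

        # Weak form: both an absolute name and a '..' name leave base.
        results["naive_abs_escapes"] = naive_join(base, "/etc/passwd") == "/etc/passwd"
        results["naive_dotdot_escapes"] = (
            os.path.realpath(naive_join(base, "../secret.txt")) == os.path.realpath(outside)
        )
        # Hardened form: only the plain name inside base is accepted.
        for name in ("results.csv", "../secret.txt", "/etc/passwd", "link.csv", ".."):
            try:
                confined_path(base, name)
                results[name] = "allowed"
            except PathEscape:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The symlink case is the one most often missed: a string-level check on the name passes, and only resolving the final path with the links followed exposes the escape. Run the file directly to see each case's outcome.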

Type confusion vulnerability in libxslt (CVE-2015-7995) (SPL-113082, SPL-113083, SPL-113084, SPL-113085, SPL-116566)

Description: Splunk Enterprise versions 6.3.x before 6.3.3.4, 6.2.x before 6.2.9, 6.1.x before 6.1.10, 6.0.x before 6.0.11, and 5.0.x before 5.0.15, and Splunk Light versions 6.3.x before 6.3.3.4 and 6.2.x before 6.2.9, are affected by a type confusion vulnerability in libxslt (CVE-2015-7995). The vulnerability could permit an attacker to cause a denial of service by having Splunk process crafted XML files.

CVSS Severity (version 2.0):

CVSS Base Score: 5.0
CVSS Impact Subscore: 2.9
CVSS Exploitability Subscore: 10.0
Overall CVSS Score: 5.0