Splunk Software Patch
Directory traversal with uploads in Splunk Web (SPL-31194)
This software patch is provided to address SPL-31194, Directory traversal with uploads in Splunk Web. In versions of Splunk 4.0.x prior to 4.0.11 and versions of Splunk 4.1.x prior to 4.1.2, Splunk Web is vulnerable to directory traversal attacks without authentication, which could result in an attacker being able to disclose sensitive information from the Splunk server.
Splunk strongly recommends that all instances of Splunk running the Splunk Web component be updated immediately to the newest maintenance release as the recommended course of resolution for this and other related incidents discussed in our May 3rd Security Announcement. If, however, you are running Splunk in an environment where you are unable to immediately upgrade, you will need to apply this patch as a secondary approach.This patch will only mitigate the most critical vulnerability issued in the May 3rd Security Announcement, Directory traversal with uploads in Splunk Web (SPL-31194).
Downloading and Installing the patch
These instructions are for both the 4.0.x and 4.1.x versions of Splunk
- Download the patch from Splunk onto the server running Splunk Web.
You do not need to stop your instance of Splunk before installing the patch. Issue the following command as the user you installed Splunk as:
$SPLUNK_HOME/bin/splunk cmd python splunk-patch-2010-001.bin
For example, if you're running a *nix system, this woulde be:
/opt/splunk/bin/splunk cmd python /tmp/splunk-patch-2010-001.bin
If you're on a Windows system, this would be:
C:\Program Files\splunk\bin\splunk cmd python D:\splunk-patch-2010-001.bin
Remember, the $SPLUNK_HOME may be different on your install.
Restart the Splunk Web component after it has been installed for the changes to take effect:
$SPLUNK_HOME/bin/splunk restart splunkweb