Splunk Releases Security Updates for Multiple Products

Security updates address vulnerabilities in Splunk Enterprise, Splunk Cloud, Splunk Universal Forwarders, Splunk App for Stream, and Splunk App for Lookup File Editing

Threat ID:: CC-4329
Threat Severity:: Information only
Published:: 6 June 2023 3:25 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Security updates address vulnerabilities in Splunk Enterprise, Splunk Cloud, Splunk Universal Forwarders, Splunk App for Stream, and Splunk App for Lookup File Editing

Affected platforms

The following platforms are known to be affected:

Versions: 9.0.4 and earlier, 8.2.10 and earlier, 8.1.13 and earlier

Splunk Enterprise

Versions: 9.0.2303 and earlier

Splunk Cloud Platform

Versions: 9.0.4 and earlier, 8.2.10 and earlier, and 8.1.13 and earlier

Splunk Universal Forwarder

Versions: 8.1 and earlier

Splunk App for Stream

Versions: 4.0 and earlier

Splunk App for Lookup File Editing

Threat details

Introduction

Splunk has released twelve security advisories that address five high, six medium, and one low impact vulnerabilities within Splunk Enterprise, Splunk Cloud, Splunk Universal Forwarders, Splunk App for Stream, and Splunk App for Lookup File Editing. The high-severity vulnerabilities include vulnerabilities that could be exploited by an attacker to cause a denial-of-service condition, path traversal, or privilege escalation on a vulnerable system.

In addition to these security advisories, Splunk has also released Third-Party Bulletins that affect Splunk Cloud, Splunk Universal Forwarders, and Splunk Enterprise.

Remediation advice

Affected organisations are encouraged to review the following Splunk Security Advisories for more information.

Remediation steps

Type	Step
Patch	Role-based Access Control (RBAC) Bypass on '/services/indexing/preview' REST Endpoint Can Overwrite Search \| SVD-2023-0612 https://advisory.splunk.com/advisories/SVD-2023-0612
Patch	Denial of Service via the 'dump' SPL command \| SVD-2023-0611 https://advisory.splunk.com/advisories/SVD-2023-0611
Patch	Self Cross-Site Scripting (XSS) on Splunk App for Lookup File Editing \| SVD-2023-0610 https://advisory.splunk.com/advisories/SVD-2023-0610
Patch	Information Disclosure via the ‘copyresults’ SPL Command \| SVD-2023-0609 https://advisory.splunk.com/advisories/SVD-2023-0609
Patch	Path Traversal in Splunk App for Lookup File Editing \| SVD-2023-0608 https://advisory.splunk.com/advisories/SVD-2023-0608
Patch	Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for Stream \| SVD-2023-0607 https://advisory.splunk.com/advisories/SVD-2023-0607
Patch	Unauthenticated Log Injection on '/var/log/splunk/web_service.log' Log File \| SVD-2023-0606 https://advisory.splunk.com/advisories/SVD-2023-0606
Patch	Persistent Cross-Site Scripting (XSS) through a URL Validation Bypass within a Dashboard View \| SVD-2023-0605 https://advisory.splunk.com/advisories/SVD-2023-0605
Patch	Low-privileged User can View Hashed Default Splunk Password \| SVD-2023-0604 https://advisory.splunk.com/advisories/SVD-2023-0604
Patch	HTTP Response Splitting via the ‘rest’ SPL Command \| SVD-2023-0603 https://advisory.splunk.com/advisories/SVD-2023-0603
Patch	‘edit_user’ Capability Privilege Escalation \| SVD-2023-0602 https://advisory.splunk.com/advisories/SVD-2023-0602
Patch	Denial Of Service due to Untrusted XML Tag in XML Parser within SAML Authentication \| SVD-2023-0601 https://advisory.splunk.com/advisories/SVD-2023-0601
Patch	Third-Party Bulletins https://advisory.splunk.com/?301=/en_us/product-security.html

Definitive source of threat updates

https://advisory.splunk.com/advisories

CVE Vulnerabilities

Status Published

CVE-2023-32717

On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, an unauthorized user can access the {{/services/indexing/preview}} REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.

Status Published

CVE-2023-32716

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, an attacker can exploit a vulnerability in the {{dump}} SPL command to cause a denial of service by crashing the Splunk daemon.

Status Published

CVE-2023-32715

In the Splunk App for Lookup File Editing versions below 4.0.1, a user can insert potentially malicious JavaScript code into the app, which causes that code to run on the user’s machine. The app itself does not contain the potentially malicious JavaScript code. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser, and requires additional user interaction to trigger. The attacker cannot exploit the vulnerability at will.

Status Published

CVE-2023-32714

In the Splunk App for Lookup File Editing versions below 4.0.1, a low-privileged user can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory.

Status Published

CVE-2023-32713

In Splunk App for Stream versions below 8.1.1, a low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user.

Status Published

CVE-2023-32712

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can use a specially crafted web URL in their browser to cause log file poisoning. The attack requires the attacker to have secure shell (SSH) access to the instance and use a terminal program that supports a certain feature set to execute the attack successfully.

Status Published

CVE-2023-32711

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a Splunk dashboard view lets a low-privileged user exploit a vulnerability in the Bootstrap web framework (CVE-2019-8331) and build a stored cross-site scripting (XSS) payload.

Status Published

CVE-2023-32710

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and in Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can perform an unauthorized transfer of data from a search using the ‘copyresults’ command if they know the search ID (SID) of a search job that has recently run.

Status Published

CVE-2023-32709

In Splunk Enterprise versions below 9.0.5, 8.2.11. and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user who holds the ‘user’ role can see the hashed version of the initial user name and password for the Splunk instance by using the ‘rest’ SPL command against the ‘conf-user-seed’ REST endpoint.

Status Published

CVE-2023-32708

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can trigger an HTTP response splitting vulnerability with the ‘rest’ SPL command that lets them potentially access other REST endpoints in the system arbitrarily.

Status Published

CVE-2023-32707

In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.

Status Published

CVE-2023-32706

On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon.

Last edited: 6 June 2023 3:25 pm