Splunk Releases Security Updates

Security updates address vulnerabilities affecting Splunk Enterprise and Splunk Cloud

Threat ID:: CC-4471
Threat Severity:: Medium
Published:: 28 March 2024 11:12 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Security updates address vulnerabilities affecting Splunk Enterprise and Splunk Cloud

Affected platforms

The following platforms are known to be affected:

Versions: all prior to 9.2.1, 9.1.4, and 9.0.9

Splunk Enterprise

Versions: all prior to 9.1.2312.100

Splunk Cloud Platform

Threat details

Introduction

Splunk has released two security advisories that address two high severity vulnerabilities within Splunk Enterprise and Splunk Cloud. Splunk is a data analysis platform used for business and web analytics, application management, compliance, and security.

The first high-severity vulnerability, known as CVE-2024-29945 with a CVSSv3 score of 7.2 , could allow Splunk Enterprise software (in debug mode or the JsonWebToken component logs activity at the DEBUG logging level) to expose authentication tokens during the token validation process.

The second high-severity vulnerability, known as CVE-2024-29946 with a CVSSv3 score of 8.1, could allow attackers to bypass SPL safeguards for risky commands in the Hub.

Remediation advice

Affected organisations are encouraged to review the following Splunk Security Advisories for more information.

Remediation steps

Type	Step
Patch	Splunk Authentication Token Exposure in Debug Log in Splunk Enterprise \| SVD-2024-0301 https://advisory.splunk.com//advisories/SVD-2024-0301
Patch	Risky command safeguards bypass in Dashboard Examples Hub \| SVD-2024-0302 https://advisory.splunk.com//advisories/SVD-2024-0302

Definitive source of threat updates

https://advisory.splunk.com/advisories

CVE Vulnerabilities

Status Published

CVE-2024-29945

In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software potentially exposes authentication tokens during the token validation process. This exposure happens when either Splunk Enterprise runs in debug mode or the JsonWebToken component has been configured to log its activity at the DEBUG logging level.

Status Published

CVE-2024-29946

In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the Dashboard Examples Hub in the Splunk Dashboard Studio app lacks protections for risky SPL commands. This could let attackers bypass SPL safeguards for risky commands in the Hub. The vulnerability would require the attacker to phish the victim by tricking them into initiating a request within their browser.

Last edited: 28 March 2024 11:18 am