Splunk, a leading provider of data analytics and security solutions, recently released security advisories addressing potential vulnerabilities related to Splunk Enterprise. These advisories highlight the importance of staying vigilant and proactive when it comes to cybersecurity.
Specifically, the advisories highlight six high severity vulnerabilities and eight medium severity vulnerabilities related to Splunk Web, which is often configured in an organization's environment. These vulnerabilities could potentially allow an attacker to execute arbitrary code or obtain sensitive information, including credentials or system configuration details.
To address these vulnerabilities, organizations that have configured Splunk Web in their environment are strongly encouraged to upgrade to version 9.0.4 of Splunk Enterprise. This version includes a patch that specifically addresses the vulnerabilities related to Splunk Web.
For organizations that use Splunk Cloud Platform, it's important to note that Splunk Support will handle the necessary updates to address these vulnerabilities.
It's crucial for organizations to take proactive measures to ensure the security of their systems, including implementing strong access controls, regularly monitoring system logs for suspicious activity, and performing regular vulnerability assessments and penetration testing.
The Splunk security advisories provide valuable information about potential vulnerabilities and steps that organizations can take to mitigate risk. By staying informed about potential threats and taking proactive measures to address them, organizations can better protect their sensitive data and reduce the risk of a cyber attack.
For reference, below is the list of high severity and medium severity vulnerabilities related to Splunk Web published by Splunk
| SVD-2023 | CVE | Description | Component | Affected Version | Fixed Version | Action to be Taken | Severity |
| 0202 | 2023-22932 | Persistent Cross-Site Scripting through a Base64-encoded Image in a View in Splunk Enterprise | Persistent Cross-Site Scripting through a Base64-encoded Image in a View in Splunk Enterprise |
Splunk Enterprise: 9.0.0 to 9.0.3 Splunk Cloud: 9.0.2209 and lower |
Splunk Enterprise: 9.0.4 Splunk Cloud: 9.0.2209.3 |
Splunk Enterprise: Upgrade to 9.0.4 or higher Splunk Support will upgrade splunk Cloud Instances |
High |
| 0204 | 2023-22934 | SPL Command Safeguards Bypass via the ‘pivot’ SPL Command in Splunk Enterprise | Splunk Enterprise-Splunk Web | High | |||
| 0205 | 2023-22935 | SPL Command Safeguards Bypass via the ‘display.page.search.patterns.sensitivity’ Search Parameter in Splunk Enterprise | Splunk Enterprise-Splunk Web | High | |||
| 0209 | 2023-22939 | SPL Command Safeguards Bypass via the ‘map’ SPL Command in Splunk Enterprise | Splunk Enterprise-Splunk Web | High | |||
| 0215 | 2021-21419, 2021-28957, 2022-24785, 2022-31129, 2022-32212, 2015-20107, 2021-3517, 2021-3537, 2021-3518 | February Third Party Package Updates in Splunk Enterprise | Splunk Enterprise-Splunk Web | High | |||
| 0203 | 2023-22933 | Persistent Cross-Site Scripting through the ‘module’ Tag in a View in Splunk Enterprise | Splunk Enterprise-Splunk Web |
Splunk Enterprise: 8.1.12 and lower, 8.2.0 to 8.2.9, 9.0. to 9.0.3 Splunk Cloud: 9.0.2208 and lower |
Splunk Enterprise: 8.1.13, 8.2.10, 9.0.4 Splunk Cloud: 9.0.2209 |
Splunk Enterprise: Upgrade to 8.1.13, 8.2.10, 9.0.4, or higher. Splunk Support will upgrade splunk Cloud Instances |
High |
| 0201 | 2023-22931 | ‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise | Search |
Splunk Enterprise: 8.2.0 to 8.0.9 & 8.1.12 and lower Splunk Cloud: 8.2.2202 and lower |
Splunk Enterprise: 8.1.13, 8.2.10 Splunk Cloud: 8.2.2203 |
Upgrade to 8.1.13, 8.2.10- Splunk Enterprise Splunk Support will upgrade splunk Cloud Instances |
Medium |
| 0206 | 2023-22936 | Authenticated Blind Server Side Request Forgery via the ‘search_listener’ Search Parameter in Splunk Enterprise | Splunk Enterprise-Splunk Web | Medium | |||
| 0207 | 2023-22937 | Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk Enterprise | Splunk Enterprise-Splunk Web | Medium | |||
| 0208 | 2023-22938 | Permissions Validation Failure in the ‘sendemail’ REST API Endpoint in Splunk Enterprise | Splunk Enterprise-Splunk Web | Medium | |||
| 0210 | 2023-22940 | SPL Command Safeguards Bypass via the ‘collect’ SPL Command Aliases in Splunk Enterprise | Splunk Enterprise-Splunk Web | Medium | |||
| 0211 | 2023-22941 | Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon | Splunk Enterprise-Splunk Web | Medium | |||
| 0212 | 2023-22942 | Cross-Site Request Forgery in the ‘ssg/kvstore_client’ REST Endpoint in Splunk Enterprise | Splunk Enterprise-Splunk Web | Medium | |||
| 0213 | 2023-22943 | Modular Input REST API Requests Connect via HTTP after Certificate Validation Failure in Splunk Add-on Builder and Splunk CloudConnect SDK |
Splunk Add-On Builder (4.1) |
4.1.1 and lower |
4.1.2 | Upgrade to Splunk Add-on Builder 4.1.2 or higher | Medium |
|
Splunk CloudConnect SDK (3.1) |
3.1.2 and lower |
3.1.3 | Upgrade to Splunk CloudConnect SDK 3.1.3 |
