Splunk Enterprise Deployment Servers < 9.0 RCE

critical Nessus Plugin ID 164075

Synopsis

An application running on a remote web server host may be affected by a remote code execution vulnerability.

Description

Splunk Enterprise deployment servers in versions 8.1.x prior to 8.1.10.1, 8.2.x prior to 8.2.6.1, and 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade Splunk Enterprise to version 8.1.0.1, 8.2.6.1, 9.0, or later.

See Also

http://www.nessus.org/u?33dc66b8

Plugin Details

Severity: Critical

ID: 164075

File Name: splunk_900_cve-2022-32158.nasl

Version: 1.4

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 8/11/2022

Updated: 8/31/2022

Configuration: Enable paranoid mode

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2022-32158

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:splunk:splunk

Required KB Items: installed_sw/Splunk, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 6/14/2022

Vulnerability Publication Date: 6/14/2022

Reference Information

CVE: CVE-2022-32158

IAVA: 2022-A-0251-S