Splunk Enterprise < 9.0 Multiple Vulnerabilities

critical Nessus Plugin ID 164076

Synopsis

An application running on a remote web server host is affected by multiple vulnerabilities.

Description

The version of Splunk installed on the remote host is prior to 9.0. It is, therefore, affected by multiple vulnerabilities.

- The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0. Python 3 client libraries now verify server certificates by default and use the appropriate CA certificate stores for each library. Apps and add-ons that include their own HTTP libraries are not affected. (CVE-2022-32151)

- Splunk Enterprise peers in Splunk Enterprise versions before 9.0 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. (CVE-2022-32152, CVE-2022-32153)

- Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. Note that the attack is browser-based and an attacker cannot exploit it at will. (CVE-2022-32154)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Splunk Enterprise 9.0, or later.

See Also

http://www.nessus.org/u?1e830af9

http://www.nessus.org/u?ad3b9d22

http://www.nessus.org/u?c6b2548f

http://www.nessus.org/u?77bc5700

Plugin Details

Severity: Critical

ID: 164076

File Name: splunk_900.nasl

Version: 1.4

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 8/11/2022

Updated: 8/31/2022

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2022-32153

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-32151

Vulnerability Information

CPE: cpe:/a:splunk:splunk

Required KB Items: installed_sw/Splunk

Exploit Ease: No known exploits are available

Patch Publication Date: 6/14/2022

Vulnerability Publication Date: 6/14/2022

Reference Information

CVE: CVE-2022-32151, CVE-2022-32152, CVE-2022-32153, CVE-2022-32154

IAVA: 2022-A-0251-S