Vulnerabilites related to Splunk - Universal Forwarder
CVE-2022-32156 (GCVE-0-2022-32156)
Vulnerability from cvelistv5
Published
2022-06-14 00:00
Modified
2024-08-03 07:32
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-295 - Improper Certificate Validation
Summary
In Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface (CLI) did not validate TLS certificates while connecting to a remote Splunk platform instance by default. After updating to version 9.0, see Configure TLS host name validation for the Splunk CLI https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_the_Splunk_CLI to enable the remediation. The vulnerability does not affect the Splunk Cloud Platform. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.
The issue requires conditions beyond the control of a potential bad actor such as a machine-in-the-middle attack. Hence, Splunk rates the complexity of the attack as High.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Splunk | Splunk Enterprise |
Version: 0 < 9.0.0 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:32:55.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0606.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_the_Splunk_CLI"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Universal Forwarder",
"vendor": "Splunk",
"versions": [
{
"lessThan": "9.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSplunk peer communications configured properly with valid certificates were not vulnerable. However, connections from misconfigured nodes without valid certificates did not fail by default.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSplunk strongly recommends securing your Splunk environment with hardened TLS configurations. See \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL\"\u003eSecuring the Splunk platform with TLS\u003c/a\u003e\u0026nbsp;for more information. However, the vulnerability assumes that you have configured your Splunk platform instances to use transport layer security (TLS) certificates for secure network connections. If you have not and are using the default certificates, the vulnerability is not applicable and is informational.\u003c/p\u003e"
}
],
"value": "Splunk peer communications configured properly with valid certificates were not vulnerable. However, connections from misconfigured nodes without valid certificates did not fail by default. \n\nSplunk strongly recommends securing your Splunk environment with hardened TLS configurations. See Securing the Splunk platform with TLS https://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL for more information. However, the vulnerability assumes that you have configured your Splunk platform instances to use transport layer security (TLS) certificates for secure network connections. If you have not and are using the default certificates, the vulnerability is not applicable and is informational.\n\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Chris Green at Splunk"
}
],
"datePublic": "2022-06-14T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface (CLI) did not validate TLS certificates while connecting to a remote Splunk platform instance by default. After updating to version 9.0, see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_the_Splunk_CLI\"\u003eConfigure TLS host name validation for the Splunk CLI\u003c/a\u003e\u0026nbsp;to enable the remediation.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe vulnerability does not affect the Splunk Cloud Platform. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThe issue requires conditions beyond the control of a potential bad actor such as a machine-in-the-middle attack. Hence, Splunk rates the complexity of the attack as High.\u0026nbsp;\u003c/p\u003e"
}
],
"value": "In Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface (CLI) did not validate TLS certificates while connecting to a remote Splunk platform instance by default. After updating to version 9.0, see Configure TLS host name validation for the Splunk CLI https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_the_Splunk_CLI to enable the remediation. The vulnerability does not affect the Splunk Cloud Platform. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.\n\nThe issue requires conditions beyond the control of a potential bad actor such as a machine-in-the-middle attack. Hence, Splunk rates the complexity of the attack as High. \n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Universal Forwarders"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Splunk Enterprise"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-11T18:56:14.525Z",
"orgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"shortName": "Splunk"
},
"references": [
{
"url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0606.html"
},
{
"url": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates"
},
{
"url": "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_the_Splunk_CLI"
}
],
"source": {
"advisory": "SVD-2022-0606",
"discovery": "INTERNAL"
},
"title": "Splunk Enterprise and Universal Forwarder CLI connections lacked TLS cert validation"
}
},
"cveMetadata": {
"assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"assignerShortName": "Splunk",
"cveId": "CVE-2022-32156",
"datePublished": "2022-06-14T00:00:00",
"dateReserved": "2022-05-31T00:00:00",
"dateUpdated": "2024-08-03T07:32:55.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32712 (GCVE-0-2023-32712)
Vulnerability from cvelistv5
Published
2023-06-01 16:34
Modified
2025-02-28 11:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-117 - The software does not neutralize or incorrectly neutralizes output that is written to logs.
Summary
In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit.
Universal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in situations where they have management services active and accessible over the network. Universal Forwarder versions 9.0.x and 9.1.x bind management services to the local machine and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 use Unix Domain Sockets (UDS) for communication, which further reduces the potential attack surface.
The vulnerability does not directly affect Splunk Enterprise or Universal Forwarder. The indirect impact on Splunk Enterprise and Universal Forwarder can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Splunk | Splunk Enterprise |
Version: 8.2 < 8.2.11.2 Version: 9.0 < 9.0.5.1 Version: 9.1 < 9.1.0.2 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*"
],
"defaultStatus": "unknown",
"product": "splunk",
"vendor": "splunk",
"versions": [
{
"lessThan": "8.2.11.2",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "9.0.5.1",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "9.1.0.2",
"status": "affected",
"version": "9.1",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "universal_forwarder",
"vendor": "splunk",
"versions": [
{
"lessThan": "8.2.12",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "9.0.6",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "9.1.1",
"status": "affected",
"version": "9.1",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T19:25:54.346712Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:26:05.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.767Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisory.splunk.com/advisories/SVD-2023-0606"
},
{
"tags": [
"x_transferred"
],
"url": "https://research.splunk.com/application/de3908dc-1298-446d-84b9-fa81d37e959b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "8.2.11.2",
"status": "affected",
"version": "8.2",
"versionType": "custom"
},
{
"lessThan": "9.0.5.1",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"lessThan": "9.1.0.2",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Universal Forwarder",
"vendor": "Splunk",
"versions": [
{
"lessThan": "8.2.12",
"status": "affected",
"version": "8.2",
"versionType": "custom"
},
{
"lessThan": "9.0.6",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"lessThan": "9.1.1",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ST\u00d6K / Fredrik Alexandersson"
}
],
"datePublic": "2023-06-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit.\nUniversal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in situations where they have management services active and accessible over the network. Universal Forwarder versions 9.0.x and 9.1.x bind management services to the local machine and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 use Unix Domain Sockets (UDS) for communication, which further reduces the potential attack surface.\nThe vulnerability does not directly affect Splunk Enterprise or Universal Forwarder. The indirect impact on Splunk Enterprise and Universal Forwarder can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine."
}
],
"value": "In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit.\nUniversal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in situations where they have management services active and accessible over the network. Universal Forwarder versions 9.0.x and 9.1.x bind management services to the local machine and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 use Unix Domain Sockets (UDS) for communication, which further reduces the potential attack surface.\nThe vulnerability does not directly affect Splunk Enterprise or Universal Forwarder. The indirect impact on Splunk Enterprise and Universal Forwarder can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "The software does not neutralize or incorrectly neutralizes output that is written to logs.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T11:03:57.287Z",
"orgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"shortName": "Splunk"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2023-0606"
},
{
"url": "https://research.splunk.com/application/de3908dc-1298-446d-84b9-fa81d37e959b"
}
],
"source": {
"advisory": "SVD-2023-0606"
},
"title": "Unauthenticated Log Injection in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"assignerShortName": "Splunk",
"cveId": "CVE-2023-32712",
"datePublished": "2023-06-01T16:34:29.862Z",
"dateReserved": "2023-05-11T20:55:59.872Z",
"dateUpdated": "2025-02-28T11:03:57.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}