Splunk Enterprise deployment servers allow client publishing of forwarder bundles
Advisory ID: SVD-2022-0608
CVE ID: CVE-2022-32158
Published: 2022-06-14
Last Update: 2022-07-18
CVSSv3.1 Score: 9.0, Critical
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-284
Bug ID: SPL-176829
Description
Splunk Enterprise deployment servers in versions before 8.1.10.1, 8.2.6.1, and 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server. If you do not run a Deployment Server or use the Deployment Server functionality, the vulnerability is not applicable and is strictly informational.
The Splunk Cloud Platform (SCP) does not offer or use deployment servers and is not affected by the vulnerability. SCP customers that run their own Splunk Enterprise deployment servers to manage forwarders should upgrade those deployment servers to 8.1.10.1, 8.2.6.1, or 9.0 or later. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.
Solution
Upgrade Splunk Enterprise deployment servers to version 8.1.10.1, 8.2.6.1, or 9.0 or later, whichever matches the release line in use.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | Deployment Server | Versions before 8.1.10.1 | 8.1.10.1 |
Splunk Enterprise | 8.2 | Deployment Server | 8.2.0 to 8.2.6 | 8.2.6.1 |
Splunk Enterprise | 9.0 | - | Not affected | - |
Severity Considerations
If you do not run a Deployment Server or use the Deployment Server functionality, the vulnerability is informational. You can disable the Deployment Server functionality temporarily without stopping the Splunk Enterprise instance that hosts it. See CLI admin commands for more information.
If the Deployment Server is within a VPC/VPN and reachable only from inside that network boundary, Splunk recommends reducing the severity to High.
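As an added triage example (this is not Splunk's code and is not part of the advisory), the POSIX shell script below encodes the Product Status table, reads the local instance's version through the `splunk version` CLI command when the binary is present, and checks whether a Deployment Server is configured by looking for serverclass.conf. The SPLUNK_HOME default of /opt/splunk, the check_ds.sh file name, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added triage helper for CVE-2022-32158; not Splunk's own code and not part of
# the advisory. Encodes the Product Status table, optionally reads the local
# instance's version, and reports whether the Deployment Server role is set up.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk, and a Deployment Server is
# treated as configured when a serverclass.conf exists under $SPLUNK_HOME/etc.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Turn "8.2.6" or "8.1.10.1" into one integer so versions compare numerically
# (three decimal digits per field; missing trailing fields count as 0).
# Runs in a subshell so the IFS change does not leak to the caller.
ver_key() (
  IFS=.
  set -- $1
  echo $(( ${1:-0} * 1000000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + ${4:-0} ))
)

# Classify a deployment server version against the advisory's fix versions.
# Prints "fixed" or "affected".
cve_2022_32158_status() {
  k=$(ver_key "$1")
  if   [ "$k" -ge "$(ver_key 9.0)" ];      then echo fixed     # 9.0 and later: not affected
  elif [ "$k" -ge "$(ver_key 8.2.6.1)" ];  then echo fixed     # 8.2 line, backported fix
  elif [ "$k" -ge "$(ver_key 8.2.0)" ];    then echo affected  # 8.2.0 through 8.2.6
  elif [ "$k" -ge "$(ver_key 8.1.10.1)" ]; then echo fixed     # 8.1 line, backported fix
  else                                          echo affected  # anything before 8.1.10.1
  fi
}

# Return 0 if serverclass.conf (the file that defines server classes and which
# apps go to which clients) is present in system/local or any app's local dir.
ds_in_use() {
  home="${1:-$SPLUNK_HOME}"
  [ -f "$home/etc/system/local/serverclass.conf" ] && return 0
  for f in "$home"/etc/apps/*/local/serverclass.conf; do
    [ -f "$f" ] && return 0
  done
  return 1
}

# Read the local version with the CLI ("splunk version" prints a line such as
# "Splunk 8.2.6 (build ...)") and print a one-line verdict for this host.
local_verdict() {
  bin="$SPLUNK_HOME/bin/splunk"
  if [ ! -x "$bin" ]; then
    echo "no splunk binary at $bin"
    return 1
  fi
  v=$("$bin" version 2>/dev/null | awk '/^Splunk / { print $2; exit }')
  if [ -z "$v" ]; then
    echo "could not read the version from $bin"
    return 1
  fi
  if ds_in_use; then
    echo "deployment server configured, version $v: $(cve_2022_32158_status "$v")"
  else
    echo "deployment server not configured, version $v: advisory is informational only"
  fi
}

# Usage: sh check_ds.sh 8.2.6   -> classify a version string
#        sh check_ds.sh         -> inspect the local instance, if one is installed
if [ "$#" -gt 0 ]; then
  cve_2022_32158_status "$1"
elif [ -x "$SPLUNK_HOME/bin/splunk" ]; then
  local_verdict
fi
```

If the script reports a configured deployment server on an affected version and the upgrade cannot happen immediately, the CLI admin commands the advisory refers to are `$SPLUNK_HOME/bin/splunk disable deploy-server` to switch the role off without stopping the instance, and `enable deploy-server` to restore it after the upgrade.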
Acknowledgments
Nadim Taha at Splunk
Changelog
2022-07-18: Added “If you do not run a Deployment Server or use the Deployment Server functionality, the vulnerability is not applicable and is strictly informational” to the Description, Components in the Product Status table, and the Severity Considerations.
2022-06-30: Updated versions to reflect backport for this specific vulnerability.
2022-06-16: Removed the Security Content link.
2022-06-14: Changed Solution from “Upgrade Splunk Enterprise deployment servers to version 9.0 or higher, upgrade Universal Forwarders to version 9.0 or higher, and Configure authentication for deployment servers and clients.” to “Upgrade Splunk Enterprise deployment servers to version 9.0 or higher”. Remediation only requires updating the Splunk Enterprise deployment servers to 9.0. Updating the Universal Forwarders does not remediate or mitigate CVE-2022-32158.