Remote Code Execution through dashboard PDF generation component in Splunk Enterprise

Advisory ID: SVD-2022-1111

CVE ID: CVE-2022-43571

Published: 2022-11-02

Last Update: 2022-11-02

CVSSv3.1 Score: 8.8, High, High

CWE: CWE-94

Bug ID: SPL-228720

Description

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.

Solution

For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.

For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise8.18.1.11 and lower8.1.12
Splunk Enterprise8.28.2.0 to 8.2.88.2.9
Splunk Enterprise9.09.0.0 to 9.0.19.0.2
Splunk Cloud Platform9.0.2208 and lower9.0.2209

Mitigations and Workarounds

None

Detections

This detection search provides information about a vulnerability in Splunk Enterprise versions below 8.1.12, 8.2.9, 9.0.2209 and 9.0.2 where an authenticated user can execute arbitrary code remotely through the dashboard PDF generation component.

Severity

Splunk rates the vulnerability as High, 8.8, with a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires user access to create a dashboard.

Acknowledgments

Danylo Dmytriiev (DDV_UA)