Splunk announced on November 2 the release of a new set of quarterly patches for Splunk Enterprise, which include fixes for nine high-severity vulnerabilities.
The most severe of these security defects have a CVSS score of 8.8 and are described as remote code execution (RCE), XML external entity (XXE) injection, and reflected cross-site scripting (XSS) bugs.
Tracked as CVE-2022-43571 and CVE-2022-43567, the RCE vulnerabilities can be exploited by authenticated attackers to execute code via the dashboard PDF generation component or via crafted requests sent to the mobile alerts feature of the Splunk Secure Gateway app.
The XXE injection vulnerability, CVE-2022-43570, can be exploited to cause Splunk Web to embed incorrect documents into an error. A workaround for the flaw consists of disabling Splunk Web and restricting who can upload lookup files.
With a CVSS score of 8.1, the next two high-severity vulnerabilities are described as risky command protection bypasses that can be exploited if the attacker phishes the victim by tricking them into initiating a request in the browser.
The first of the flaws (CVE-2022-43563) impacts the ‘rex’ search command’s handling of field names, while the second issue (CVE-2022-43565) was found in the ‘tstats’ command’s handling of JSON files.
Splunk also resolved a persistent XSS in the object name of a Data Model (CVE-2022-43569), a risky command safeguards bypass in the Analytics Workspace (CVE-2022-43566), and an indexing blockage or denial-of-service (DoS) condition in Splunk-to-Splunk (S2S) and HTTP Event Collector (HEC) protocols (CVE-2022-43572).
Additionally, Splunk resolved two medium-severity issues (DoS via crafted search macros and XSS via the ‘power’ Splunk role) and one low-severity flaw (remote, unauthenticated host header injection).
All vulnerabilities have been resolved with the release of Splunk Enterprise versions 8.1.12, 8.2.9, and 9.0.2. Additional details on these issues can be found on Splunk’s product security page.
The next quarterly security updates are scheduled for February 7, 2023.
Ionut Arghire is an international correspondent for SecurityWeek. Previous Columns by Ionut Arghire:Tags: