Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon

Advisory ID: SVD-2023-0211

CVE ID: CVE-2023-22941

Published: 2023-02-14

Last Update: 2023-02-14

CVSSv3.1 Score: 6.5, Medium

CWE: CWE-248

Bug ID: SPL-232645

Description

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).

Solution

For Splunk Enterprise, upgrade to version 8.1.13, 8.2.10, 9.0.4, or higher.

For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.

Product Status

| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.12 and lower | 8.1.13 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.9 | 8.2.10 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.3 | 9.0.4 |
| Splunk Cloud Platform | - | Splunk Web | 9.0.2209 and lower | 9.0.2212 |
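To check a fleet against the Splunk Enterprise rows of this table, the following added example (not part of Splunk's advisory) classifies version strings by numeric comparison, so that 8.2.9 sorts below 8.2.10. The host names and build identifiers are constructed, the function names are hypothetical, and treating branches older than 8.1 as "unlisted" is an assumption, because the table does not cover them.

```python
import re

# Fix version per Splunk Enterprise release branch, from the Product Status table.
FIXED_IN = {(8, 1): (8, 1, 13), (8, 2): (8, 2, 10), (9, 0): (9, 0, 4)}

# First X.Y.Z triple in the text; a fourth component (X.Y.Z.N) is ignored.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?!\d)")


def parse_version(text):
    """Return the first X.Y.Z triple in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(version_text):
    """Classify one Splunk Enterprise version string against SVD-2023-0211."""
    v = parse_version(version_text)
    if v is None:
        return "unparsed"
    fix = FIXED_IN.get(v[:2])
    if fix is not None:
        # Tuple comparison is numeric: (8, 2, 9) < (8, 2, 10), unlike strings.
        return "affected" if v < fix else "fixed"
    if v >= max(FIXED_IN.values()):
        # Newer than every listed branch: covered by "9.0.4, or higher".
        return "fixed"
    # Assumption: branches older than 8.1 are not in the table; flag for review.
    return "unlisted"


def triage_inventory(inventory):
    """Map each host to its triage result."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory (host -> version text as an asset list might hold it).
SAMPLE_INVENTORY = {
    "idx01.example.internal": "Splunk 8.2.9 (build 000000000000)",
    "idx02.example.internal": "Splunk 8.2.10 (build 000000000000)",
    "sh01.example.internal": "9.0.3",
    "hf01.example.internal": "8.0.5",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```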

Mitigations and Workarounds

None

Detections

This hunting search provides information on who executed the crashing command, and when and how often the command was executed.

Severity

Splunk rated the vulnerability as Medium, 6.5, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability requires compromising a user account with the capability to create or edit a Field Transformation or run the ‘ingestpreview’ command via Search.

Acknowledgments

James Ervin, Splunk