Critical Security Alerts, Quarterly Security Patches, and Third-Party Bulletins

This page lists announcements of security fixes made in Critical Security Alerts, Quarterly Security Patch Updates, and Third-Party Bulletins. For all Advisories, Announcements, and Bulletins, see the Security Advisories list.

Critical Security Alerts

Splunk publishes out-of-band advisories, as soon as possible, for vulnerabilities that are time-sensitive and cannot wait for the next quarterly release.

SVD | Date | Title | Severity | CVE
SVD-2022-0608 | 2022-08-16 | Splunk Enterprise deployment servers allow client publishing of forwarder bundles | Critical | CVE-2022-32158
SVD-2022-0607 | 2022-08-16 | Splunk Enterprise deployment servers allow unauthenticated forwarder bundle downloads | High | CVE-2022-32157
SVD-2022-0606 | 2022-06-14 | Splunk Enterprise and Universal Forwarder CLI connections lacked TLS certificate validation | High | CVE-2022-32156
SVD-2022-0605 | 2022-06-14 | Universal Forwarder management services allow remote login by default | Info | CVE-2022-32155
SVD-2022-0604 | 2022-06-14 | Risky commands warnings in Splunk Enterprise dashboards | Medium | CVE-2022-32154
SVD-2022-0603 | 2022-06-14 | Splunk Enterprise lacked TLS host name certificate validation | High | CVE-2022-32153
SVD-2022-0602 | 2022-06-14 | Splunk Enterprise lacked TLS certificate validation for Splunk-to-Splunk communication by default | High | CVE-2022-32152
SVD-2022-0601 | 2022-06-14 | Splunk Enterprise disabled TLS validation using the CA certificate stores in Python 3 libraries by default | High | CVE-2022-32151
SVD-2022-0301 | 2022-03-24 | Indexer denial-of-service via malformed S2S request | High | CVE-2021-3422

Quarterly Security Patch Updates

Security Patch Updates are collections of security fixes for supported versions of Splunk products. Splunk creates Security Patch Updates and makes them available, at the time of the quarterly advisory disclosure, through scheduled cloud releases or on-premises maintenance releases for supported versions of Splunk products. When a fix cannot be backported, whether for reasons of technical feasibility or otherwise, Splunk publishes mitigation guidance and additional compensating controls instead.

Security Patch Updates are published quarterly in February, June, August and November. Customers are encouraged to subscribe to the RSS feed to be notified when advisories are published.

SVD | Date | Title | Severity | CVE
SVD-2023-0213 | 2023-02-14 | Modular Input REST API Requests Connect via HTTP after Certificate Validation Failure in Splunk Add-on Builder and Splunk CloudConnect SDK | Medium | CVE-2023-22943
SVD-2023-0212 | 2023-02-14 | Cross-Site Request Forgery in the ‘ssg/kvstore_client’ REST Endpoint in Splunk Enterprise | Medium | CVE-2023-22942
SVD-2023-0211 | 2023-02-14 | Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon | Medium | CVE-2023-22941
SVD-2023-0210 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘collect’ SPL Command Aliases in Splunk Enterprise | Medium | CVE-2023-22940
SVD-2023-0209 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘map’ SPL Command in Splunk Enterprise | High | CVE-2023-22939
SVD-2023-0208 | 2023-02-14 | Permissions Validation Failure in the ‘sendemail’ REST API Endpoint in Splunk Enterprise | Medium | CVE-2023-22938
SVD-2023-0207 | 2023-02-14 | Unnecessary File Extensions Allowed by Lookup Table Uploads in Splunk Enterprise | Medium | CVE-2023-22937
SVD-2023-0206 | 2023-02-14 | Authenticated Blind Server Side Request Forgery via the ‘search_listener’ Search Parameter in Splunk Enterprise | Medium | CVE-2023-22936
SVD-2023-0205 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘display.page.search.patterns.sensitivity’ Search Parameter in Splunk Enterprise | High | CVE-2023-22935
SVD-2023-0204 | 2023-02-14 | SPL Command Safeguards Bypass via the ‘pivot’ SPL Command in Splunk Enterprise | High | CVE-2023-22934
SVD-2023-0203 | 2023-02-14 | Persistent Cross-Site Scripting through the ‘module’ Tag in a View in Splunk Enterprise | High | CVE-2023-22933
SVD-2023-0202 | 2023-02-14 | Persistent Cross-Site Scripting through a Base64-encoded Image in a View in Splunk Enterprise | High | CVE-2023-22932
SVD-2023-0201 | 2023-02-14 | ‘createrss’ External Search Command Overwrites Existing RSS Feeds in Splunk Enterprise | Medium | CVE-2023-22931
SVD-2022-1112 | 2022-11-02 | Indexing blockage via malformed data sent through S2S or HEC protocols in Splunk Enterprise | High | CVE-2022-43572
SVD-2022-1111 | 2022-11-02 | Remote Code Execution through dashboard PDF generation component in Splunk Enterprise | High | CVE-2022-43571
SVD-2022-1110 | 2022-11-02 | XML External Entity Injection through a custom View in Splunk Enterprise | High | CVE-2022-43570
SVD-2022-1109 | 2022-11-02 | Persistent Cross-Site Scripting via a Data Model object name in Splunk Enterprise | High | CVE-2022-43569
SVD-2022-1108 | 2022-11-02 | Reflected Cross-Site Scripting via the radio template in Splunk Enterprise | High | CVE-2022-43568
SVD-2022-1107 | 2022-11-02 | Remote Code Execution via the Splunk Secure Gateway application Mobile Alerts feature | High | CVE-2022-43567
SVD-2022-1106 | 2022-11-02 | Risky command safeguards bypass via Search ID query in Analytics Workspace in Splunk Enterprise | High | CVE-2022-43566
SVD-2022-1105 | 2022-11-02 | Risky command safeguards bypass via ‘tstats’ command JSON in Splunk Enterprise | High | CVE-2022-43565
SVD-2022-1104 | 2022-11-02 | Denial of Service in Splunk Enterprise through search macros | Medium | CVE-2022-43564
SVD-2022-1103 | 2022-11-02 | Risky command safeguards bypass via ‘rex’ search command field names in Splunk Enterprise | High | CVE-2022-43563
SVD-2022-1102 | 2022-11-02 | Host Header Injection in Splunk Enterprise | Low | CVE-2022-43562
SVD-2022-1101 | 2022-11-02 | Persistent Cross-Site Scripting in “Save Table” Dialog in Splunk Enterprise | Medium | CVE-2022-43561
SVD-2022-0803 | 2022-08-16 | Malformed ZIP file crashes Universal Forwarders and Splunk Enterprise through file monitoring input | Medium | CVE-2022-37439
SVD-2022-0802 | 2022-08-16 | Information disclosure via the dashboard drilldown in Splunk Enterprise | Low | CVE-2022-37438
SVD-2022-0801 | 2022-08-16 | Ingest Actions UI in Splunk Enterprise 9.0.0 disabled TLS certificate validation | High | CVE-2022-37437
SVD-2022-0507 | 2022-05-03 | Error message discloses internal path | Medium | CVE-2022-26070
SVD-2022-0506 | 2022-05-03 | Path Traversal in search parameter results in external content injection | High | CVE-2022-26889
SVD-2022-0505 | 2022-05-03 | Reflected XSS in a query parameter of the Monitoring Console | High | CVE-2022-27183
SVD-2022-0504 | 2022-05-03 | Bypass of Splunk Enterprise's implementation of Duo MFA | High | CVE-2021-26253
SVD-2022-0503 | 2022-05-03 | S2S TcpToken authentication bypass | High | CVE-2021-31559
SVD-2022-0502 | 2022-05-03 | Username enumeration through lockout message in REST API | Medium | CVE-2021-33845
SVD-2022-0501 | 2022-05-03 | Local privilege escalation via a default path in Splunk Enterprise Windows | High | CVE-2021-42743

Third-Party Bulletins

Third-Party Bulletins announce security patches for third-party software shipped with Splunk products. Splunk publishes Third-Party Bulletins on the same day as Critical Security Alerts or Quarterly Security Patch Updates.

SVD | Date | Title | Severity | CVE
SVD-2023-0215 | 2023-02-14 | February Third Party Package Updates in Splunk Enterprise | High | Multiple
SVD-2023-0214 | 2023-02-14 | Splunk Response to the Apache Software Foundation Publishing a Vulnerability on Apache Commons Text (CVE-2022-42889) (Text4Shell) | Info | CVE-2022-42889
SVD-2022-1113 | 2022-11-02 | November Third Party Package updates in Splunk Enterprise | High | CVE-2020-36518, CVE-2021-32036
SVD-2022-1114 | 2022-11-01 | Splunk’s response to OpenSSL’s CVE-2022-3602 and CVE-2022-3786 | High | CVE-2022-3602, CVE-2022-3786
SVD-2022-0804 | 2022-08-16 | August Third Party Package updates in Splunk Enterprise and Universal Forwarders | Medium | Multiple
SVD-2021-1201 | 2021-12-10 | Splunk Security Advisory for Apache Log4j (CVE-2021-44228, CVE-2021-45046 and others) | Critical | CVE-2021-44228, CVE-2021-45046

Policy on information provided in Critical Security Alerts and Security Patch Updates

Splunk continuously monitors for vulnerabilities, whether found internally through scans, offensive exercises and employee reports, or reported externally by vendors and researchers. Splunk follows industry best practices to discover and remediate vulnerabilities. To report a security vulnerability, submit it through the Security Vulnerability Submission Portal.

Splunk does not provide information about the specifics of a vulnerability beyond what is published in the Critical Security Alert or Security Patch Update. Splunk does not distribute active exploit code (i.e., proof-of-concept code) for vulnerabilities in its products.

Applicability of Critical Security Alerts and Quarterly Security Updates

Splunk teams regularly evaluate Critical Security Alerts, Quarterly Security Patch Updates and Third-Party Bulletins as they become available and apply the relevant patches in accordance with applicable change management processes.

Customers requiring additional information that is not addressed in a Critical Security Alert or Security Patch Update may request it by going to the Support Portal and submitting a New Case.