Splunk response to "shellshock" vulnerabilities
Advisory ID: SP-CAAANJN
CVE ID: CVE-2014-6271, CVE-2014-7169
Published: 2014-09-29
Last Update: 2014-09-30
CVSSv3.1 Score: -
CVSSv3.1 Vector: -
CWE: -
Bug ID: -
Description
Splunk response to “shellshock” vulnerabilities:
- Splunk Enterprise response to Bash “shellshock” parsing attack (CVE-2014-6271, CVE-2014-7169)
- Splunk Cloud response to Bash “shellshock” parsing attack (CVE-2014-6271, CVE-2014-7169)
- Splunk MINT response to Bash “shellshock” parsing attack (CVE-2014-6271, CVE-2014-7169)
- Splunk Storm response to Bash “shellshock” parsing attack (CVE-2014-6271, CVE-2014-7169)
At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no CVE Identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2.
Products and Components Affected
- Splunk Enterprise
  - Affected versions: All versions of Splunk Enterprise 6.1.x, 6.0.x, and 5.0.x.
  - This does affect: Search heads, heavy forwarders with Splunk Web enabled, and indexers with Splunk Web enabled.
- Splunk Hunk
  - Affected versions: All versions of Splunk Hunk 6.1.x and 6.0.x.
  - This does affect: Search heads.
- Splunk Cloud
  - Affected service: Splunk Cloud completed updates on September 26, 2014.
- Splunk MINT
  - Affected service: Splunk MINT completed updates as of September 25, 2014.
- Splunk Storm
  - Affected service: Splunk Storm completed updates on September 26, 2014.
Upgrades and Patches
Splunk Enterprise
To mitigate these issues, Splunk recommends upgrading bash per operating system vendor instructions.
Splunk Hunk
To mitigate these issues, Splunk recommends upgrading bash per operating system vendor instructions.
Splunk Cloud
No customer action required.
Splunk MINT
No customer action required.
Splunk Storm
No customer action required.
Vulnerability Descriptions and Ratings
Splunk Enterprise response to Bash “shellshock” parsing attack (CVE-2014-6271, CVE-2014-7169)
Description: Splunk Enterprise 5.0.9, 6.0.6, 6.1.3 are not directly vulnerable in a default installation. If a Splunk Enterprise administrator installs a custom scripted alert that involves bash, an authenticated Splunk user could exploit the bash vulnerability. Custom scripted alerts may be present due to the installation of additional Splunk apps.
The appropriate fix is to apply relevant operating system patches to fix the vulnerability.
CVSS Base Score 10.0
CVSS Impact Subscore 7.5
CVSS Exploitability Subscore 10.0
Overall CVSS Score 8.5
Splunk Hunk response to Bash “shellshock” parsing attack (CVE-2014-6271, CVE-2014-7169)
Description: Splunk Hunk 6.0.6 and 6.1.3 are not directly vulnerable in a default installation. If a Splunk Hunk administrator installs a custom scripted alert that involves bash, an authenticated Splunk user could exploit the bash vulnerability. Custom scripted alerts may be present due to the installation of additional Splunk apps.
The appropriate fix is to apply relevant operating system patches to fix the vulnerability.
CVSS Base Score 10.0
CVSS Impact Subscore 7.5
CVSS Exploitability Subscore 10.0
Overall CVSS Score 8.5
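To locate the custom scripted alerts that the Splunk Enterprise and Splunk Hunk descriptions above refer to, the following added example (not Splunk's code and not part of the original advisory) inventories alert scripts that involve bash. It assumes the legacy scripted-alert locations `$SPLUNK_HOME/bin/scripts` and `$SPLUNK_HOME/etc/apps/<app>/bin/scripts` and the `action.script.filename` setting in `savedsearches.conf`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Splunk code): list scripted-alert scripts that involve bash.
# Assumed layout: $SPLUNK_HOME/bin/scripts and $SPLUNK_HOME/etc/apps/<app>/bin/scripts.

# Classify one script: bash shebang, sh shebang (sh may be bash on the host),
# or any other file whose body mentions bash. Prints nothing otherwise.
bash_usage() {
    first=""
    IFS= read -r first < "$1" || true
    case "$first" in
        '#!'*bash*) echo "bash-shebang"; return 0 ;;
        '#!'*/sh | '#!'*/sh' '* | '#!'*'env sh'*) echo "sh-shebang"; return 0 ;;
    esac
    if grep -q 'bash' "$1" 2>/dev/null; then echo "mentions-bash"; fi
}

# Walk both script directories and print "<class><TAB><path relative to root>".
audit_alert_scripts() {
    root=$1
    for dir in "$root"/bin/scripts "$root"/etc/apps/*/bin/scripts; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            usage=$(bash_usage "$f")
            if [ -n "$usage" ]; then
                printf '%s\t%s\n' "$usage" "${f#"$root"/}"
            fi
        done
    done
}

# List script names that saved searches actually run (action.script.filename).
configured_alert_scripts() {
    find "$1/etc" -name savedsearches.conf -exec \
        sed -n 's/^[[:space:]]*action\.script\.filename[[:space:]]*=[[:space:]]*//p' {} + \
        2>/dev/null | sort -u
}

# Run against a real installation only when SPLUNK_HOME is set.
if [ -n "${SPLUNK_HOME:-}" ]; then
    audit_alert_scripts "$SPLUNK_HOME"
    configured_alert_scripts "$SPLUNK_HOME"
fi
```

Scripts reported by both functions are the ones an alert can actually launch through bash, so hosts carrying them are the first to receive the operating system vendor's bash update.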
Splunk Cloud response to Bash “shellshock” parsing attack (CVE-2014-6271, CVE-2014-7169)
Description: Splunk Cloud completed precautionary infrastructure updates on September 26, 2014.
Splunk MINT response to Bash “shellshock” parsing attack (CVE-2014-6271, CVE-2014-7169)
Description: Splunk MINT completed precautionary infrastructure updates on September 25, 2014.
Splunk Storm response to Bash “shellshock” parsing attack (CVE-2014-6271, CVE-2014-7169)
Description: Splunk Storm completed precautionary infrastructure updates on September 26, 2014.
Document History
- 2014-Sep-29: Rev 1. Initial Release
- 2014-Sep-30: Rev 2. Corrected missing “be”