Indexer denial-of-service via malformed S2S request
Advisory ID: SVD-2022-0301
CVE ID: CVE-2021-3422
Last Update: 2022-05-03
CVSSv3.1 Score: 7.5, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Bug ID: SPL-198396
The lack of validation of a key-value field in the Splunk-to-Splunk (S2S) protocol results in a denial of service in Splunk Enterprise instances configured to index Universal Forwarder (UF) traffic. See Enable a receiver for more information on configuring an indexer to listen for UF traffic. The vulnerability does not affect Universal Forwarders themselves.
When Splunk forwarding is secured using TLS or a token, the attack additionally requires compromising the certificate or the token, or both. As a partial mitigation and a security best practice, see Configure Splunk forwarding to use your own SSL certificates and Control forwarder access. Implementing either or both reduces the severity to Medium.
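As an added example (not from the advisory or from Splunk), the following Python check audits the receiver stanzas of an indexer's inputs.conf for the two mitigations named above: a TLS receiver backed by your own certificate with client certificates required, and a forwarder token. The sample inputs.conf, the certificate path and the placeholder values are constructed for this example.

```python
"""Audit Splunk indexer receiver stanzas (inputs.conf) for the
mitigations the advisory recommends: TLS with your own certificate
(client certificate required) and forwarder token control."""
import configparser
from typing import Dict, List

# Constructed sample inputs.conf: a plaintext receiver as enabled by
# default, plus a hardened TLS receiver. Not taken from the advisory.
SAMPLE_INPUTS_CONF = """
[splunktcp://9997]
disabled = 0

[splunktcp-ssl:9998]
disabled = 0
token = <forwarder-token-placeholder>

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = <password-placeholder>
requireClientCert = true
"""


def audit_receivers(conf_text: str) -> Dict[str, List[str]]:
    """Return {stanza: [findings]} for every splunktcp receiver stanza.
    An empty findings list means both mitigations are in place."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep Splunk's camelCase keys as written
    parser.read_string(conf_text)
    ssl = parser["SSL"] if parser.has_section("SSL") else {}
    results: Dict[str, List[str]] = {}
    for stanza in parser.sections():
        if stanza.startswith("splunktcp://"):
            # Plaintext S2S: unauthenticated hosts can reach the parser.
            findings = ["plaintext S2S receiver: use splunktcp-ssl with your own certificate"]
            if not parser[stanza].get("token"):
                findings.append("no forwarder token configured")
            results[stanza] = findings
        elif stanza.startswith("splunktcp-ssl:"):
            findings = []
            if not parser[stanza].get("token"):
                findings.append("no forwarder token configured")
            if not ssl.get("serverCert"):
                findings.append("[SSL] stanza has no serverCert")
            if str(ssl.get("requireClientCert", "false")).lower() not in ("true", "1"):
                findings.append("requireClientCert is not enabled")
            results[stanza] = findings
    return results
```

Run the audit against the real inputs.conf of each indexer that receives forwarder traffic; any stanza with findings still exposes the unauthenticated path described above.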
| Product | Version | Component | Affected Version | Fix Version |
| --- | --- | --- | --- | --- |
| Splunk Enterprise | 7.3 | - | 7.3.8 and earlier | 7.3.9 |
| Splunk Enterprise | 8.0 | - | 8.0.0 to 8.0.8 | 8.0.9 |
| Splunk Enterprise | 8.1 | - | 8.1.0 to 8.1.2 | 8.1.3 |
| Splunk Enterprise | 8.2 | - | Not affected | - |
Acknowledgements: Sharon Brizinov and Tal Keren of Claroty
2022-05-03: Added CWE and Security Content references and links