Indexer denial-of-service via malformed S2S request
Advisory ID: SVD-2022-0301
CVE ID: CVE-2021-3422
Published: 2022-03-24
Last Update: 2022-05-03
CVSSv3.1 Score: 7.5, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-125
Bug ID: SPL-198396
Description
Missing validation of a key-value field in the Splunk-to-Splunk (S2S) protocol results in a denial of service on Splunk Enterprise instances configured to index Universal Forwarder traffic. See Enable a receiver for more information on configuring an indexer to listen for UF traffic. Universal Forwarders themselves are not affected.
When Splunk forwarding is secured with TLS or a token, the attack additionally requires a compromised certificate or token (or both). As a partial mitigation and a security best practice, see Configure Splunk forwarding to use your own SSL certificates and Control forwarder access. Implementing either or both reduces the severity to Medium.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 7.3 | - | 7.3.8 and earlier | 7.3.9 |
Splunk Enterprise | 8.0 | - | 8.0.0 to 8.0.8 | 8.0.9 |
Splunk Enterprise | 8.1 | - | 8.1.0 to 8.1.2 | 8.1.3 |
Splunk Enterprise | 8.2 | - | Not affected | - |
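As an added example (not code from Splunk or from this advisory), the following Python helper audits an indexer's inputs.conf for enabled S2S receiving stanzas that rely on neither of the two mitigations named in the Description (TLS or a forwarder token), and maps a Splunk Enterprise version onto the fix version from the Product Status table above. It assumes the stanza and key names used in Splunk's inputs.conf documentation (`[splunktcp://<port>]`, `[splunktcp-ssl:<port>]`, `token`, `disabled`, and `requireClientCert` under `[SSL]`); the embedded inputs.conf is constructed sample data. Versions outside the three listed lines (below 7.3, or 8.2 and later) return None, since the table lists no fix for them.

```python
"""Added audit helper for the advisory above (not Splunk's own code).

Assumptions, labelled here as in the lead-in: stanza and key names follow
Splunk's inputs.conf documentation; the sample conf below is constructed.
"""
import configparser
from dataclasses import dataclass

# Affected ranges and fix versions, copied from the Product Status table.
# 8.2 is listed as not affected; versions below 7.3 are not in the table.
AFFECTED_RANGES = [
    ((7, 3, 0), (7, 3, 8), "7.3.9"),
    ((8, 0, 0), (8, 0, 8), "8.0.9"),
    ((8, 1, 0), (8, 1, 2), "8.1.3"),
]


def parse_version(text: str) -> tuple:
    """Turn '8.1.2' into (8, 1, 2); pad missing components with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def fix_version_for(version: str):
    """Return the fix version if `version` falls in an affected range, else None."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return fix
    return None


@dataclass
class ReceiverFinding:
    stanza: str
    tls: bool          # stanza is a splunktcp-ssl receiver
    token: bool        # a non-empty `token` is set on the receiver
    client_cert: bool  # TLS receiver and requireClientCert = true under [SSL]
    mitigated: bool    # TLS or token present (advisory: severity drops to Medium)


def audit_receivers(inputs_conf_text: str) -> dict:
    """Return one ReceiverFinding per enabled S2S receiving stanza, keyed by stanza."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's camelCase key names as written
    cp.read_string(inputs_conf_text)

    ssl_stanza = cp["SSL"] if cp.has_section("SSL") else {}
    client_cert = str(ssl_stanza.get("requireClientCert", "false")).strip().lower() == "true"

    findings = {}
    for stanza in cp.sections():
        if stanza.startswith("splunktcp-ssl"):
            tls = True
        elif stanza.startswith("splunktcp://"):
            tls = False
        else:
            continue  # not an S2S receiving stanza
        section = cp[stanza]
        if section.get("disabled", "0").strip().lower() in ("1", "true"):
            continue  # a disabled receiver is not listening
        token = bool(section.get("token", "").strip())
        findings[stanza] = ReceiverFinding(
            stanza=stanza, tls=tls, token=token,
            client_cert=tls and client_cert,
            mitigated=tls or token,
        )
    return findings


# Constructed sample inputs.conf (not from any real deployment).
SAMPLE_INPUTS_CONF = """\
[splunktcp://9997]
disabled = 0

[splunktcp-ssl:9998]
disabled = 0
token = EXAMPLE-TOKEN-PLACEHOLDER

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myServerCert.pem
requireClientCert = true

[splunktcp://9999]
disabled = 1
"""


def report(inputs_conf_text: str, version: str) -> list:
    """Human-readable lines combining the version check and the receiver audit."""
    lines = []
    fix = fix_version_for(version)
    lines.append(f"Splunk Enterprise {version}: "
                 + (f"affected, upgrade to {fix}" if fix else "not in an affected range"))
    for f in audit_receivers(inputs_conf_text).values():
        status = "mitigated (Medium)" if f.mitigated else "UNMITIGATED (High)"
        lines.append(f"{f.stanza}: tls={f.tls} token={f.token} "
                     f"clientCert={f.client_cert} -> {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INPUTS_CONF, "8.1.2")))
```

On the sample, the plaintext receiver on 9997 is reported as unmitigated, the TLS receiver on 9998 (with a token and client-certificate requirement) as mitigated, and the disabled receiver on 9999 is skipped; a real audit would read `$SPLUNK_HOME/etc/system/local/inputs.conf` and any app-level inputs.conf that also defines receivers.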
Detections
Acknowledgments
Sharon Brizinov and Tal Keren of Claroty
Changelog
2022-05-03: Added CWE and Security Content references and links