Indexer denial-of-service via malformed S2S request

Advisory ID: SVD-2022-0301

CVE ID: CVE-2021-3422

Published: 2022-03-24

Last Update: 2022-05-03

CVSSv3.1 Score: 7.5, High

CWE: CWE-125

Bug ID: SPL-198396


The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. See Enable a receiver for more information on configuring an indexer to listen for UF traffic. It does not impact Universal Forwarders.

When Splunk forwarding is secured using TLS or a Token, the attack requires compromising the certificate or token, or both. As a partial mitigation and a security best practice, see Configure Splunk forwarding to use your own SSL certificates and Control forwarder access. Implementation of either or both reduces the severity to Medium.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise7.3-7.3.8 and earlier7.3.9
Splunk Enterprise8.0-8.0.0 to
Splunk Enterprise8.1-8.1.0 to
Splunk Enterprise8.2-Not affected-



Sharon Brizinov and Tal Keren of Claroty


2022-05-03: Added CWE and Security Content references and links