S2S TcpToken authentication bypass
Advisory ID: SVD-2022-0503
CVE ID: CVE-2021-31559
Published: 2022-05-03
Last Update: 2022-05-03
CVSSv3.1 Score: 7.5, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-288
Bug ID: SPL-203370
Description
A crafted request bypasses S2S TCP Token authentication writing arbitrary events to an index in Splunk Enterprise Indexer 8.1 versions before 8.1.5 and 8.2 versions before 8.2.1. The vulnerability impacts Indexers configured to use TCPTokens. It does not impact Universal Forwarders.
See Enable a receiver for more information on configuring an indexer to listen for UF traffic. See Control forwarder access for more information on securing UF to Indexer traffic with TcpTokens.
When Splunk forwarding is secured using TLS, the attack requires compromising the certificate. As a partial mitigation and a security best practice, see Configure Splunk forwarding to use your own SSL certificates. Implementation reduces the severity to Medium.
Solution
Upgrade Splunk Enterprise Indexer 8.1 versions to 8.1.5 or later and 8.2.0 versions to 8.2.1 or later.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | - | 8.1.4 and earlier | 8.1.5 |
| Splunk Enterprise | 8.2 | - | 8.2.0 | 8.2.1 |
The vulnerability does not impact Splunk Cloud Platform instances.
Acknowledgments
Chris Samley at GE
Changelog
2022-05-26: Added “Chris Samley at GE” to the Acknowledgments section.