Malformed ZIP file crashes Universal Forwarders and Splunk Enterprise through file monitoring input
Advisory ID: SVD-2022-0803
CVE ID: CVE-2022-37439
Last Update: 2022-08-16
CVSSv3.1 Score: 5.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Bug ID: TBD
In the Splunk Enterprise and Universal Forwarder versions listed in the following table, indexing a specially crafted ZIP file through the file monitoring input can crash the application. Restarting the application results in another crash until the malformed file is removed manually. The vulnerability does not affect Splunk Enterprise 9.0 or higher.
For Splunk Enterprise and Universal Forwarder customers, upgrade versions to 8.1.11, 220.127.116.11, or higher.
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Universal Forwarder | 8.1 | Monitor Processor | 8.1.10 and lower | 8.1.11 |
| Universal Forwarder | 8.2 | Monitor Processor | 8.2.0 to 8.2.7 | 18.104.22.168 |
| Universal Forwarder | 9.0 | - | Not affected | - |
| Splunk Enterprise | 8.1 | Monitor Processor | 8.1.10 and lower | 8.1.11 |
| Splunk Enterprise | 8.2 | Monitor Processor | 8.2.0 to 8.2.7 | 22.214.171.124 |
| Splunk Enterprise | 9.0 | - | Not affected | - |
Mitigations and Workarounds
This search lets an operator retroactively identify potential Splunk app crashes resulting from SVD-2022-0803. It cannot detect the attack before a crash occurs. The search surfaces Universal Forwarder errors caused by uploaded binary or compressed ZIP files, which this attack uses. Treat any results as candidates for further investigation to determine whether a malformed ZIP file caused the crash, keeping in mind that the file extension might have been altered.
Splunk rates the vulnerability as Medium. Exploitation requires local access with privileges to write to a monitored directory that is not restricted to the Splunk, system, or root user. Hence, Splunk rates the vulnerability as 5.5 with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
If your Splunk Enterprise instance monitors only the default directories that the $SPLUNK_HOME/etc/system/default/inputs.conf configuration file defines, then the instance is not affected and the vulnerability is informational. In addition, the vulnerability is informational if the filesystem privileges required to write to the monitored directories are root, system or the Splunk user.
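The exposure criterion above (a monitored directory writable by someone other than root, system, or the Splunk account) can be checked directly against inputs.conf. The script below is an added example, not Splunk's own tooling: it parses `[monitor://...]` stanzas, resolves each to the directory being watched, and flags directories whose owner is not a trusted uid or whose group/other write bits are set. The trusted uid set and the constructed directories are assumptions for the demo.

```python
import os
import re
import stat
import tempfile

# Matches the path part of a [monitor://<path>] stanza header in inputs.conf
MONITOR_RE = re.compile(r"^\[monitor://(.+)\]$")


def monitored_paths(conf_text):
    """Return the path of every [monitor://...] stanza; other input types are ignored."""
    paths = []
    for line in conf_text.splitlines():
        m = MONITOR_RE.match(line.strip())
        if m:
            paths.append(m.group(1))
    return paths


def monitored_directory(path):
    """Reduce a monitor path to the directory a file could be dropped into."""
    last = os.path.basename(path)
    if any(ch in last for ch in "*?[") or os.path.isfile(path):
        return os.path.dirname(path)
    return path


def writable_by_untrusted(dirpath, trusted_uids):
    """True if the owner is untrusted or group/other may write into the directory."""
    st = os.stat(dirpath)
    if st.st_uid not in trusted_uids:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_monitor_dirs(conf_text, trusted_uids):
    """Monitored directories where a local, non-trusted user could place a file."""
    risky = []
    for p in monitored_paths(conf_text):
        d = monitored_directory(p)
        if os.path.isdir(d) and writable_by_untrusted(d, trusted_uids):
            risky.append(d)
    return risky


def demo():
    """Constructed scenario: one locked-down log directory and one world-writable drop zone."""
    base = tempfile.mkdtemp()
    locked, dropzone = os.path.join(base, "applogs"), os.path.join(base, "dropzone")
    os.mkdir(locked); os.chmod(locked, 0o755)
    os.mkdir(dropzone); os.chmod(dropzone, 0o1777)
    conf = f"[monitor://{locked}]\nsourcetype = app\n\n[monitor://{dropzone}/*.zip]\nsourcetype = archive\n"
    trusted = {0, os.getuid()}  # assumption: root plus the account running Splunk (this process)
    return risky_monitor_dirs(conf, trusted), dropzone
```

Run `demo()` on a host to see the shape of the output; point `risky_monitor_dirs` at the text of a real `$SPLUNK_HOME/etc/apps/*/local/inputs.conf` to audit an actual deployment.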
Tim Ip at Adobe and Collegiate Penetration Testing Competition (CPTC)