Denial of Service in Splunk Enterprise through search macros
Advisory ID: SVD-2022-1104
CVE ID: CVE-2022-43564
Published: 2022-11-02
Last Update: 2022-11-02
CVSSv3.1 Score: 4.9, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
Bug ID: SPL-220964
Description
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user who can create search macros and schedule search reports can cause a denial of service through the use of specially crafted search macros.
Solution
For Splunk Enterprise, upgrade to 8.1.12, 8.2.9, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | REST API | 8.1.11 and lower | 8.1.12 |
Splunk Enterprise | 8.2 | REST API | 8.2.0 to 8.2.8 | 8.2.9 |
Splunk Enterprise | 9.0 | Not affected | - | - |
Splunk Cloud Platform | - | REST API | 9.0.2203.4 and lower | 9.0.2205 |
Mitigations and Workarounds
You can place a proxy in front of the management (REST) port and filter requests to the '/services/search/parser' endpoint that include the option 'ignore_parse_error=t'. Either block those requests entirely or pass them through with that option removed. Other requests to the same endpoint do not trigger the denial of service.
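The filter logic the workaround describes, written out as an added example (this is not Splunk's code and not part of the advisory). It assumes the proxy can hand the request target and, for POST requests, the form-encoded body to a hook; `filter_request` then blocks the request or strips the parameter, as the advisory allows. Two assumptions beyond the advisory text are labelled in the code: the namespaced '/servicesNS/<user>/<app>/search/parser' form of the same endpoint is treated as equivalent, and the boolean spellings Splunk commonly accepts besides 't' are treated as true. The same check is run over a few constructed splunkd_access.log-style lines to show what a retroactive search for such requests can and cannot see.

```python
"""Proxy-side filter for the SVD-2022-1104 workaround (added example, not Splunk code)."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the namespaced /servicesNS/<user>/<app>/ prefix reaches the same
# endpoint, so it is filtered too; the advisory only names /services/search/parser.
PARSER_PATH_RE = re.compile(r"^/(?:services|servicesNS/[^/]+/[^/]+)/search/parser/?$")
PARAM = "ignore_parse_error"
# Assumption: Splunk's usual boolean spellings; the advisory cites only "t".
TRUE_VALUES = {"t", "true", "1", "y", "yes"}


def is_parser_endpoint(path: str) -> bool:
    """True for the search/parser REST endpoint (plain or namespaced form)."""
    return bool(PARSER_PATH_RE.match(path))


def _has_flag(pairs) -> bool:
    return any(k == PARAM and v.strip().lower() in TRUE_VALUES for k, v in pairs)


def _strip_flag(pairs):
    return [(k, v) for k, v in pairs if k != PARAM]


def filter_request(target: str, body: str = "", mode: str = "strip"):
    """Decide what the proxy does with one request.

    target: request-target as seen on the wire (path plus optional query string).
    body:   optional application/x-www-form-urlencoded POST body.
    mode:   "strip" removes the parameter and forwards; "block" rejects the request.
    Returns (action, target, body) with action in {"pass", "block", "stripped"}.
    """
    if mode not in ("strip", "block"):
        raise ValueError("mode must be 'strip' or 'block'")
    parts = urlsplit(target)
    if not is_parser_endpoint(parts.path):
        return "pass", target, body          # other endpoints are untouched
    q_pairs = parse_qsl(parts.query, keep_blank_values=True)
    b_pairs = parse_qsl(body, keep_blank_values=True)
    if not (_has_flag(q_pairs) or _has_flag(b_pairs)):
        return "pass", target, body          # advisory: other parser requests are harmless
    if mode == "block":
        return "block", target, body
    new_target = urlunsplit(parts._replace(query=urlencode(_strip_flag(q_pairs))))
    new_body = urlencode(_strip_flag(b_pairs)) if body else body
    return "stripped", new_target, new_body


# Constructed sample lines in the style of splunkd_access.log (not real log data).
SAMPLE_LOG = [
    '10.0.0.5 - alice [02/Nov/2022:10:15:01.000 +0000] "GET /services/search/parser?q=search%20index%3Dmain&ignore_parse_error=t HTTP/1.1" 200 512 - - - 3ms',
    '10.0.0.5 - bob [02/Nov/2022:10:15:02.000 +0000] "GET /services/search/parser?q=search%20index%3Dmain HTTP/1.1" 200 512 - - - 2ms',
    '10.0.0.7 - carol [02/Nov/2022:10:15:03.000 +0000] "POST /servicesNS/carol/search/search/parser?ignore_parse_error=true HTTP/1.1" 200 512 - - - 2ms',
    '10.0.0.7 - dave [02/Nov/2022:10:15:04.000 +0000] "GET /services/search/jobs?ignore_parse_error=t HTTP/1.1" 200 512 - - - 2ms',
]
ACCESS_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Return the access-log lines whose request the proxy would have blocked.

    Caveat: access logs record the request-target only, so a flag sent in a
    POST body is invisible here; only the proxy sees that case.
    """
    hits = []
    for line in lines:
        m = ACCESS_LINE_RE.search(line)
        if m and filter_request(m.group("target"), mode="block")[0] == "block":
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(filter_request("/services/search/parser?q=search+index%3Dmain&ignore_parse_error=t"))
    for hit in scan_access_log(SAMPLE_LOG):
        print("would block:", hit)
```

In the sample log, alice's and carol's requests are flagged, bob's is a normal parser call and passes, and dave's carries the parameter on a different endpoint and is left alone, matching the advisory's statement that only this endpoint with this option is affected.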
Detections
None
Severity
Splunk rates the vulnerability as Medium, 4.9, with a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H