Remote Code Execution via the Splunk Secure Gateway application Mobile Alerts feature
Advisory ID: SVD-2022-1107
CVE ID: CVE-2022-43567
Published: 2022-11-02
Last Update: 2022-11-02
CVSSv3.1 Score: 8.8, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
Bug ID: SPL-226837
Description
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.
Solution
For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | Splunk Secure Gateway | 8.1.11 and lower | 8.1.12 |
Splunk Enterprise | 8.2 | Splunk Secure Gateway | 8.2.0 to 8.2.8 | 8.2.9 |
Splunk Enterprise | 9.0 | Splunk Secure Gateway | 9.0.0 to 9.0.1 | 9.0.2 |
Splunk Cloud Platform | Splunk Secure Gateway | Splunk Web | 9.0.2203.4 and lower | 9.0.2205 |
Mitigations and Workarounds
The vulnerability requires access to the Splunk Secure Gateway app. Removing, disabling, or uninstalling the app, or restricting access to the app to administrators, remediates the vulnerability. See the Splunk documentation topic "Manage app and add-on objects" for the procedure.
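The Product Status table and the workaround above translate directly into two checks an administrator can script across a fleet. The following is an added example, not code from the advisory or from Splunk: `is_affected` applies the table's Splunk Enterprise version ranges to a version string, and `restrict_app_to_admins` / `audit_app_access` write and read back the app-level `[]` stanza in `metadata/local.meta`, which is Splunk's file-based way of limiting an app's objects to a role. The app directory name `splunk_secure_gateway` and the temporary directory used by `demo()` are assumptions made for the example; the minimal `.meta` parser handles only `stanza`/`key = value` lines and is not Splunk's own parser.

```python
"""Added example for SVD-2022-1107 / CVE-2022-43567 (not from the advisory).

1. is_affected(version): applies the advisory's Product Status table to a
   Splunk Enterprise version string.
2. restrict_app_to_admins(app_dir) / audit_app_access(app_dir): manage the
   app-wide [] stanza in metadata/local.meta so only the admin role can read
   or write the app's objects. Splunk applies .meta changes after the app is
   reloaded or the instance restarts.
"""
import os
import re
import tempfile

# First fixed patch release per Splunk Enterprise line, copied from the table.
FIXED_RELEASES = {
    (8, 1): (8, 1, 12),
    (8, 2): (8, 2, 9),
    (9, 0): (9, 0, 2),
}


def parse_version(version):
    """'8.2.8' -> (8, 2, 8); '9.0' -> (9, 0, 0). Extra components are ignored."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts[:3]] + [0] * (3 - min(len(parts), 3))
    return tuple(nums)


def is_affected(version):
    """True/False for lines listed in the advisory; None for lines it does not cover."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def _parse_meta(text):
    """Minimal .meta reader: {stanza_name: {key: value}} in file order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def _roles_with_read(access_value):
    """'read : [ admin ], write : [ admin ]' -> {'admin'}."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", access_value)
    if not m:
        return set()
    return {r.strip() for r in m.group(1).split(",") if r.strip()}


def restrict_app_to_admins(app_dir):
    """Set the [] stanza in metadata/local.meta to admin-only, keeping other stanzas."""
    meta_dir = os.path.join(app_dir, "metadata")
    os.makedirs(meta_dir, exist_ok=True)
    path = os.path.join(meta_dir, "local.meta")
    existing = ""
    if os.path.exists(path):
        with open(path) as f:
            existing = f.read()
    stanzas = _parse_meta(existing)
    app_level = stanzas.setdefault("", {})
    app_level["access"] = "read : [ admin ], write : [ admin ]"
    app_level["export"] = "none"
    with open(path, "w") as f:
        for name, kv in stanzas.items():
            f.write(f"[{name}]\n")
            for key, value in kv.items():
                f.write(f"{key} = {value}\n")
            f.write("\n")
    return path


def audit_app_access(app_dir):
    """Roles with app-level read access: local.meta wins over default.meta.
    An empty set means no explicit app-level access stanza was found."""
    for name in ("local.meta", "default.meta"):
        path = os.path.join(app_dir, "metadata", name)
        if os.path.exists(path):
            with open(path) as f:
                stanzas = _parse_meta(f.read())
            if "" in stanzas and "access" in stanzas[""]:
                return _roles_with_read(stanzas[""]["access"])
    return set()


def demo():
    """Constructed app directory: world-readable default.meta, then locked down."""
    app = os.path.join(tempfile.mkdtemp(), "splunk_secure_gateway")  # assumed app id
    os.makedirs(os.path.join(app, "metadata"))
    with open(os.path.join(app, "metadata", "default.meta"), "w") as f:
        f.write("[]\naccess = read : [ * ], write : [ admin ]\nexport = none\n")
    before = audit_app_access(app)
    restrict_app_to_admins(app)
    after = audit_app_access(app)
    return before, after


if __name__ == "__main__":
    for v in ("8.1.11", "8.2.9", "9.0.0"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(demo())
```

Uninstalling or disabling the app through Splunk Web or the `splunk` CLI, as the advisory describes, remains the simplest route; the file-based form is useful when the same change has to be pushed to many search heads by configuration management, and `audit_app_access` gives the evidence that it landed.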
Detections
Splunk provides a detection search that surfaces possible exploitation attempts against the Splunk Secure Gateway app Mobile Alerts feature.
Severity
Splunk rates the vulnerability as High, 8.8, with a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability lets a remote authenticated user execute arbitrary code on the server. If you removed the Splunk Secure Gateway app or restricted access to the app to administrators, there is no impact and the severity is Informational.
Acknowledgments
Danylo Dmytriiev (DDV_UA)