Remote Code Execution via the Splunk Secure Gateway application Mobile Alerts feature
Advisory ID: SVD-2022-1107
CVE ID: CVE-2022-43567
Last Update: 2022-11-02
CVSSv3.1 Score: 8.8, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Bug ID: SPL-226837
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.
For Splunk Enterprise, upgrade to version 8.1.12, 8.2.9, 9.0.2, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Secure Gateway | 8.1.11 and lower | 8.1.12 |
| Splunk Enterprise | 8.2 | Splunk Secure Gateway | 8.2.0 to 8.2.8 | 8.2.9 |
| Splunk Enterprise | 9.0 | Splunk Secure Gateway | 9.0.0 to 9.0.1 | 9.0.2 |
| Splunk Cloud Platform | Splunk Secure Gateway | Splunk Web | 9.0.2203.4 and lower | 9.0.2205 |
Mitigations and Workarounds
The vulnerability requires access to the Splunk Secure Gateway app. Removing, disabling, or uninstalling the app, or restricting access to the app to administrators, remediates the vulnerability. See "Manage app and add-on objects" in the Splunk documentation for how to change an app's role permissions.
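The following script is an added example, not Splunk's own code or part of this advisory. It performs the two checks a defender would want after reading the table and the workaround above: whether a Splunk Enterprise version falls inside an affected range, and whether the app's metadata restricts read and write access to the admin role (the "restrict access to administrators" workaround). It assumes the app directory is named `splunk_secure_gateway` and that access rules live in the app-wide `[]` stanza of `metadata/local.meta` in the standard `access = read : [ ... ], write : [ ... ]` form; the sample file contents are constructed for illustration.

```python
import re
from typing import Optional

# Fix versions taken from the advisory table (SVD-2022-1107), keyed by release branch.
FIX_VERSIONS = {
    (8, 1): (8, 1, 12),
    (8, 2): (8, 2, 9),
    (9, 0): (9, 0, 2),
}

# Assumed app directory name under $SPLUNK_HOME/etc/apps (not stated in the advisory).
APP_DIR = "splunk_secure_gateway"


def parse_version(version: str) -> tuple:
    """Turn '8.2.8' into (8, 2, 8) so versions compare in the right order."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """True if a Splunk Enterprise version is below the fix for its branch.

    Returns False for fixed versions (including any branch newer than 9.0, which
    the advisory covers with "9.0.2 or higher") and None for branches older than
    8.1, which the table does not list and which should be checked manually.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIX_VERSIONS:
        return v < FIX_VERSIONS[branch]
    if branch > max(FIX_VERSIONS):
        return False
    return None


def _stanza(conf: str, name: str) -> str:
    """Return the body lines of the [name] stanza from a Splunk .conf/.meta file."""
    current, body = None, []
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            continue
        if current == name:
            body.append(line)
    return "\n".join(body)


_ACCESS_RE = re.compile(
    r"^\s*access\s*=\s*read\s*:\s*\[([^\]]*)\]\s*,\s*write\s*:\s*\[([^\]]*)\]",
    re.MULTILINE,
)


def app_restricted_to_admin(local_meta: str) -> bool:
    """True only if the app-wide [] stanza grants read AND write solely to 'admin'.

    A missing access line is treated as not restricted: without an explicit rule
    the app inherits whatever default.meta grants, which this check cannot see.
    """
    m = _ACCESS_RE.search(_stanza(local_meta, ""))
    if not m:
        return False
    roles = lambda s: {r.strip() for r in s.split(",") if r.strip()}
    return roles(m.group(1)) == {"admin"} and roles(m.group(2)) == {"admin"}


def app_disabled(app_conf: str) -> bool:
    """True if app.conf's [install] stanza sets state = disabled."""
    m = re.search(r"^\s*state\s*=\s*(\w+)", _stanza(app_conf, "install"), re.MULTILINE)
    return bool(m) and m.group(1).lower() == "disabled"


def assess(server_version: str, local_meta: str, app_conf: str) -> dict:
    """Combine the version check with the workaround checks into one verdict."""
    affected = is_affected(server_version)
    mitigated = app_disabled(app_conf) or app_restricted_to_admin(local_meta)
    return {
        "version": server_version,
        "affected_version": affected,
        "workaround_in_place": mitigated,
        "action_needed": affected is True and not mitigated,
    }


if __name__ == "__main__":
    # Constructed sample inputs: an affected 8.2.x install whose app is still readable by all roles.
    SAMPLE_LOCAL_META = "[]\naccess = read : [ * ], write : [ admin ]\nexport = system\n"
    SAMPLE_APP_CONF = "[install]\nstate = enabled\n"
    print(assess("8.2.8", SAMPLE_LOCAL_META, SAMPLE_APP_CONF))
```

In practice the version comes from the `version` field of `/services/server/info` (or `splunk version` on the host) and the two files from `$SPLUNK_HOME/etc/apps/splunk_secure_gateway/metadata/local.meta` and `.../default/app.conf`; a result with `action_needed` set means the host is on an affected release and neither workaround from this advisory is in place.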
This detection search provides information on possible exploitation attempts against the Splunk Secure Gateway App Mobile Alerts feature.
Severity
Splunk rates the vulnerability as High, 8.8, with a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability lets a remote authenticated user execute arbitrary code on the server. If you removed the Splunk Secure Gateway app or restricted access to the app to administrators, there is no impact and the severity is Informational.
Acknowledgments
Danylo Dmytriiev (DDV_UA)