Indexing blockage via malformed data sent through S2S or HEC protocols in Splunk Enterprise
Advisory ID: SVD-2022-1112
CVE ID: CVE-2022-43572
Published: 2022-11-02
Last Update: 2022-11-02
CVSSv3.1 Score: 7.5, High, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
Bug ID: SPL-224974
Description
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, sending a malformed file through the Splunk-to-Splunk (S2S) or HTTP Event Collector (HEC) protocols to an indexer results in a blockage or denial-of-service preventing further indexing.
Solution
For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Indexing | 8.1.11 and lower | 8.1.12 |
| Splunk Enterprise | 8.2 | Indexing | 8.2.0 to 8.2.8 | 8.2.9 |
| Splunk Enterprise | 9.0 | Indexing | 9.0.0 to 9.0.1 | 9.0.2 |
| Splunk Cloud Platform | Indexing | 9.0.2209 and lower | 9.0.2209.3 |
Mitigations and Workarounds
Configure Splunk indexing and forwarding to use TLS certificates partially mitigates the vulnerability and increases the complexity of the vulnerability, which reduces the severity to Medium.
Detections
None
Severity
Splunk rates the vulnerability as High, 7.5, with a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
If you have Configured Splunk indexing and forwarding to use TLS certificates, the vulnerability requires compromise of a HEC token, a pass4symmkey, a universal forwarder or client private certificate (when enabled), or a certificate authority certificate chain. These requirements increase the complexity of the attack and prevent an attacker from exploiting the vulnerability without putting in a meaningful amount of preparation reducing the severity to Medium, 5.9 with a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.