Indexing blockage via malformed data sent through S2S or HEC protocols in Splunk Enterprise

Advisory ID: SVD-2022-1112

CVE ID: CVE-2022-43572

Published: 2022-11-02

Last Update: 2022-11-02

CVSSv3.1 Score: 7.5, High, High

CWE: CWE-400

Bug ID: SPL-224974

Description

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, sending a malformed file through the Splunk-to-Splunk (S2S) or HTTP Event Collector (HEC) protocols to an indexer results in a blockage or denial-of-service preventing further indexing.

Solution

For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.

For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.

Product Status

Product               | Version | Component | Affected Version   | Fix Version
Splunk Enterprise     | 8.1     | Indexing  | 8.1.11 and lower   | 8.1.12
Splunk Enterprise     | 8.2     | Indexing  | 8.2.0 to 8.2.8     | 8.2.9
Splunk Enterprise     | 9.0     | Indexing  | 9.0.0 to 9.0.1     | 9.0.2
Splunk Cloud Platform |         | Indexing  | 9.0.2209 and lower | 9.0.2209.3

Mitigations and Workarounds

Configuring Splunk indexing and forwarding to use TLS certificates partially mitigates the vulnerability and increases the complexity of exploiting it, which reduces the severity to Medium.

Detections

None

Severity

Splunk rates the vulnerability as High, 7.5, with a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

If you have configured Splunk indexing and forwarding to use TLS certificates, the vulnerability requires compromise of an HEC token, a pass4symmkey, a universal forwarder or client private certificate (when enabled), or a certificate authority certificate chain. These requirements increase the complexity of the attack and prevent an attacker from exploiting the vulnerability without putting in a meaningful amount of preparation, reducing the severity to Medium, 5.9, with a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.
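The TLS mitigation referenced in the Mitigations and Severity sections, shown as an added configuration example that is not part of the advisory: the cleartext S2S listener the High rating assumes, beside a hardened indexer (inputs.conf, server.conf) and forwarder (outputs.conf) setup that requires a client certificate for S2S and HEC. Certificate paths, hostnames, the common name and the output group name are assumptions chosen for this example.

```ini
# Added example, not from the advisory. Paths, hostnames, CN and group name are assumed.

# --- indexer: inputs.conf ---
# Baseline behind the High (AC:L) rating: a cleartext S2S listener that accepts
# data from any client able to reach TCP/9997. Remove it once TLS is in place:
#   [splunktcp:9997]
#   disabled = 0

# Hardened S2S listener: TLS plus client certificate verification, so sending
# data to the indexer first requires a trusted client cert or the CA chain,
# which is what moves the rating to AC:H / Medium 5.9.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem   # assumed path
sslPassword = <server key passphrase>
requireClientCert = true
sslVersions = tls1.2
sslCommonNameToCheck = forwarder.example.internal        # assumed client CN

# HEC on the same indexer: TLS and client certificates on top of the token,
# so a leaked token alone is not enough to reach the indexing pipeline.
[http]
disabled = 0
enableSSL = 1
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem   # assumed path
sslPassword = <server key passphrase>
requireClientCert = true
sslVersions = tls1.2

# --- indexer: server.conf ---
# CA chain used to validate forwarder and HEC client certificates.
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem     # assumed path

# --- forwarder: outputs.conf ---
[tcpout]
defaultGroup = indexers_tls                              # assumed group name

[tcpout:indexers_tls]
server = indexer.example.internal:9997                   # assumed indexer host
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem # assumed path
sslPassword = <client key passphrase>
sslVerifyServerCert = true
sslCommonNameToCheck = indexer.example.internal          # assumed server CN
```

Restart splunkd on both sides after the change and confirm that a forwarder without a valid client certificate is rejected by the indexer before retiring the cleartext listener.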