Indexing blockage via malformed data sent through S2S or HEC protocols in Splunk Enterprise
Advisory ID: SVD-2022-1112
CVE ID: CVE-2022-43572
Last Update: 2022-11-02
CVSSv3.1 Score: 7.5, High, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Bug ID: SPL-224974
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, sending a malformed file through the Splunk-to-Splunk (S2S) or HTTP Event Collector (HEC) protocols to an indexer results in a blockage or denial-of-service preventing further indexing.
For Splunk Enterprise, upgrade to version 8.1.12, 8.2.9, 9.0.2, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
|Product|Version|Component|Affected Version|Fix Version|
|---|---|---|---|---|
|Splunk Enterprise|8.1|Indexing|8.1.11 and lower|8.1.12|
|Splunk Enterprise|8.2|Indexing|8.2.0 to 8.2.8|8.2.9|
|Splunk Enterprise|9.0|Indexing|9.0.0 to 9.0.1|9.0.2|
|Splunk Cloud Platform| |Indexing|9.0.2209 and lower|9.0.2209.3|
Mitigations and Workarounds
Configuring Splunk indexing and forwarding to use TLS certificates partially mitigates the vulnerability and increases the complexity of exploiting it, which reduces the severity to Medium.
Splunk rates the vulnerability as High, 7.5, with a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
If you have configured Splunk indexing and forwarding to use TLS certificates, exploiting the vulnerability requires compromise of an HEC token, a pass4symmkey, a universal forwarder or client private certificate (when enabled), or a certificate authority certificate chain. These requirements increase the complexity of the attack and prevent an attacker from exploiting the vulnerability without a meaningful amount of preparation, reducing the severity to Medium, 5.9, with a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.
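The TLS hardening the advisory describes, as an added configuration example that is not part of the advisory: indexer-side inputs.conf stanzas for S2S and HEC with mutual certificate verification, beside the weak plaintext setting, plus the matching forwarder-side outputs.conf. Hostnames, certificate paths, the output group name and the HEC token name are assumptions to adapt to your deployment.

```ini
# ---- inputs.conf on the indexer (assumed: $SPLUNK_HOME/etc/system/local/inputs.conf) ----

# Weak: plaintext S2S input; any host that can reach port 9997 can send data.
# [splunktcp://9997]
# disabled = 0

# Hardened: S2S over TLS; the sender must present a certificate issued by the
# CA in the indexer's trust chain, so an unauthenticated sender never reaches the input.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# assumed certificate path
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
# set the key password with the Splunk CLI so it is stored encrypted
sslPassword = <key password>
requireClientCert = true
# assumed forwarder certificate common name
sslCommonNameToCheck = forwarder.example.com

# HEC: TLS on, client certificate required, one token per data source.
[http]
disabled = 0
port = 8088
enableSSL = 1
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
requireClientCert = true

[http://app-logs]
disabled = 0
# generate the token in Splunk Web or via REST; do not share it across sources
token = <generated token>
index = app

# ---- outputs.conf on the universal forwarder (assumed: $SPLUNK_HOME/etc/system/local/outputs.conf) ----
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# assumed indexer host
server = indexer.example.com:9997
# assumed client certificate path
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <key password>
sslVerifyServerCert = true
sslCommonNameToCheck = indexer.example.com
```

Splunk .conf files only treat a line beginning with `#` as a comment, so keep the comments above on their own lines when copying.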