Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon
Advisory ID: SVD-2023-0211
CVE ID: CVE-2023-22941
Last Update: 2023-02-14
CVSSv3.1 Score: 6.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Bug ID: SPL-232645
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).
For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, 9.0.4, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
|Product||Version||Component||Affected Version||Fix Version|
|Splunk Enterprise||8.1||Splunk Web||8.1.12 and lower||8.1.13|
|Splunk Enterprise||8.2||Splunk Web||8.2.0 to 8.2.9||8.2.10|
|Splunk Enterprise||9.0||Splunk Web||9.0.0 to 9.0.3||9.0.4|
|Splunk Cloud Platform||-||Splunk Web||9.0.2209 and lower||9.0.2212|
Mitigations and Workarounds
This hunting search provides information on who executed the crashing command, and when and how often the command was executed.
Splunk rated the vulnerability as Medium, 6.5, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability requires compromising a user account with the capability to create or edit a Field transformation or run the ‘ingestpreview’ command via Search.
James Ervin, Splunk