Cross-Site Request Forgery in the ‘ssg/kvstore_client’ REST Endpoint in Splunk Enterprise
Advisory ID: SVD-2023-0212
CVE ID: CVE-2023-22942
Published: 2023-02-14
Last Update: 2023-02-14
CVSSv3.1 Score: 5.4, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CWE: CWE-352
Bug ID: SPL-232619
Description
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the ‘kvstore_client’ REST endpoint lets a potential attacker update SSG App Key Value Store (KV store) collections using an HTTP GET request. SSG is a Splunk-built app that comes with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled.
Solution
For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, 9.0.4, or higher.
For Splunk Cloud Platform, Splunk is actively patching the Splunk Secure Gateway app and monitoring the Splunk Cloud instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | Splunk Web | 8.1.12 and lower | 8.1.13 |
Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.9 | 8.2.10 |
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.3 | 9.0.4 |
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
Splunk Secure Gateway is a Splunk-built app that comes with Splunk Enterprise. If the Splunk instance does not use the SSG functionality, disable or delete the app. See Manage app and add-on objects for more information.
The SSG app is not available for download or direct update through Splunkbase.
Detections
This hunting search provides information on REST method and post data that might reveal exploitation of this vulnerability.
Severity
Splunk rated the vulnerability as Medium, 5.4, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L. The impact endpoint has limited functionality to edit minor configurations and disable minor functionality.
If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational. If the Splunk Enterprise instance disabled or removed the SSG, there is no impact and the severity is Informational.
Acknowledgments
Anton (therceman)