Modular Input REST API Requests Connect via HTTP after Certificate Validation Failure in Splunk Add-on Builder and Splunk CloudConnect SDK
Advisory ID: SVD-2023-0213
CVE ID: CVE-2023-22943
Published: 2023-02-14
Last Update: 2023-02-14
CVSSv3.1 Score: 4.8, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE: CWE-636
Bug ID: ADDON-58725
DescriptionPermalink
In Splunk Add-on Builder (AoB) versions below 4.1.2 and the Splunk CloudConnect SDK versions below 3.1.3, requests to third-party APIs through the REST API Modular Input incorrectly revert to using HTTP to connect after a failure to connect over HTTPS occurs. The vulnerability affects AoB and apps that AoB generates when using the REST API Modular Input functionality through its user interface. The vulnerability also potentially affects third-party apps and add-ons that call cloudconnectlib.splunktacollectorlib.cloud_connect_mod_input directly.
SolutionPermalink
For third-party apps and add-ons that include the Splunk CloudConnect SDK, upgrade the library to 3.1.3 or higher.
For customers that use AoB for custom apps, perform the following steps to update your app or add-on:
- Upgrade AoB to version 4.1.2 or higher. See Install the Add-on Builder User Guide for more information.
- Use AoB to edit and save the affected app. See Configure data collection using a REST API call for more information. It isn’t necessary to make changes to the app prior to saving it.
- Restart Splunk Enterprise.
If the custom app or add-on is also installed on instances without AoB, you must package the upgraded custom app or add-on, then install it on the instances. See Validate and Package and Package apps for more information.
For affected apps and add-ons that are already on SplunkBase, third-party developers must publish an updated version of the app or add-on to SplunkBase. For more information, see Publish apps for Splunk Cloud Platform or Splunk Enterprise to Splunkbase. Cloud-vetted apps are subject to the Cloud Vetting Change Policy.
Note: If the REST API Modular Input connects to a self-signed URL, that connection will fail. Where applicable, use a certificate authority (CA)-signed certificate for your app or add-on. As an alternative, to fix this error on apps and add-ons that are not on SplunkBase, overwrite the certificate at $SPLUNK_HOME/etc/apps/<ta_name>/bin/<ta_name>/aob_py3/certifi/cacert.pem with the self-signed certificate. You cannot overwrite this certificate on apps or add-ons that you publish to SplunkBase.
Product StatusPermalink
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Add-on Builder | 4.1 | cloudconnectlib | 4.1.1 and lower | 4.1.2 |
Splunk CloudConnect SDK | 3.1 | - | 3.1.2 and lower | 3.1.3 |
Mitigations and WorkaroundsPermalink
As an alternative to updating your custom app, if the app does not use the REST API Modular Input functionality, delete the affected file at $SPLUNK_HOME/etc/apps/<ta_name>/bin/<ta_name>/aob_py3/cloudconnectlib/core/http.py. If the app uses the functionality, update the file or patch it with the file changes that appear in this pull request on the Splunk GitHub site.
DetectionsPermalink
None
SeverityPermalink
Splunk rated the vulnerability as Medium, 4.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The impact of the vulnerability might vary for each app or add-on. Where applicable, review your app or add-on and rate its vulnerability based on whether it uses the vulnerable functionality and what data the modular input sends or receives.
AcknowledgmentsPermalink
Chris Green