Modular Input REST API Requests Connect via HTTP after Certificate Validation Failure in Splunk Add-on Builder and Splunk CloudConnect SDK

Advisory ID: SVD-2023-0213

CVE ID: CVE-2023-22943

Published: 2023-02-14

Last Update: 2023-02-14

CVSSv3.1 Score: 4.8, Medium

CWE: CWE-636

Bug ID: ADDON-58725

DescriptionPermalink

In Splunk Add-on Builder (AoB) versions below 4.1.2 and the Splunk CloudConnect SDK versions below 3.1.3, requests to third-party APIs through the REST API Modular Input incorrectly revert to using HTTP to connect after a failure to connect over HTTPS occurs. The vulnerability affects AoB and apps that AoB generates when using the REST API Modular Input functionality through its user interface. The vulnerability also potentially affects third-party apps and add-ons that call cloudconnectlib.splunktacollectorlib.cloud_connect_mod_input directly.

SolutionPermalink

For third-party apps and add-ons that include the Splunk CloudConnect SDK, upgrade the library to 3.1.3 or higher.

For customers that use AoB for custom apps, perform the following steps to update your app or add-on:

  1. Upgrade AoB to version 4.1.2 or higher. See Install the Add-on Builder User Guide for more information.
  2. Use AoB to edit and save the affected app. See Configure data collection using a REST API call for more information. It isn’t necessary to make changes to the app prior to saving it.
  3. Restart Splunk Enterprise.

If the custom app or add-on is also installed on instances without AoB, you must package the upgraded custom app or add-on, then install it on the instances. See Validate and Package and Package apps for more information.

For affected apps and add-ons that are already on SplunkBase, third-party developers must publish an updated version of the app or add-on to SplunkBase. For more information, see Publish apps for Splunk Cloud Platform or Splunk Enterprise to Splunkbase. Cloud-vetted apps are subject to the Cloud Vetting Change Policy.

Note: If the REST API Modular Input connects to a self-signed URL, that connection will fail. Where applicable, use a certificate authority (CA)-signed certificate for your app or add-on. As an alternative, to fix this error on apps and add-ons that are not on SplunkBase, overwrite the certificate at $SPLUNK_HOME/etc/apps/<ta_name>/bin/<ta_name>/aob_py3/certifi/cacert.pem with the self-signed certificate. You cannot overwrite this certificate on apps or add-ons that you publish to SplunkBase.

Product StatusPermalink

ProductVersionComponentAffected VersionFix Version
Splunk Add-on Builder4.1cloudconnectlib4.1.1 and lower4.1.2
Splunk CloudConnect SDK3.1-3.1.2 and lower3.1.3

Mitigations and WorkaroundsPermalink

As an alternative to updating your custom app, if the app does not use the REST API Modular Input functionality, delete the affected file at $SPLUNK_HOME/etc/apps/<ta_name>/bin/<ta_name>/aob_py3/cloudconnectlib/core/http.py. If the app uses the functionality, update the file or patch it with the file changes that appear in this pull request on the Splunk GitHub site.

DetectionsPermalink

None

SeverityPermalink

Splunk rated the vulnerability as Medium, 4.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The impact of the vulnerability might vary for each app or add-on. Where applicable, review your app or add-on and rate its vulnerability based on whether it uses the vulnerable functionality and what data the modular input sends or receives.

AcknowledgmentsPermalink

Chris Green