Sensitive Information Disclosure of Index Metrics through “mrollup” SPL Command

Advisory ID: SVD-2024-0106

CVE ID: CVE-2024-23676

Published: 2024-01-22

Last Update: 2024-01-23

CVSSv3.1 Score: 4.6, Medium

CWE: CWE-20

Bug ID: SPL-245947

Description

In Splunk versions below 9.0.8 and 9.1.3, the “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view. This vulnerability requires user interaction from a high-privileged user to exploit. See Splunk Enterprise Metrics for information on Metrics.

Solution

Upgrade Splunk Enterprise to versions 9.0.8, 9.1.3, or higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product | Version | Component | Affected Version | Fix Version
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.7 | 9.0.8
Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.2 | 9.1.3
Splunk Cloud | - | Splunk Web | Versions below 9.1.2308.200 | 9.1.2308.200

Mitigations and Workarounds

If users do not log in to Splunk Web in a distributed environment, disable Splunk Web on those instances. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.

If users do not need access to metrics indexes, remove authorization to search those indexes. See About configuring role-based user access for information on how to configure role-based user access.
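The two workarounds above expressed as configuration, added here as an example and not taken from the advisory or from Splunk documentation; the role name "analyst_limited" and the index names are assumptions.

```ini
# web.conf ($SPLUNK_HOME/etc/system/local/web.conf)
# Workaround 1: on distributed-environment instances that users never log in
# to (for example indexers), do not start Splunk Web at all.
[settings]
startwebserver = 0

# authorize.conf ($SPLUNK_HOME/etc/system/local/authorize.conf)
# Workaround 2: hypothetical low-privileged role that does not need metrics.
[role_analyst_limited]
importRoles = user
# Weak setting: "*" matches every non-internal index, metrics indexes included,
# so a user in this role could reach them through the "mrollup" exposure.
# srchIndexesAllowed = *
# Hardened setting: enumerate only the event indexes the role needs
# (constructed names); no metrics index appears in the list.
srchIndexesAllowed = main;web_events
srchIndexesDefault = main
# Caveat: allowed indexes are cumulative across imported roles, so the "user"
# role (and anything it imports) must not list the metrics indexes either.
```

Restart Splunk after editing either file so the changes take effect, then confirm from a session in the restricted role that the metrics index no longer appears in the list of indexes the role can search.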

Detections

Severity

Splunk rates this vulnerability a 4.6, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.

Acknowledgments

Anton (therceman)