Session Token Disclosure to Internal Log Files in Splunk Add-on Builder

Advisory ID: SVD-2024-0110

CVE ID: CVE-2023-46231

Published: 2024-01-30

Last Update: 2024-01-30

CVSSv3.1 Score: 8.8, High

CWE: CWE-532

Bug ID: ADDON-63902

Description

In Splunk Add-on Builder versions below 4.1.4, the application writes user session tokens to internal log files. The vulnerability requires either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See Define roles on the Splunk platform with capabilities for more information.

Solution

To fully remedy the vulnerability, do the following:

  1. Upgrade Splunk Add-on Builder to version 4.1.4 or higher
  2. Delete all Splunk Add-on Builder log files located at $SPLUNK_HOME/var/log/splunk/ including the following:
    • splunk_app_addon-builder_default_metric_events.log
    • splunk_app_addon-builder_ta_builder_validation.log
    • splunk_app_addon-builder_ta_builder.log
    • splunk_app_addon-builder_validation_engine.log
  3. Delete all Splunk Add-on Builder log file events by running the following command:**
    index=_* sourcetype="splunk:tabuilder:log" | delete
  4. Restart Splunk Enterprise*

*Note: Restarting Splunk Enterprise invalidates all session tokens.

**Note: The delete command requires the can_delete role, which administrators do not receive by default. See delete for more info on the delete search command.

The solution applies to the Splunk Add-on Builder only. Add-ons that the Splunk Add-on Builder generates are not directly affected and do not require updating or editing.
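The following POSIX shell script is an added example, not Splunk's own tooling, covering the file-system half of the remediation above: it checks the installed Add-on Builder version against 4.1.4 and lists or removes the advisory-named log files under $SPLUNK_HOME/var/log/splunk/. It assumes the app's version lives in an app.conf with a "version = " line (the app directory name is an assumption) and that rotated copies such as name.log.1 should go with the originals, since step 2 says to delete all Add-on Builder log files. Step 3 (the SPL delete search) and step 4 (restart) are not scripted here.

```shell
#!/bin/sh
# Added example (not Splunk's code). Assumes SPLUNK_HOME points at the install.

# Log file names taken verbatim from the advisory.
ADDON_BUILDER_LOGS="splunk_app_addon-builder_default_metric_events.log
splunk_app_addon-builder_ta_builder_validation.log
splunk_app_addon-builder_ta_builder.log
splunk_app_addon-builder_validation_engine.log"

# version_at_least VER MIN: succeeds when dotted VER >= MIN, comparing each
# component numerically so that 4.1.10 is correctly treated as newer than 4.1.4.
version_at_least() {
  v="$1." m="$2."
  while [ -n "$m" ]; do
    a=${v%%.*}; v=${v#*.}
    b=${m%%.*}; m=${m#*.}
    a=${a:-0}; b=${b:-0}
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
  done
  return 0
}

# app_conf_version FILE: print the "version = x.y.z" value from an app.conf.
app_conf_version() {
  sed -n 's/^version *= *//p' "$1" | head -n 1
}

# list_addon_builder_logs DIR: print each advisory-named log present in DIR,
# plus rotated copies (name.log.1, ...), which is an assumption about "all".
list_addon_builder_logs() {
  dir="$1"
  for name in $ADDON_BUILDER_LOGS; do
    for f in "$dir/$name" "$dir/$name".*; do
      [ -f "$f" ] && printf '%s\n' "$f"
    done
  done
  return 0
}

# count_addon_builder_logs DIR: number of matching files still present.
count_addon_builder_logs() {
  list_addon_builder_logs "$1" | wc -l | tr -d ' '
}

# remove_addon_builder_logs DIR: delete the matching files; succeeds only
# when none remain, so a re-run can be used as the verification step.
remove_addon_builder_logs() {
  dir="$1"
  list_addon_builder_logs "$dir" | while IFS= read -r f; do
    rm -f -- "$f"
  done
  [ -z "$(list_addon_builder_logs "$dir")" ]
}

# Usage: SPLUNK_HOME=/opt/splunk sh remediate.sh [--apply]
# Without --apply it only reports; with --apply it deletes the log files.
if [ -n "${SPLUNK_HOME:-}" ]; then
  # Assumed app directory name; adjust if your install differs.
  conf="$SPLUNK_HOME/etc/apps/splunk_app_addon-builder/default/app.conf"
  if [ -f "$conf" ]; then
    ver=$(app_conf_version "$conf")
    if version_at_least "$ver" 4.1.4; then
      echo "Add-on Builder $ver: at or above fixed version 4.1.4"
    else
      echo "Add-on Builder $ver: below 4.1.4, upgrade required (step 1)"
    fi
  fi
  logdir="$SPLUNK_HOME/var/log/splunk"
  echo "Advisory-named log files present: $(count_addon_builder_logs "$logdir")"
  list_addon_builder_logs "$logdir"
  if [ "${1:-}" = "--apply" ]; then
    remove_addon_builder_logs "$logdir" && echo "Log files removed (step 2)"
  fi
fi
```

Run it once without --apply to see what would be deleted, then with --apply; after that, the SPL delete search and the restart from steps 3 and 4 still need to be carried out by hand.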

Product Status

Product               | Version | Component      | Affected Version | Fix Version
Splunk Add-on Builder | -       | Add-on Builder | Below 4.1.4      | 4.1.4

Mitigations and Workarounds

N/A

Severity

Splunk rates this vulnerability as an 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H.

The vulnerability requires either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See Define roles on the Splunk platform with capabilities for more information.

Acknowledgments

Vikram Ashtaputre, Splunk