Sensitive Information Disclosure to Internal Log Files in Splunk Add-on Builder
Advisory ID: SVD-2024-0111
CVE ID: CVE-2023-46230
Published: 2024-01-30
Last Update: 2024-01-30
CVSSv3.1 Score: 8.2, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
CWE: CWE-532
Bug ID: ADDON-63640
Description
In Splunk Add-on Builder versions below 4.1.4, the add-on builder writes sensitive information to internal log files. When you edit custom app and add-on properties, the app writes potentially sensitive data to its log files, including the following:
- Proxy credentials
- Global Account credentials
- User-defined password fields under Data Input Parameters
- User defined Password fields under Add-on Setup Parameters
The vulnerability requires either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. See Define roles on the Splunk platform with capabilities for more information.
The application logs sensitive values used by custom apps and add-ons. Within the scope of Add-on Builder, the confidentiality impact is High. However, the Integrity and Availability rating reflects a potentially unknown impact. Where possible, reevaluate the potential impact based on the permissions of the third-party credentials and passwords you use.
Solution
To fully remedy the vulnerability, do the following:
- Upgrade Splunk Add-on Builder to version 4.1.4 or higher
- Delete all Splunk Add-on Builder log files located at $SPLUNK_HOME/var/log/splunk/ including the following:
- splunk_app_addon-builder_default_metric_events.log
- splunk_app_addon-builder_ta_builder_validation.log
- splunk_app_addon-builder_ta_builder.log
- splunk_app_addon-builder_validation_engine.log
- Delete all Splunk Add-on Builder log file events by running the following command:*
index=_* sourcetype="splunk:tabuilder:log" | delete
- Restart Splunk Enterprise
- Rotate and change all credentials, tokens, and sensitive information stored in Data Input Parameters and Add-on Setup Parameters for Modular inputs, including the following:
- Proxy credentials
- Global Account credentials
- User-defined Password fields under Data Input Parameters
- User-defined Password fields under Add-on Setup Parameters
*Note: The delete command requires the can_delete role, which administrators do not receive by default. See delete for more info on the delete search command.
The solution applies to the Splunk Add-on Builder only. Add-ons that the Splunk Add-on Builder generates are not directly affected and do not require updating or editing.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Add-on Builder | - | Add-on Builder | Below 4.1.4 | 4.1.4 |
Mitigations and Workarounds
N/A
Severity
Splunk rates this vulnerability as a 8.2, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L.
The vulnerability requires either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See Define roles on the Splunk platform with capabilities for more information.
The application logs sensitive values used by custom apps and add-ons. Within the scope of Add-on Builder, the confidentiality impact is High. However, the Integrity and Availability rating reflects a potentially unknown impact. Where possible, reevaluate the potential impact based on the permissions of the third-party credentials and passwords you use.
Acknowledgments
Vikram Ashtaputre, Splunk