Splunk Authentication Token Exposure in Debug Log in Splunk Enterprise
Advisory ID: SVD-2024-0301
CVE ID: CVE-2024-29945
Published: 2024-03-27
Last Update: 2024-03-27
CVSSv3.1 Score: 7.2, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-532
Bug ID: SPL-248977
Description
In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software potentially exposes authentication tokens during the token validation process. This exposure could happen when either Splunk Enterprise runs in debug mode or the JsonWebToken component has been configured to log its activity at the DEBUG logging level. Normally, Splunk Enterprise runs with debug mode and token authentication turned off, as well as the JsonWebToken process configured at the INFO logging level.
The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See Define roles on the Splunk platform with capabilities in the Splunk documentation for more information.
Solution
There are multiple solutions depending on how you have configured the Splunk Enterprise instance.
First, determine whether or not debug logging is on, either globally or for the JsonWebToken component. You must log into the Splunk Enterprise instance as an admin user or equivalent to perform these actions.
To determine the current global logging mode on the instance:
In a web browser, visit the Server Logging Settings page in Splunk Web at
/en-US/manager/system/server/logger.Review the Logging Level column on the page that loads. If every row in this column shows DEBUG as the logging level, then the Splunk Enterprise instance is in debug mode. Otherwise, it is not in debug mode.
To determine the current logging level for the
JsonWebTokenprocessor:In a web browser, search for the JsonWebToken processor configuration by visiting
/en-US/manager/system/server/logger?search=JsonWebToken.Review the Logging level column for the processor. If this row has a value of DEBUG, then the processor currently logs its activity at the DEBUG level.
See Enable debug logging for more information.
If either of these steps determines that debug logging is on, either globally or for the JsonWebToken component, then remedy the problem by performing the following tasks:
Upgrade Splunk Enterprise to versions 9.2.1, 9.1.4, 9.0.9, or higher.
Delete the following log file on the Splunk Enterprise instance:
$SPLUNK_HOME/var/log/splunk/splunkd.logLog into Splunk Web on the Splunk Enterprise instance and delete all log file events for the
JsonWebTokencomponent from the _internal index by running the following search command:
index=_internal component=JsonWebToken | delete
Note: The delete SPL command requires the can_delete role, which administrators do not receive by default. See delete for more info on the delete search command.While you are logged in, rotate any potentially exposed authentication tokens. See Manage or delete authentication tokens for more information.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.2 | 9.2.0 to 9.2.0.1 | 9.2.1 | |
| Splunk Enterprise | 9.1 | 9.1.0 to 9.1.3 | 9.1.4 | |
| Splunk Enterprise | 9.0 | 9.0.0 to 9.0.8 | 9.0.9 |
Mitigations and Workarounds
If it isn’t currently possible to upgrade to a fixed version of Splunk Enterprise, you can remedy the vulnerability by doing the following:
If the Splunk Enterprise instance runs in debug mode, turn it off. Restart the instance without using the
--debugargument.If you don’t use tokens to authenticate users on the Splunk Enterprise instance and token authentication is on, turn it off. See Enable or disable token authentication for more information.
If the JsonWebToken component is at the DEBUG logging level, raise it to the INFO level.
Log into Splunk Web on the Splunk Enterprise instance and visit the Server Logging page as described previously.
Select the JsonWebToken component, change its logging level to INFO, then select Save.
View the
$SPLUNK_HOME/etc/log.cfglogging configuration files and confirm that the JsonWebToken component is at the INFO logging level. Look for a line in the file that sayscategory.JsonWebToken=. If it equals DEBUG, raise the logging level to INFO by doing the following:Edit the
$SPLUNK_HOME/etc/log.cfgfile.Add the line
category.JsonWebToken=INFOto this file.Save the file.
Repeat Steps 4a-4c with the
log-local.cfgfile, if it exists.Restart Splunk Enterprise for the changes to
log.cfgorlog-local.cfgto take effect. Note: Confirm that you do not use the--debugflag to restart Splunk Enterprise.
Delete the following log file:
$SPLUNK_HOME/var/log/splunk/splunkd.logDelete all the Splunk Enterprise log file events from the _internal index by running the following search command:
index=_internal component=JsonWebToken | delete
Note: The delete command requires the can_delete role, which administrators do not receive by default. See delete for more info on the delete search command.While you are logged in, rotate any potentially exposed authentication tokens. See Manage or delete authentication tokens for more information.
Detections
Severity
Splunk rates this vulnerability as informational, or falling between a 6.7, Medium, and a 7.2, High. The following scenarios affect the score:
If token authentication is turned off, then the vulnerability does not affect this Splunk Enterprise instance and the advisory is Informational.
If you limit access to the _internal index to holders of the admin role only, then the CVSS score lowers to 6.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
If admin users have provided lower-privilege users access to the _internal index, then the CVSS score would be 7.2, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Acknowledgments
Alex Napier, Splunk