Remote Code Execution (RCE) due to insecure session storage configuration in Splunk Enterprise on Windows
Advisory ID: SVD-2024-1003
CVE ID: CVE-2024-45733
Published: 2024-10-14
Last Update: 2024-10-14
CVSSv3.1 Score: 8.8, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
Bug ID: VULN-16990
Description
In Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the “admin” or “power” Splunk roles could perform a Remote Code Execution (RCE) due to insecure session storage configuration.
Solution
Upgrade Splunk Enterprise to versions 9.3.0, 9.2.3, and 9.1.6, or higher.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.3 | Splunk Web | Not affected | 9.3.0 |
| Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.2 | 9.2.3 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.5 | 9.1.6 |
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
Detections
Severity
Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
If the Splunk Enterprise instance does not run on Windows, there should be no impact and the severity would be Informational.
If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be Informational.
Acknowledgments
Alex Hordijk