Sensitive information disclosure in REST_Calls logging channel
Advisory ID: SVD-2024-1008
CVE ID: CVE-2024-45738
Published: 2024-10-14
Last Update: 2024-10-14
CVSSv3.1 Score: 4.9, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-200
Bug ID: VULN-15407
Description
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, the software potentially exposes sensitive HTTP parameters to the _internal index. This exposure could happen if you configure the Splunk Enterprise REST_Calls log channel at the DEBUG logging level.
The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See Define roles on the Splunk platform with capabilities in the Splunk documentation for more information.
Solution
There are multiple solutions depending on how you have configured the Splunk Enterprise instance REST_Calls log channel.
First, determine whether or not debug logging is on for the REST_Calls log channel. You must log into the Splunk Enterprise instance as an admin user or equivalent to perform these actions. To determine the log channel logging mode on the instance:
1. In a web browser, visit the Server Logging Settings page in Splunk Web at /en-US/manager/system/server/logger.
2. Review the Logging Level column on the page that loads. If the REST_Calls row in this column shows DEBUG as the logging level, then the Splunk Enterprise REST_Calls log channel is in debug mode. Otherwise, it is not in debug mode.
See Enable debug logging for more information.
If the previous steps determine that debug logging is enabled in that log channel, then remedy the problem by performing the following tasks:
1. Upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, 9.1.6, or higher.
2. Delete the following log file on the Splunk Enterprise instance: $SPLUNK_HOME/var/log/splunk/splunkd.log
3. Delete all the Splunk Enterprise log file events for the REST_Calls component from the _internal index by running the following search command:
index=_internal component=REST_Calls | delete
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.3 | splunkd | 9.3.0 | 9.3.1 |
Splunk Enterprise | 9.2 | splunkd | 9.2.0 to 9.2.2 | 9.2.3 |
Splunk Enterprise | 9.1 | splunkd | 9.1.0 to 9.1.5 | 9.1.6 |
Mitigations and Workarounds
If it isn’t currently possible to upgrade to a fixed version of Splunk Enterprise, you can remedy the vulnerability by doing the following:
1. Configure the REST_Calls log channel to a logging level that is less verbose than DEBUG.
2. Delete the following log file on the Splunk Enterprise instance: $SPLUNK_HOME/var/log/splunk/splunkd.log
3. Delete all of the Splunk Enterprise log file events for the REST_Calls component from the _internal index by running the following search command:
index=_internal component=REST_Calls | delete
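The version check and the two cleanup targets from the Solution and Mitigations sections above, as an added audit helper that is not part of this advisory or of Splunk's own tooling. It assumes the `category.<Name>=<LEVEL>` syntax of log.cfg / log-local.cfg and the standard `date time tz LEVEL component` layout of splunkd.log lines; all sample inputs are constructed.

```python
"""Audit helper for SVD-2024-1008 (CVE-2024-45738): added example, not Splunk tooling.
Decides offline whether an instance is in the affected state (affected version AND
REST_Calls at DEBUG) and counts REST_Calls debug events already in splunkd.log.
Assumptions: log.cfg uses `category.<Name>=<LEVEL>`; splunkd.log lines start with
`date time tz LEVEL component`, as in a standard Splunk Enterprise install."""
import re
from typing import Optional

# First fixed release per minor branch, from the advisory's Product Status table.
FIX_VERSION = {(9, 3): (9, 3, 1), (9, 2): (9, 2, 3), (9, 1): (9, 1, 6)}
# The cleanup search the advisory gives for events already in the _internal index.
CLEANUP_SEARCH = "index=_internal component=REST_Calls | delete"

def is_affected_version(version: str) -> bool:
    """True for 9.3.0, 9.2.0-9.2.2 and 9.1.0-9.1.5; False for fixed builds and other branches."""
    v = tuple(int(p) for p in version.strip().split("."))
    fix = FIX_VERSION.get(v[:2])
    return fix is not None and v < fix

def rest_calls_level(log_cfg_text: str) -> Optional[str]:
    """Level set for REST_Calls in log.cfg / log-local.cfg text, or None if absent."""
    level = None
    for line in log_cfg_text.splitlines():
        m = re.match(r"\s*category\.REST_Calls\s*=\s*(\w+)", line)
        if m:
            level = m.group(1).upper()  # a later line overrides an earlier one
    return level

def needs_remediation(version: str, log_cfg_text: str) -> bool:
    """Affected version with the channel at DEBUG: parameters may already be in _internal."""
    return is_affected_version(version) and rest_calls_level(log_cfg_text) == "DEBUG"

def count_rest_calls_debug_events(splunkd_log_text: str) -> int:
    """Count REST_Calls DEBUG lines: what step 2 deletes on disk and step 3 via CLEANUP_SEARCH."""
    pattern = re.compile(r"^\S+ \S+ \S+ DEBUG\s+REST_Calls\b")  # date time tz LEVEL component
    return sum(1 for line in splunkd_log_text.splitlines() if pattern.match(line))

# Constructed sample inputs, not taken from a real instance.
SAMPLE_LOG_CFG = "category.TcpInputProc=INFO\ncategory.REST_Calls=INFO\ncategory.REST_Calls=DEBUG\n"
SAMPLE_SPLUNKD_LOG = (
    "10-14-2024 10:00:00.000 +0000 DEBUG REST_Calls [1 HttpThread] - placeholder request\n"
    "10-14-2024 10:00:01.000 +0000 INFO  Metrics - group=thruput\n"
    "10-14-2024 10:00:02.000 +0000 DEBUG REST_Calls [1 HttpThread] - placeholder request\n"
)

if __name__ == "__main__":
    print("needs remediation:", needs_remediation("9.2.2", SAMPLE_LOG_CFG))
    print("REST_Calls DEBUG events on disk:", count_rest_calls_debug_events(SAMPLE_SPLUNKD_LOG))
```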
Detections
Severity
Splunk rates this vulnerability as a 4.9, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N.
Acknowledgments
Eric McGinnis, Splunk
Rod Soto, Splunk