Critical remote code execution vulnerability fixed in Splunk Enterprise


Splunk provides big data monitoring and retrieval capabilities; within a Splunk environment, Splunk Enterprise deployment servers distribute configurations and content updates to other Enterprise instances, including forwarders, indexers, and search heads.

Tracked as CVE-2022-32158 (CVSS score 9.0), the new critical vulnerability exists because Splunk Enterprise deployment servers prior to version 9.0 allow a client to use the server to push forwarder installation packages to other clients. An attacker who compromises a Universal Forwarder endpoint can therefore use it to execute arbitrary code on the other endpoints connected to the same deployment server.

CVE-2022-32157 has also been fixed; it arose because deployment servers in versions prior to 9.0 allowed forwarder packages to be downloaded without authentication.

Splunk has also fixed several TLS certificate validation vulnerabilities that could be exploited for man-in-the-middle (MitM) attacks.

All of the above vulnerabilities are fixed by upgrading to Splunk Enterprise version 9.0 or later. To fully eliminate CVE-2022-32157, you will additionally need to configure authentication between deployment servers and their clients.
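A fleet-audit helper that turns the advice above into a check, as an added example that is not part of the original article or of Splunk's own tooling: it reads the version an instance reports on its `/services/server/info` REST endpoint (real endpoint; the `entry[0].content.version` and `host` fields are its standard JSON layout), compares it against the 9.0 fix boundary, and reports both CVEs. The `server_roles` field name used to spot deployment servers is an assumption, and both JSON responses below are constructed samples, not captured output.

```python
"""Flag Splunk Enterprise instances still exposed to CVE-2022-32157 /
CVE-2022-32158 (both fixed in 9.0) from the version each instance reports.
Input is the JSON body of GET /services/server/info?output_mode=json."""
import json
import re

# The advisory's fix boundary: 9.0 and later are patched.
FIXED_VERSION = (9, 0)


def parse_version(version: str) -> tuple:
    """Turn '8.2.6' or '9.0.0.1' into a tuple of ints, padded so that
    '9' compares equal to (9, 0) rather than below it."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"unrecognised Splunk version string: {version!r}")
    if len(parts) < len(FIXED_VERSION):
        parts += [0] * (len(FIXED_VERSION) - len(parts))
    return tuple(parts)


def is_pre_fix(version: str) -> bool:
    """True when the instance predates the 9.0 fix."""
    return parse_version(version) < FIXED_VERSION


def assess(server_info_json: str) -> dict:
    """Build a per-instance finding from a server/info response."""
    content = json.loads(server_info_json)["entry"][0]["content"]
    version = content["version"]
    # Assumption: server/info lists roles under 'server_roles'.
    roles = content.get("server_roles", [])
    pre_fix = is_pre_fix(version)
    return {
        "host": content.get("host", "?"),
        "version": version,
        "is_deployment_server": "deployment_server" in roles,
        # RCE via forwarder packages pushed to other clients: version upgrade fixes it.
        "CVE-2022-32158": "vulnerable" if pre_fix else "fixed",
        # Unauthenticated package download: the upgrade alone is not enough,
        # deployment server/client authentication must also be configured.
        "CVE-2022-32157": "vulnerable" if pre_fix
        else "fixed; verify deployment server/client authentication is configured",
    }


# Constructed sample responses (not real instances).
SAMPLE_OLD = json.dumps({"entry": [{"content": {
    "host": "ds-old.example.internal", "version": "8.2.6",
    "server_roles": ["deployment_server", "indexer"]}}]})
SAMPLE_NEW = json.dumps({"entry": [{"content": {
    "host": "ds-new.example.internal", "version": "9.0.1",
    "server_roles": ["deployment_server"]}}]})


if __name__ == "__main__":
    for body in (SAMPLE_OLD, SAMPLE_NEW):
        finding = assess(body)
        tag = "DEPLOYMENT SERVER" if finding["is_deployment_server"] else "instance"
        print(f"{finding['host']} ({tag}, {finding['version']}): "
              f"CVE-2022-32158={finding['CVE-2022-32158']}; "
              f"CVE-2022-32157={finding['CVE-2022-32157']}")
```

Run it against the body returned by each instance you manage (the deployment servers are the ones that matter); anything reported as vulnerable goes on the upgrade list, and 9.0+ deployment servers still need their client authentication confirmed by hand, since a version string cannot show that.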
