Splunk on Tuesday announced Splunk Enterprise updates that resolve multiple high-severity vulnerabilities, including security defects impacting third-party packages used by the product.
The most severe vulnerabilities are CVE-2023-22939 and CVE-2023-22935 (CVSS score of 8.1), two issues that could lead to the bypass of search processing language (SPL) safeguards for risky commands. Both flaws affect instances with Splunk Web enabled and require a high-privileged user to make a request in their browser.
CVE-2023-22934, another SPL safeguards bypass in Splunk Enterprise, requires an authenticated user to craft a saved job before a request is made in the browser.
Splunk also released patches for two high-severity cross-site scripting (XSS) vulnerabilities (CVE-2023-22932 and CVE-2023-22933) and has released additional resources to hunt for signs of malicious exploitation.
Patches were also released for multiple medium-severity vulnerabilities in Splunk Enterprise, some of which could lead to information disclosure, the sending of emails as the Splunk instance, the upload of lookup tables with unnecessary filename extensions, and server-side request forgery (SSRF).
Other patched medium-severity issues could result in the overwrite of existing RSS feeds, Splunk daemon crashes, unauthorized updates to SSG App Key Value Store collections, and in requests to third-party APIs incorrectly reverting to HTTP.
Splunk also informs users that its products are not affected by the Text4Shell (CVE-2022-42889) vulnerability in the Apache Commons Text library, which could be exploited to execute arbitrary code.
However, patches were released for multiple vulnerabilities in third-party libraries shipped with Splunk Enterprise, the most severe of which are CVE-2021-3518 (CVSS score of 8.8) and CVE-2021-3517 (CVSS score of 8.6), two bugs in the XML parsing library libxml2.
The issues are described as use-after-free and out-of-bounds read flaws, respectively, and can be exploited by submitting a crafted file to be processed by a vulnerable application. Successful exploitation could impact availability, confidentiality, and integrity of applications.
Splunk also resolved CVE-2022-32212 (CVSS score of 8.1), an OS command injection in Node.js, and CVE-2022-24785 and CVE-2022-31129, a path traversal flaw and an inefficient parsing algorithm issue in Moment.js, a JavaScript library for date parsing, formatting, manipulation, and validation.
Other third-party package bugs addressed in Splunk Enterprise this week include CVE-2021-28957 (an XSS vulnerability in python-lxml’s clean module) and CVE-2021-3537 (a NULL dereference flaw in libxml2).
Splunk Enterprise versions 8.1.13, 8.2.10, and 9.0.4 contain patches for all the vulnerabilities above. Users are advised to update to a patched iteration as soon as possible. Additional information on the resolved issues can be found on Splunk’s security advisories page.
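As an added illustration, not code from Splunk or from this article, the following branch-aware check compares an inventoried version string against the three patched releases named above. The inventory is constructed, and a version on a branch the advisory does not list is reported as not covered rather than assumed safe.

```python
from typing import Optional, Tuple

# Minimum patched Splunk Enterprise versions named in the article, keyed by
# release branch (major, minor). Only the three branches the article lists
# are included; any other branch is reported as unknown, not guessed.
PATCHED_VERSIONS = {
    (8, 1): (8, 1, 13),
    (8, 2): (8, 2, 10),
    (9, 0): (9, 0, 4),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.2.10' into (8, 2, 10) so comparison is numeric, not lexical.

    A plain string compare ranks '8.2.9' above '8.2.10'; comparing integer
    tuples avoids that classic inventory-script mistake.
    """
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Splunk version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def patch_status(version: str) -> Optional[bool]:
    """True if `version` is at or above its branch's patched release,
    False if it is behind, None if the branch is not covered by this list."""
    v = parse_version(version)
    fixed = PATCHED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {"sh-01": "8.2.9", "idx-01": "8.2.10", "hf-01": "9.0.4",
                 "old-01": "8.1.12", "lab-01": "9.1.0"}
    labels = {True: "patched", False: "VULNERABLE", None: "branch not covered"}
    for host, ver in inventory.items():
        print(f"{host:8} {ver:8} {labels[patch_status(ver)]}")
```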