Published: J1:15:09 PM -0400

Splunk Enterprise deployment servers in versions before 8.1.10.1, 8.2.6.1, and 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.

Splunk Enterprise deployment servers in versions before 9.0 allow unauthenticated downloading of forwarder bundles. Remediation requires you to update the deployment server to version 9.0 and Configure authentication for deployment servers and clients. Once enabled, deployment servers can manage only Universal Forwarder versions 9.0 and higher. Though the vulnerability does not directly affect Universal Forwarders, remediation requires updating all Universal Forwarders that the deployment server manages to version 9.0 or higher prior to enabling the remediation.

In Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface (CLI) did not validate TLS certificates while connecting to a remote Splunk platform instance by default. After updating to version 9.0, see Configure TLS host name validation for the Splunk CLI to enable the remediation. The vulnerability does not affect the Splunk Cloud Platform. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties. The issue requires conditions beyond the control of a potential bad actor, such as a machine-in-the-middle attack. Hence, Splunk rates the complexity of the attack as High.

In universal forwarder versions before 9.0, management services are available remotely by default. When not required, it introduces a potential exposure, but it is not a vulnerability. If exposed, we recommend each customer assess the potential severity specific to your environment. In 9.0, the universal forwarder now binds the management port to localhost, preventing remote logins by default. If management services are not required in versions before 9.0, set disableDefaultPort = true in nf OR allowRemoteLogin = never in nf OR mgmtHostPort = localhost in web.conf. See Configure universal forwarder management security for more information on disabling the remote management services.

Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands for more information. Note that the attack is browser-based and an attacker cannot exploit it at will.

Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate, and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications to enable the remediation.

The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before. Python 3 client libraries now verify server certificates by default and use the appropriate CA certificate stores for each library. Apps and add-ons that include their own HTTP libraries are not affected.
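Two defender-side checks prompted by the advisories above, written here as an added example and not code from Splunk or from this page. The first asks whether a Python ssl context would actually validate a server certificate against a CA store and check the host name, which is the posture the page says the bundled httplib and urllib libraries now have by default. The second reads the text of a forwarder's server.conf and web.conf and reports whether any of the three settings the page names for versions before 9.0 (disableDefaultPort, allowRemoteLogin, mgmtHostPort) takes the management port off the network. The assumption that disableDefaultPort and allowRemoteLogin live under [httpServer] and [general] in server.conf, that mgmtHostPort lives under [settings] in web.conf, and the sample conf contents are mine, not the page's.

```python
"""Added example (not Splunk's or the page's code): defender-side checks for
Python client TLS validation and forwarder management-port exposure.
Stanza names and the sample conf contents below are assumptions."""
import configparser
import ssl
import urllib.request


def make_verifying_context(cafile=None):
    """Client context that requires a valid chain and a matching host name.
    With cafile=None Python loads the platform's default CA store, which is
    the posture the page describes for the 9.0 httplib/urllib defaults."""
    return ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)


def no_verify_context():
    """Context with the pre-9.0 behaviour the page describes: no CA validation
    and no host-name check. Built only to contrast with the one above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode=CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_verifies(ctx):
    """True only if ctx both requires a certificate chain and checks that the
    leaf certificate matches the host name being connected to."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def https_opener(ctx):
    """urllib opener pinned to ctx: every request made through it inherits
    the context's verification policy instead of a per-call default."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _parse_conf(text):
    """Splunk .conf files are INI-like. Keys are case-sensitive in Splunk, so
    configparser's default lower-casing is switched off."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _is_true(value):
    return value.strip().lower() in {"true", "1", "yes"}


def uf_management_exposure(server_conf_text, web_conf_text=""):
    """Report which of the three pre-9.0 mitigations the page names is in
    place. Assumed locations: disableDefaultPort under [httpServer] and
    allowRemoteLogin under [general] in server.conf, mgmtHostPort under
    [settings] in web.conf. An absent setting counts as not mitigating
    (conservative: defaults differ across versions, so they are not guessed)."""
    server = _parse_conf(server_conf_text)
    web = _parse_conf(web_conf_text)

    port_disabled = _is_true(server.get("httpServer", "disableDefaultPort", fallback=""))
    remote_login = server.get("general", "allowRemoteLogin", fallback="").strip().lower()
    host_port = web.get("settings", "mgmtHostPort", fallback="").strip()
    # mgmtHostPort is "host:port" (an IPv6 literal is bracketed); the page's
    # "mgmtHostPort = localhost" form, with no port, is accepted as well.
    host = host_port.rsplit(":", 1)[0] if ":" in host_port else host_port
    bound_locally = host.strip("[]").lower() in LOOPBACK_HOSTS

    findings = {
        "disableDefaultPort": port_disabled,
        "allowRemoteLogin_never": remote_login == "never",
        "mgmtHostPort_loopback": bound_locally,
    }
    # Any one of the three takes remote management off the network.
    findings["remote_management_exposed"] = not any(findings.values())
    return findings


# Constructed samples (not real forwarder configs): a forwarder left at the
# pre-9.0 default, and the same forwarder after applying the page's settings.
EXPOSED_SERVER_CONF = """
[general]
serverName = uf-example-01
"""

HARDENED_SERVER_CONF = """
[general]
serverName = uf-example-01
allowRemoteLogin = never

[httpServer]
disableDefaultPort = true
"""

LOOPBACK_WEB_CONF = """
[settings]
mgmtHostPort = 127.0.0.1:8089
"""

if __name__ == "__main__":
    print("verifying context validates:", tls_context_verifies(make_verifying_context()))
    print("no-verify context validates:", tls_context_verifies(no_verify_context()))
    print("exposed forwarder:", uf_management_exposure(EXPOSED_SERVER_CONF))
    print("hardened forwarder:", uf_management_exposure(HARDENED_SERVER_CONF))
```

Run against a real forwarder by passing the contents of its effective server.conf and web.conf (after Splunk's layering of default, local, and app-level files); the audit deliberately treats a missing setting as unmitigated rather than assuming a version-specific default.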