Technology company Splunk released security updates to address 16 vulnerabilities in Splunk Enterprise and Cloud Platform.
Technology company Splunk addressed 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including four high-severity flaws.
The vulnerability CVE-2024-36985 is a Remote Code Execution (RCE) through an external lookup due to “copybuckets.py“ script in the “splunk_archiver“ application in Splunk Enterprise.
“In Splunk Enterprise versions below 9.0.10, 9.1.5, and 9.2.2, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could cause a Remote Code Execution through an external lookup that likely references the “splunk_archiver“ application.” reads the advisory. “The “splunk_archiver“ application likely contains a script called “copybuckets.py“ that itself references a file called “erp_launcher.py“, which would likely execute a script called “sudobash. The “sudobash“ script does not perform any input checking. Therefore it runs a bash shell with arguments supplied by the “erp_launcher.py“ file. This can lead to an RCE.”
Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10, or higher address the issue, the company also recommends disabling the “splunk_archiver“ application to temporarily mitigate the issue.
The company addressed another high-serverity bug, tracked as CVE-2024-36984, which is a Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows.
“In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code.” reads the advisory. “The exploit requires the use of the collect SPL command which writes a file within the Splunk Enterprise installation. The attacker could then use this file to submit a serialized payload that could result in execution of code within the payload.”
Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10, or higher address the issue.
If users do not log in to Splunk Web on indexers in a distributed environment, disabling Splunk Web on those indexers can mitigate the issue.
Below is the list of the addressed flaws:
| SVD | Date | Title | Severity | CVE |
|---|---|---|---|---|
| SVD-2024-0718 | 2024-07-01 | Third-Party Package Updates in Splunk Enterprise – July 2024 | High | |
| SVD-2024-0717 | 2024-07-01 | Persistent Cross-site Scripting (XSS) in conf-web/settings REST endpoint | Medium | CVE-2024-36997 |
| SVD-2024-0716 | 2024-07-01 | Information Disclosure of user names | Medium | CVE-2024-36996 |
| SVD-2024-0715 | 2024-07-01 | Low-privileged user could create experimental items | Medium | CVE-2024-36995 |
| SVD-2024-0714 | 2024-07-01 | Persistent Cross-site Scripting (XSS) in Dashboard Elements | Medium | CVE-2024-36994 |
| SVD-2024-0713 | 2024-07-01 | Persistent Cross-site Scripting (XSS) in Web Bulletin | Medium | CVE-2024-36993 |
| SVD-2024-0712 | 2024-07-01 | Persistent Cross-site Scripting (XSS) in Dashboard Elements | Medium | CVE-2024-36992 |
| SVD-2024-0711 | 2024-07-01 | Path Traversal on the “/modules/messaging/“ endpoint in Splunk Enterprise on Windows | High | CVE-2024-36991 |
| SVD-2024-0710 | 2024-07-01 | Denial of Service (DoS) on the datamodel/web REST endpoint | Medium | CVE-2024-36990 |
| SVD-2024-0709 | 2024-07-01 | Low-privileged user could create notifications in Splunk Web Bulletin Messages | Medium | CVE-2024-36989 |
| SVD-2024-0708 | 2024-07-01 | OpenSSL crypto library (libcrypto.so) incorrectly compiled with stack execution bit set in Splunk Enterprise and Universal Forwarder on certain operating systems | Informational | |
| SVD-2024-0707 | 2024-07-01 | Insecure File Upload in the indexing/preview REST endpoint | Medium | CVE-2024-36987 |
| SVD-2024-0706 | 2024-07-01 | Risky command safeguards bypass through Search ID query in Analytics Workspace | Medium | CVE-2024-36986 |
| SVD-2024-0705 | 2024-07-01 | Remote Code Execution (RCE) through an external lookup due to “copybuckets.py“ script in the “splunk_archiver“ application in Splunk Enterprise | High | CVE-2024-36985 |
| SVD-2024-0704 | 2024-07-01 | Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows | High | CVE-2024-36984 |
| SVD-2024-0703 | 2024-07-01 | Command Injection using External Lookups | High | CVE-2024-36983 |
| SVD-2024-0702 | 2024-07-01 | Denial of Service through null pointer reference in “cluster/config” REST endpoint | High | CVE-2024-36982 |
| SVD-2024-0701 | 2024-07-01 | Remote Code Execution through dashboard PDF generation component | High |
The company did not reveal if vulnerabilities were actively exploited in the wild.
Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RCE)
