Advisory

Multiple High-Severity Vulnerabilities Patched in Splunk Enterprise

Take action: Patching an enterprise system like a SIEM is never easy. You will need to test the patch, back up data, plan for recovery if something fails and schedule the patch when it least affects log collection. These vulnerabilities are rated high rather than critical, so the upgrade can be planned over the next several sprints/weeks instead of treated as an emergency. Prioritize instances that use SAML authentication (the splunkd denial-of-service flaw) and instances where non-admin roles hold the edit_user capability (the privilege-escalation flaw). Just don't ignore the need to patch.


Learn More

Splunk has released Splunk Enterprise 8.1.14, 8.2.11 and 9.0.5, which address multiple high-severity vulnerabilities, including some in third-party packages bundled with the product:

  1. CVE-2023-32707, the most severe of the three, lets a low-privileged user whose role holds the 'edit_user' capability escalate to admin by sending specially crafted web requests. The cause is that the 'edit_user' capability does not honor the 'grantableRoles' setting in authorize.conf, which is supposed to limit which roles such a user may assign.
  2. CVE-2023-32706 is a denial-of-service (DoS) flaw in the Splunk daemon (splunkd). An incorrectly configured XML parser used during SAML authentication accepts crafted messages containing recursively referenced entities; expanding them consumes excessive memory and crashes or terminates the daemon.
  3. CVE-2023-32708 is an HTTP response splitting vulnerability, reachable through the 'rest' SPL command, that lets a low-privileged user access other REST endpoints on the system and view restricted content.
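To scope exposure to CVE-2023-32707 before the upgrade window, it helps to know exactly which non-admin roles can reach 'edit_user', including roles that inherit it through 'importRoles'. The script below is an added example written for this advisory, not Splunk code or a Splunk-supplied tool: it parses the stanza format of authorize.conf (role stanzas named 'role_<name>', capabilities set to 'enabled', semicolon-separated 'importRoles' and 'grantableRoles') over a constructed sample file and lists the roles that could have exploited the flaw. It assumes the only fully privileged role is named 'admin'; adjust the exclusion if your deployment defines other admin-equivalent roles.

```python
import configparser

# Constructed sample authorize.conf for the example, not from any real deployment.
# Note that helpdesk restricts grantableRoles to "user", which the unpatched
# edit_user capability did not honor, and tier2 inherits edit_user from helpdesk.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
importRoles = power;user
grantableRoles = admin;power;user
edit_user = enabled

[role_helpdesk]
importRoles = user
grantableRoles = user
edit_user = enabled

[role_tier2]
importRoles = helpdesk

[role_power]
importRoles = user
schedule_search = enabled

[role_user]
search = enabled
"""


def load_roles(conf_text):
    """Parse role stanzas into {name: {imports, grantable, caps}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep capability names case-sensitive, as Splunk does
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        imports = [r for r in cp[section].get("importRoles", "").split(";") if r]
        grantable = [r for r in cp[section].get("grantableRoles", "").split(";") if r]
        caps = {k for k, v in cp[section].items() if v.strip().lower() == "enabled"}
        roles[name] = {"imports": imports, "grantable": grantable, "caps": caps}
    return roles


def effective_capabilities(roles, name, _seen=None):
    """Capabilities a role holds directly or via importRoles (recursive, cycle-safe)."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in roles:
        return set()
    _seen.add(name)
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_capabilities(roles, parent, _seen)
    return caps


def roles_exposed_to_cve_2023_32707(conf_text, admin_role="admin"):
    """Return non-admin roles that can reach edit_user, with how they get it and
    the grantableRoles restriction that the unpatched capability ignored."""
    roles = load_roles(conf_text)
    exposed = {}
    for name, role in roles.items():
        if name == admin_role:
            continue
        if "edit_user" in effective_capabilities(roles, name):
            via = "direct" if "edit_user" in role["caps"] else "inherited"
            exposed[name] = {"via": via, "grantableRoles": role["grantable"]}
    return exposed


if __name__ == "__main__":
    for role, info in roles_exposed_to_cve_2023_32707(SAMPLE_AUTHORIZE_CONF).items():
        print(f"{role}: edit_user {info['via']}, grantableRoles={info['grantableRoles']}")
```

Run it against the merged authorize.conf from a search head (the local and app-level copies layered together), and treat every role it lists as an account population that could have reached admin before the patch; that is also the list of users whose activity is worth reviewing in the audit logs for unexpected role changes.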
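The following is an added example illustrating the failure mode behind CVE-2023-32706 and the two guards a hardened XML front end for SAML puts in place; it is not Splunk's parser or patch. It constructs a small "billion laughs" document (four levels of ten-fold entity nesting, so a few hundred bytes of input expand to 30,000 characters of text), shows that a default expat parser expands it, and then parses with a hardened configuration that rejects any DOCTYPE or entity declaration (SAML messages never need a DTD) and, as a second fence, aborts once the expanded text exceeds a fixed multiple of the input size. The sample documents are constructed for the example.

```python
import xml.parsers.expat


class DtdRejected(Exception):
    """Raised when a message carries a DOCTYPE or entity declaration."""


class ExpansionLimitExceeded(Exception):
    """Raised when expanded text grows past the allowed multiple of the input size."""


def build_laughs(depth: int = 4, fanout: int = 10) -> bytes:
    """Construct a small 'billion laughs' document: depth levels of fanout-way
    nested entity references, expanding to 3 * fanout**depth characters.
    Test input constructed for this example, not a captured SAML message."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        body = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{body}">')
    doc = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
           + f"\n]>\n<lolz>&lol{depth};</lolz>\n")
    return doc.encode()


# Constructed benign message in the shape of a SAML response (no DTD).
BENIGN = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1">'
          b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
          b'https://idp.example</saml:Issuer></samlp:Response>')


def expanded_text_size(doc: bytes) -> int:
    """Parse with expat at its defaults and return how much character data the
    handlers receive: internal entities are expanded, which is where memory goes."""
    total = 0

    def on_chars(data):
        nonlocal total
        total += len(data)

    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    return total


def parse_hardened(doc: bytes, allow_dtd: bool = False, max_ratio: int = 20) -> int:
    """Parse with two guards: refuse any DOCTYPE/entity declaration (allow_dtd
    exists only to demonstrate the second guard) and abort once expanded text
    exceeds max_ratio * len(doc). Returns the number of elements parsed."""
    elements = 0
    produced = 0
    budget = max_ratio * len(doc)

    def on_doctype(*args):
        raise DtdRejected("DOCTYPE is not allowed in SAML messages")

    def on_entity_decl(*args):
        raise DtdRejected("entity declarations are not allowed")

    def on_start(name, attrs):
        nonlocal elements
        elements += 1

    def on_chars(data):
        nonlocal produced
        produced += len(data)
        if produced > budget:
            raise ExpansionLimitExceeded(f"expanded text exceeded {budget} bytes")

    p = xml.parsers.expat.ParserCreate()
    if not allow_dtd:
        p.StartDoctypeDeclHandler = on_doctype
        p.EntityDeclHandler = on_entity_decl
    p.StartElementHandler = on_start
    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    return elements


def check_message(doc: bytes, **kwargs) -> str:
    """Summarize the hardened parser's verdict as a string for logging or tests."""
    try:
        return f"accepted:{parse_hardened(doc, **kwargs)}"
    except DtdRejected:
        return "rejected:dtd"
    except ExpansionLimitExceeded:
        return "rejected:expansion"


if __name__ == "__main__":
    laughs = build_laughs()
    print(f"input {len(laughs)} bytes expands to {expanded_text_size(laughs)} chars")
    print("benign:", check_message(BENIGN))
    print("laughs:", check_message(laughs))
    print("laughs, DTD allowed:", check_message(laughs, allow_dtd=True))
```

The DOCTYPE refusal is the guard that matters: it fires before any entity is declared, so the parser never allocates the expanded text at all. The size cap is kept in case some code path must accept a DTD, and it should be paired with a request body limit on the SAML endpoint so the input side is bounded too.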

Splunk has also resolved numerous severe issues in third-party packages bundled with Splunk Enterprise, including libxml2, OpenSSL, curl, libarchive, SQLite and Go. Some of these vulnerabilities have been publicly known for over four years.
