SB2022081634 - Multiple vulnerabilities in Splunk Enterprise

Description

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2022-37438)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the way Splunk handles users' information within the application. A remote user can create a dashboard and gain access to sensitive information, such as usernames, emails and real names of application's users.

2) Improper Certificate Validation (CVE-ID: CVE-2022-37437)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error, related to usage of the Ingest Actions component via the user interface. When using Ingest Actions to configure a destination that resides on Amazon Simple Storage Service (S3) in Splunk Web, TLS certificate validation is not correctly performed and tested for the destination. As a result, remote attacker can perform Man-in-the-Middle (MitM) attack.

Remediation

Install update from vendor's website.

References

• https://www.splunk.com/en_us/product-security/announcements/svd-2022-0802.html
• https://www.splunk.com/en_us/product-security/announcements/svd-2022-0801.html