Splunk Vulnerability: Critical Updates For Enterprise And Cloud
In the latest updates, CVE-2024-36985 in Splunk Enterprise poses a critical risk with remote code execution via External Lookup.
Ashish Khaitan July 5, 2024
Share on LinkedInShare on Twitter
Splunk has released a comprehensive set of security updates to address 16 vulnerabilities across its Splunk Enterprise and Cloud Platform. These updates include fixes of several Splunk vulnerabilities, including high-severity issues, emphasizing the critical nature of maintaining robust cybersecurity practices in enterprise environments.
Among the latest updates, the Splunk vulnerability CVE-2024-36985, a remote code execution (RCE) via the External Lookup in Splunk Enterprise, is one of the most critical vulnerabilities. This vulnerability involves a Remote Code Execution (RCE) risk through an external lookup mechanism in Splunk Enterprise.
Fixing Splunk Vulnerability with New Updates
Source: Splunk
This vulnerability affects versions prior to 9.0.10, 9.1.5, and 9.2.2. Attackers exploiting this flaw can execute arbitrary commands by leveraging the “copybuckets.py” script within the “splunk_archiver” application. This issue highlights the importance of upgrading to the latest Splunk versions promptly or temporarily disabling the affected application to mitigate risks.
Another significant vulnerability, CVE-2024-36984, allows authenticated users in Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows to execute arbitrary code through a serialized session payload. This exploit occurs when untrusted data is serialized via the collect SPL command, enabling attackers to execute malicious code within the payload.
“Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. If the Splunk Enterprise instance disabled splunk_archiver, there is no impact and the severity is Informational”, says Splunk.
Comprehensive Security Measures and Recommendations
Splunk has advised users to update their installations to the latest versions to protect against these vulnerabilities effectively. Additionally, mitigating actions such as disabling the “splunk_archiver” application can provide interim protection until updates can be applied. The company emphasizes the importance of proactive security practices and prompt patch management to safeguard enterprise data and infrastructure.
In addition to the critical vulnerabilities mentioned, Splunk’s security updates also cover issues such as persistent cross-site scripting (XSS) in various endpoints, command injection, denial of service (DoS), and insecure file uploads. Each issue is addressed with specific patches or mitigation recommendations tailored to enhance system security.
While Splunk has not reported active exploitation of these vulnerabilities in the wild, the proactive release of security updates underscores their commitment to maintaining the integrity and security of their platforms. Users are strongly encouraged to implement these updates and follow recommended security practices to mitigate potential risks effectively.
Stay informed and prioritize cybersecurity measures to safeguard your Splunk deployments against emerging threats and vulnerabilities. Regular updates and vigilance are key to maintaining a secure environment in the cybersecurity domain.