Splunk Patches High-Severity Vulnerabilities in Enterprise Product

July 2, 2024 at 09:22AM

Splunk announced patches for 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including six high-severity bugs. The vulnerabilities include remote code execution flaws, a command injection flaw, a path traversal, and a denial-of-service issue. Splunk also addressed medium-severity flaws. No mention of exploitation in the wild was made. Additional information is available on Splunk’s security advisories page.

Splunk announced patches for 16 vulnerabilities in Splunk Enterprise and Cloud Platform. The patches include fixes for six high-severity bugs, three of which are remote code execution flaws that require authentication for successful exploitation.

One of the RCE vulnerabilities, tracked as CVE-2024-36985, can be exploited by a low-privileged user through a lookup that likely references the ‘splunk_archiver’ application. This issue affects Splunk Enterprise versions 9.2.x, 9.1.x, and 9.0.x. The vulnerability is addressed in Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10, and can also be mitigated by disabling the ‘splunk_archiver’ application.
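As an added example (not code from Splunk or from the article), the version data above can be turned into a patch-triage check for CVE-2024-36985: it compares a Splunk Enterprise version against the fixed releases named in the summary, and reports branches the text does not mention as unknown rather than safe. The host inventory in the block is constructed.

```python
"""Triage check for CVE-2024-36985 using the version data stated in the summary.

Assumption: the affected branches and fixed versions below are taken from the
article text; branches it does not mention (e.g. 8.x or 9.3.x) are reported as
'not-listed' rather than treated as safe.
"""
from __future__ import annotations

# Affected branch -> first fixed release, as stated in the summary above
FIXED_VERSIONS = {
    (9, 2): (9, 2, 2),
    (9, 1): (9, 1, 5),
    (9, 0): (9, 0, 10),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '9.1.4' into (9, 1, 4); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Splunk version: {version!r}")
    return tuple(int(p) for p in parts)


def cve_2024_36985_status(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-listed' for a Splunk Enterprise version."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "not-listed"
    # Pad short versions ('9.2' -> (9, 2, 0)) so tuple comparison is well defined;
    # numeric tuples avoid the string-comparison pitfall where '9.0.2' > '9.0.10'
    v = v + (0,) * (len(fixed) - len(v))
    return "fixed" if v >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status; inventory maps hostname -> reported Splunk version."""
    groups: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "not-listed": []}
    for host, version in sorted(inventory.items()):
        groups[cve_2024_36985_status(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    sample = {"idx01": "9.2.1", "idx02": "9.2.2", "sh01": "9.1.4",
              "sh02": "9.0.10", "old01": "8.2.9"}
    for status, hosts in triage(sample).items():
        print(f"{status:11s} {hosts}")
```

Hosts in the 'vulnerable' group should be scheduled for the fixed release or, as the advisory notes, have the 'splunk_archiver' application disabled in the meantime.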

Another RCE bug, tracked as CVE-2024-36984, affects Splunk Enterprise for Windows and allows an authenticated attacker to execute a crafted query to serialize untrusted data and execute arbitrary code. This exploit requires the use of the collect SPL command, and the vulnerability is mitigated in the patched versions.

The third RCE vulnerability affects the dashboard PDF generation component in the Enterprise and Cloud Platform products, due to a vulnerable version of the ReportLab Toolkit (v3.6.1) Python library.

In addition to the RCE flaws, Splunk also patched a high-severity command injection flaw that could allow an authenticated user to create an external lookup calling to a legacy internal function and insert code in the Splunk platform’s installation directory.

The remaining high-severity bugs include a path traversal in Splunk Enterprise on Windows and a denial-of-service in the Enterprise and Cloud Platform products. The company reported that it has no evidence of these vulnerabilities being exploited in the wild.

Moreover, Splunk announced patches for nearly two dozen issues in third-party packages in Splunk Enterprise, and notified users of Splunk Enterprise on Linux and Universal Forwarder on Solaris about an incorrectly compiled OpenSSL cryptographic library in certain versions and architectures.

For additional details, you can find more information on Splunk’s security advisories page.