Manufacturer Splunk has to close a lot of gaps with security patches in its planned quarterly update. Of the 12 updates listed, Splunk itself rates 9 as High severity. In addition, there are 2 third-party updates that are also classified as High.
The list of security patches for Splunk Enterprise products is long. In addition to the vulnerabilities published months ago, the planned quarterly patch list contains another 12 vulnerabilities plus 2 further vulnerabilities in third-party components. Administrators and CISOs should pay attention to the published list now, as 9 of the 12 vulnerabilities are classified as High. Several cross-site scripting vulnerabilities stand out, and one issue even allows a denial-of-service attack via search macros.
9 vulnerabilities rated High
Splunk itself states regarding its quarterly security patches: “We plan to create security patch updates and make them available via scheduled cloud releases or on-premises maintenance releases for supported versions of Splunk products at the time the quarterly advisory is published. If patches cannot be backported due to technical feasibility or other reasons, we will publish mitigations and additional compensating controls.” Security patch updates are typically released on the first Tuesday of Splunk's fiscal quarter. The next three planned dates are February 7, 2023, May 2, 2023 and August 1, 2023.
All updates are dated November 2, 2022.
- Indexing blockage via malformed data sent over the S2S or HEC protocols in Splunk Enterprise (High, CVE-2022-43572)
- Remote code execution via the Dashboard PDF Generation component in Splunk Enterprise (High, CVE-2022-43571)
- XML External Entity injection via a custom view in Splunk Enterprise (High, CVE-2022-43570)
- Persistent cross-site scripting via a data model object name in Splunk Enterprise (High, CVE-2022-43569)
- Reflected cross-site scripting via the radio template in Splunk Enterprise (High, CVE-2022-43568)
- Remote code execution via the Mobile Alerts feature of the Splunk Secure Gateway app (High, CVE-2022-43567)
- Risky command safeguards bypassed via a search ID query in Analytics Workspace in Splunk Enterprise (High, CVE-2022-43566)
- Risky command safeguards bypassed via the "tstats" command's JSON in Splunk Enterprise (High, CVE-2022-43565)
- Risky command safeguards bypassed via "rex" search command field names in Splunk Enterprise (High, CVE-2022-43563)
- Persistent cross-site scripting in the "Save Table" dialog in Splunk Enterprise (Medium, CVE-2022-43561)
- Denial of service in Splunk Enterprise via search macros (Medium, CVE-2022-43564)
- Host header injection in Splunk Enterprise (Low, CVE-2022-43562)
Another 2 third-party vulnerabilities
- November third-party package updates in Splunk Enterprise (High)
- Splunk's response to OpenSSL CVE-2022-3602 and CVE-2022-3786 (High)
About Splunk
Splunk Inc. helps companies around the world turn data into action. Splunk technology was developed to examine, monitor, analyze and act on data of all types and sizes as the basis for concrete decisions.