<!doctype html><html lang="en" class="no-js"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title> SVD-2022-0606 | Splunk Vulnerability Disclosure</title><meta property="og:site_name" content="Splunk Vulnerability Disclosure"><meta property="og:site_description" content="Splunk Vulnerability Disclosure"><meta property="og:title" content="Splunk Enterprise and Universal Forwarder CLI connections lacked TLS certificate validation"><meta property="og:description" content=""><meta property="og:locale" content="en-US"><meta property="og:url" content=""><meta property="og:image" content="/assets/img/logo_color.jpg"><link rel="shortcut icon" type="image/x-icon" href="/assets/img/favicon.png"/><link rel="stylesheet" href="/assets/css/datatables.css"><link rel="stylesheet" href="/assets/css/main.css"><link rel="stylesheet" href="/assets/css/fontawesome-free-6.2.0.css"> <script src="/assets/js/jquery-3.7.1.js"></script> <script src="/assets/js/jquery.greedy-navigation.js"></script> <script src="/assets/js/datatables.js"></script> <script src="/assets/js/main.js"></script></head><body class="layout--advisory"><div class="masthead"><div class="masthead__inner-wrap"><div class="masthead__menu"><nav class="greedy-nav"> <a class="site-logo" href="https://www.splunk.com/"><img src="/assets/img/logo.svg" alt=" "></a><ul class="visible-links"><li class="advisory-hide-on-mobile masthead__menu-item"> <a href="/" class="advisory-link">Home</a></li><li class="advisory-hide-on-mobile masthead__menu-item"> <a href="/report" class="advisory-link">Report a Vulnerability</a></li><li class="advisory-hide-on-mobile masthead__menu-item"> <a href="/faqs" class="advisory-link">FAQs</a></li><li class="advisory-hide-on-mobile masthead__menu-item"> <a href="https://www.splunk.com/en_us/form/splunk-security-advisories-notification.html" class="advisory-link">Mailing List</a></li></ul><button class="greedy-nav__toggle hidden advisory-show-on-mobile" 
type="button"> <span class="visually-hidden">Toggle menu</span><div class="navicon"></div></button><ul class="hidden-links hidden advisory-show-on-mobile"><li class="masthead__menu-item"> <a href="/">Home</a></li><li class="masthead__menu-item"> <a href="/report">Report a Vulnerability</a></li><li class="masthead__menu-item"> <a href="/faqs">FAQs</a></li><li class="masthead__menu-item"> <a href="https://www.splunk.com/en_us/form/splunk-security-advisories-notification.html">Mailing List</a></li></ul></nav></div></div></div><div class="initial-content"><div id="main" role="main"><article class="splash"><section class="page__content"><div class="advisory-show-on-mobile"><p>&nbsp;</p></div><div id="advisory" role="main"><div class="advisory-title"><h1>Splunk Enterprise and Universal Forwarder CLI connections lacked TLS certificate validation</h1></div><div><div class="advisory-row"><div class="advisory-column-left"><p><b>Advisory&nbsp;ID:</b>&nbsp;SVD-2022-0606</p></div><div class="advisory-column-right"><p><b>CVE&nbsp;ID:</b>&nbsp;<a href="https://www.cve.org/CVERecord?id=CVE-2022-32156" class="advisory-no-link advisory-link">CVE-2022-32156</a></p></div></div><div class="advisory-row"><div class="advisory-column-left"><p><b>Published:</b>&nbsp;2022-06-14</p></div><div class="advisory-column-right"><p><b>Last&nbsp;Update:</b>&nbsp;2022-07-18</p></div></div><div class="advisory-row"><div class="advisory-column-left"><p><b>CVSSv3.1&nbsp;Score:</b>&nbsp;7.4,&nbsp;High</p></div><div class="advisory-column-right"><p><b>CVSSv3.1&nbsp;Vector:</b>&nbsp;<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" class="advisory-no-link advisory-link">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N</a></p></div></div><div class="advisory-row"><div class="advisory-column-left"><p><b>CWE:</b>&nbsp;<a href="https://cwe.mitre.org/data/definitions/295.html" class="advisory-no-link advisory-link">CWE-295</a></p></div><div 
class="advisory-column-right"><p><b>Bug&nbsp;ID:</b>&nbsp;SPL-49451</p></div></div></div><div><h2 id="description">Description</h2><p>In Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface (CLI) did not validate TLS certificates while connecting to a remote Splunk platform instance by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, connections from misconfigured nodes without valid certificates did not fail by default. After updating to version 9.0, see <a href="https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation?#Configure_TLS_host_name_validation_for_the_Splunk_CLI">Configure TLS host name validation for the Splunk CLI</a> to enable the remediation.</p><p>The vulnerability does not affect the Splunk Cloud Platform. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.</p><h2 id="solution">Solution</h2><p>Upgrade Splunk Enterprise and Universal Forwarder versions to 9.0 or higher and <a href="https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation?#Configure_TLS_host_name_validation_for_the_Splunk_CLI">Configure TLS host name validation for the Splunk CLI</a>.</p><h2 id="product-status">Product Status</h2><div><table class="advisory-table" id="advisory-table"><thead class="advisory-th"><tr><th>Product</th><th>Version</th><th>Component</th><th>Affected Version</th><th>Fix Version</th></tr></thead><tbody><tr class="advisory-tr"><td class="advisory-td" label="Product">Splunk Enterprise</td><td class="advisory-td" label="Version">9.0</td><td class="advisory-td" label="Component">-</td><td class="advisory-td" label="Affected Version">Versions before 9.0</td><td class="advisory-td" label="Fix Version">9.0.0</td></tr><tr class="advisory-tr"><td class="advisory-td" label="Product">Universal Forwarder</td><td class="advisory-td" 
label="Version">9.0</td><td class="advisory-td" label="Component">-</td><td class="advisory-td" label="Affected Version">Versions before 9.0</td><td class="advisory-td" label="Fix Version">9.0.0</td></tr></tbody></table></div><h2 id="severity-considerations">Severity Considerations</h2><p>Splunk strongly recommends securing your Splunk environment with hardened TLS configurations. See <a href="https://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL">Securing the Splunk platform with TLS</a> for more information. However, the vulnerability assumes that you have configured your Splunk platform instances to use transport layer security (TLS) certificates for secure network connections. If you have not and are using the default certificates, the vulnerability is not applicable and is informational.</p><h2 id="acknowledgments">Acknowledgments</h2><p>Chris Green at Splunk</p><h2 id="changelog">Changelog</h2><p>2022-07-18: Added Severity Considerations</p></div></div></section></article></div></div><div id="footer" class="page__footer"><footer><div class="page__footer-follow"><ul class="social-icons"><li><a href="mailto:prodsec@splunk.com" rel="nofollow noopener noreferrer" class="advisory-icon-a"><i class="fa-regular fa-envelope advisory-icon-i"></i> Email</a></li><li><a href="/feed.xml" rel="nofollow noopener noreferrer" class="advisory-icon-a"><i class="fa-solid fa-rss advisory-icon-i"></i> RSS Feed</a></li><li><a href="https://login.splunk.com/page/sso_redirect?type=portal" rel="nofollow noopener noreferrer" class="advisory-icon-a"><i class="fa-solid fa-link advisory-icon-i"></i> Support</a></li></ul></div><div class="page__footer-copyright">&copy; 2005 - 2024 Splunk Inc. 
All rights reserved.</div><div class="page__footer-links"><a href="https://www.splunk.com/en_us/legal.html" rel="nofollow noopener noreferrer">Legal</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://www.splunk.com/en_us/legal/privacy/privacy-policy.html" rel="nofollow noopener noreferrer">Privacy</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://www.splunk.com/en_us/legal/terms/terms-of-use.html" rel="nofollow noopener noreferrer">Website Terms of Use</a></div></footer></div></body></html>
