{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-077.pdf"
    },
    "title": "Several High Vulnerabilities in Splunk Enterprise",
    "serial_number": "2022-077",
    "publish_date": "04-11-2022 14:55:00",
    "description": "On November 2, 2022, Splunk released the quarterly Security Patch Update which included nine HIGH severity vulnerabilities. The most severe vulnerabilities, which have a CVSS score of \"8.8\" out of 10, are \"CVE-2022-43571\" for Remote Code Execution (RCE) through dashboard PDF generation component, \"CVE-2022-43570\" for XML External Entity Injection through a custom View and \"CVE-2022-43568\" for Reflected Cross-Site Scripting via the radio template.",
    "url_title": "2022-077",
    "content_markdown": "---\ntitle: 'Several High Vulnerabilities in Splunk Enterprise'\nversion: '1.0'\nnumber: '2022-077'\noriginal_date: 'November 02, 2022'\ndate: 'November 04, 2022'\n---\n\n_History:_\n\n* _04/11/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn November 2, 2022, Splunk released the quarterly Security Patch Update which included nine HIGH severity vulnerabilities. The most severe vulnerabilities, which have a CVSS score of `8.8` out of 10, are `CVE-2022-43571` for Remote Code Execution (RCE) through dashboard PDF generation component, `CVE-2022-43570` for XML External Entity Injection through a custom View and `CVE-2022-43568` for Reflected Cross-Site Scripting via the radio template.\n\n# Technical Details\n\n`CVE-2022-43571` allows an authenticated user to execute arbitrary code through the dashboard PDF generation component.\n\n`CVE-2022-43570` allows an authenticated user to perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error.\n\n`CVE-2022-43568` a View allows for a Reflected Cross Site Scripting via JavaScript Object Notation (JSON) in a query parameter when `output_mode=radio`.\n\n# Mitigation and Workarounds\n\n`CVE-2022-43571`\n- No mitigation or workarounds available.\n\n`CVE-2022-43570`\n- Workarounds include restricting who can upload lookup files and disabling Splunk Web. The vulnerability affects instances with Splunk Web enabled. [2,3]\n\n`CVE-2022-43568`\n- The vulnerability affects instances with Splunk Web enabled, disabling Splunk Web is a possible workaround. [2,3]\n\n# Recommendations\n\nCERT-EU strongly recommends upgrading Splunk Enterprise to the version 8.1.12, 8.2.9, 9.0.2 or higher.\n\n# References\n\n[1] <https://www.splunk.com/en_us/product-security.html>\n\n[2] <https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents>\n\n[3] <https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>04/11/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On November 2, 2022, Splunk released the quarterly Security Patch Update which included nine HIGH severity vulnerabilities. The most severe vulnerabilities, which have a CVSS score of <code>8.8</code> out of 10, are <code>CVE-2022-43571</code> for Remote Code Execution (RCE) through dashboard PDF generation component, <code>CVE-2022-43570</code> for XML External Entity Injection through a custom View and <code>CVE-2022-43568</code> for Reflected Cross-Site Scripting via the radio template.</p><h2 id=\"technical-details\">Technical Details</h2><p><code>CVE-2022-43571</code> allows an authenticated user to execute arbitrary code through the dashboard PDF generation component.</p><p><code>CVE-2022-43570</code> allows an authenticated user to perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error.</p><p><code>CVE-2022-43568</code> a View allows for a Reflected Cross Site Scripting via JavaScript Object Notation (JSON) in a query parameter when <code>output_mode=radio</code>.</p><h2 id=\"mitigation-and-workarounds\">Mitigation and Workarounds</h2><p><code>CVE-2022-43571</code> - No mitigation or workarounds available.</p><p><code>CVE-2022-43570</code> - Workarounds include restricting who can upload lookup files and disabling Splunk Web. The vulnerability affects instances with Splunk Web enabled. [2,3]</p><p><code>CVE-2022-43568</code> - The vulnerability affects instances with Splunk Web enabled, disabling Splunk Web is a possible workaround. [2,3]</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends upgrading Splunk Enterprise to the version 8.1.12, 8.2.9, 9.0.2 or higher.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.splunk.com/en_us/product-security.html\">https://www.splunk.com/en_us/product-security.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents\">https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf\">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}