---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Several High Vulnerabilities in Splunk Enterprise'
version: '1.0'
number: '2022-077'
original_date: 'November 02, 2022'
date: 'November 04, 2022'
---

_History:_

* _04/11/2022 --- v1.0 -- Initial publication_

# Summary

On November 2, 2022, Splunk released its quarterly Security Patch Update, which addresses nine HIGH severity vulnerabilities. The most severe, each with a CVSS score of `8.8` out of 10, are `CVE-2022-43571`, a Remote Code Execution (RCE) through the dashboard PDF generation component, `CVE-2022-43570`, an XML External Entity (XXE) injection through a custom View, and `CVE-2022-43568`, a Reflected Cross-Site Scripting (XSS) via the `radio` template.

# Technical Details

`CVE-2022-43571` allows an authenticated user to execute arbitrary code through the dashboard PDF generation component.

`CVE-2022-43570` allows an authenticated user to perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error.

`CVE-2022-43568`: a View allows Reflected Cross-Site Scripting via JavaScript Object Notation (JSON) in a query parameter when `output_mode=radio`.

# Mitigation and Workarounds

`CVE-2022-43571` - No mitigation or workarounds are available; upgrading is the only remedy.

`CVE-2022-43570` - The vulnerability affects instances with Splunk Web enabled. Workarounds include restricting who can upload lookup files and disabling Splunk Web. [2,3]

`CVE-2022-43568` - The vulnerability affects instances with Splunk Web enabled; disabling Splunk Web is a possible workaround. [2,3]

# Recommendations

CERT-EU strongly recommends upgrading Splunk Enterprise to version 8.1.12, 8.2.9 or 9.0.2, or a higher release on the respective branch. Where upgrading cannot happen immediately, the Splunk Web workaround above reduces exposure to two of the three most severe issues, but not to `CVE-2022-43571`.

# References

[1]

[2]

[3]
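The following helper turns the Recommendations and Mitigation sections above into a repeatable triage check. It is an added example, not CERT-EU or Splunk code: it compares a Splunk Enterprise version string against the fixed versions named in this advisory (8.1.12, 8.2.9, 9.0.2) and reads the `startwebserver` setting from a `web.conf` fragment to tell whether the "disable Splunk Web" workaround is already in effect. The `web.conf` text is constructed for the example; the handling of branches older than 8.1 (treated as affected) and newer than 9.0 (treated as fixed) is an assumption the advisory does not state.

```python
"""Triage helper for CERT-EU advisory 2022-077 (Splunk Enterprise).

Added example, not CERT-EU or Splunk code. Compares a Splunk Enterprise
version against the fixed versions in the advisory and checks whether the
"disable Splunk Web" workaround is in place via web.conf.
"""
import configparser
from typing import Dict, Tuple

# Fixed versions from the advisory, keyed by maintenance branch (major, minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 1): (8, 1, 12),
    (8, 2): (8, 2, 9),
    (9, 0): (9, 0, 2),
}
OLDEST_FIXED_BRANCH = (8, 1)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '9.0.1' (or a longer build string such as '9.0.1.3') into a 3-tuple.

    Components beyond the third are dropped; missing ones are padded with 0.
    """
    nums = [int(p) for p in version.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_patched(version: str) -> bool:
    """True if `version` is at or above the advisory's fix for its branch.

    Assumptions (not stated in the advisory): branches older than 8.1 have
    no fixed release and are reported as affected; branches newer than 9.0
    are reported as carrying the fix.
    """
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return False
    return True


def splunk_web_enabled(web_conf: str) -> bool:
    """Read [settings] startwebserver from web.conf text.

    Splunk Web is enabled unless startwebserver is explicitly set to a
    false-y value (0/false/no/off), so an empty or absent setting means on.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(web_conf)
    if not cp.has_section("settings"):
        return True
    return cp.getboolean("settings", "startwebserver", fallback=True)


def triage(version: str, web_conf: str) -> Dict[str, object]:
    """Combine both checks into the action the advisory calls for."""
    patched = is_patched(version)
    web_on = splunk_web_enabled(web_conf)
    if patched:
        action = "none: fixed release installed"
    elif web_on:
        # Disabling Splunk Web covers CVE-2022-43570 and CVE-2022-43568 only;
        # CVE-2022-43571 has no workaround, so the upgrade is still required.
        action = "upgrade now; interim: disable Splunk Web (does not cover CVE-2022-43571)"
    else:
        action = "upgrade now; Splunk Web already disabled (CVE-2022-43571 still exposed)"
    return {"version": version, "patched": patched, "web_enabled": web_on, "action": action}


if __name__ == "__main__":
    # Constructed web.conf fragment for the example (not from a real host).
    SAMPLE_WEB_CONF = "[settings]\nstartwebserver = 1\nhttpport = 8000\n"
    for ver in ("8.1.11", "8.2.9", "9.0.1", "9.0.2"):
        print(triage(ver, SAMPLE_WEB_CONF))
```

`triage()` is what a fleet inventory script would call per host, feeding it the output of `splunk version` and the contents of the effective `web.conf`; the returned `action` string distinguishes the two workaround-covered CVEs from `CVE-2022-43571`, which the advisory states has no workaround.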