Headline
CVE-2023-22941: Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).
Advisory ID: SVD-2023-0211
Published: 2023-02-14
Last Update: 2023-02-14
CVSSv3.1 Score: 6.5, Medium
Description
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).
Solution
For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, 9.0.4, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
Product
Version
Component
Affected Version
Fix Version
Splunk Enterprise
8.1
Splunk Web
8.1.12 and lower
8.1.13
Splunk Enterprise
8.2
Splunk Web
8.2.0 to 8.2.9
8.2.10
Splunk Enterprise
9.0
Splunk Web
9.0.0 to 9.0.3
9.0.4
Splunk Cloud Platform
-
Splunk Web
9.0.2209 and lower
9.0.2212
Mitigations and Workarounds
None
Detections
- Splunk Improperly Formatted Parameter Crashes splunkd
This hunting search provides information on who executed the crashing command, and when and how often the command was executed.
Severity
Splunk rated the vulnerability as Medium, 6.5, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability requires compromising a user account with the capability to create or edit a Field transformation or run the ‘ingestpreview’ command via Search.
Acknowledgments
James Ervin, Splunk