Headline
CVE-2023-32712: Unauthenticated Log Injection on '/var/log/splunk/web_service.log' Log File
In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can use a specially crafted web URL in their browser to cause log file poisoning. The attack requires the attacker to have secure shell (SSH) access to the instance and use a terminal program that supports a certain feature set to execute the attack successfully.
Advisory ID: SVD-2023-0606
Published: 2023-06-01
Last Update: 2023-06-01
Description
An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute.
Solution
For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.
This vulnerability does not affect Splunk Cloud Platform instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
Mitigations and Workarounds
Do not use a terminal program that can send ANSI escape codes to access a Splunk Enterprise instance.
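When reviewing the log file named in the headline, the following added example (not Splunk code and not part of the advisory) flags lines containing ANSI escape sequences or other control characters and returns them with those bytes made visible, so a terminal never interprets them. The sample lines are constructed and do not reproduce the real web_service.log format; the function names are hypothetical.

```python
import re
import sys

# ANSI escape sequences: CSI (ESC [ ... final), OSC (ESC ] ... BEL or ESC \),
# and the remaining two-byte ESC sequences.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI, e.g. colours, cursor moves
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"   # OSC, e.g. window title
    r"|\x1b[@-Z\\-_]"                        # other ESC + one byte
)
# Any C0 control character except tab, plus DEL (covers a bare ESC or CR too).
CTRL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def neutralize(text):
    """Replace each control byte with visible \\xNN text."""
    return CTRL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def scan(lines):
    """Return (line_number, sequences_found, safe_text) for suspicious lines."""
    findings = []
    for number, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        sequences = ANSI_RE.findall(line)
        if sequences or CTRL_RE.search(line):
            findings.append(
                (number, [neutralize(s) for s in sequences], neutralize(line))
            )
    return findings


# Constructed sample input (assumption: not the real log format).
SAMPLE = [
    "2023-06-01 12:00:00 INFO GET /en-US/app/search 200\n",
    "2023-06-01 12:00:01 ERROR GET /en-US/\x1b[1;31mfake entry\x1b[0m 404\n",
    "2023-06-01 12:00:02 INFO GET /en-US/\x1b]0;title\x07 404\n",
]

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            results = scan(handle)
    else:
        results = scan(SAMPLE)
    for number, sequences, safe in results:
        print(f"line {number}: {len(sequences)} escape sequence(s): {safe}")
```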
Detections
None
Severity
Splunk rated the vulnerability as Low, 3.4, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N.
Acknowledgments
STÖK / Fredrik Alexandersson