
CVE-2022-43564: SVD-2022-1104 | Splunk


Advisory ID: SVD-2022-1104

Published: 2022-11-02

CVSSv3.1 Score: 4.9, Medium

CWE: CWE-400

CVE ID: CVE-2022-43564

Last Update: 2022-11-02

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Bug ID: SPL-220964

Description

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user who can create search macros and schedule search reports can cause a denial of service through the use of specially crafted search macros.

Solution

For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, or higher.

For Splunk Cloud Platform versions below 9.0.2205, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you’re running, then create a new support case.

Product Status

| Product | Version | Component | Affected Version | Fixed Version |
| --- | --- | --- | --- | --- |
| Splunk Enterprise | 8.1 | REST API | 8.1.11 and lower | 8.1.12 |
| Splunk Enterprise | 8.2 | REST API | 8.2.0 to 8.2.8 | 8.2.9 |
| Splunk Enterprise | 9.0 | REST API | Not affected | - |
| Splunk Cloud Platform | - | REST API | 9.0.2203.4 and lower | 9.0.2205 |

Mitigations and Workarounds

You can use a proxy to filter out requests to the `/services/search/parser` REST endpoint that include the option `ignore_parse_error=t`. You can either block these requests entirely or pass them through with that option removed. Other requests to the same endpoint do not cause the denial of service.
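One way to express the proxy rule described above, as an added example that is not part of the Splunk advisory: a decision function a filtering proxy could call for each request, supporting both the block and the strip behaviour. Assumptions: request bodies are form-encoded, the namespaced `/servicesNS/<user>/<app>/` form of the endpoint is covered as well, and the option is removed whatever its value; the function and variable names are hypothetical.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlencode

# Endpoint named in the advisory. Assumption: the namespaced
# /servicesNS/<user>/<app>/ form of the same endpoint is covered too.
PARSER_PATH = re.compile(r"/(services|servicesNS/[^/]+/[^/]+)/search/parser", re.I)
OPTION = "ignore_parse_error"


def _strip_option(encoded):
    """Drop OPTION from a urlencoded string; return (cleaned, was_present)."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.strip().lower() != OPTION]
    return urlencode(kept), len(kept) != len(pairs)


def filter_request(path, query="", body="", mode="strip"):
    """Return (action, query, body); action is 'pass', 'strip' or 'block'.

    Assumption: body is application/x-www-form-urlencoded. The option is
    removed whatever its value, which is stricter than matching only "=t".
    """
    # Decode and normalise the path so encoded characters, doubled slashes
    # or a trailing slash do not sidestep the match.
    normalized = posixpath.normpath(re.sub(r"/{2,}", "/", unquote(path)))
    if not PARSER_PATH.fullmatch(normalized):
        return "pass", query, body
    new_query, in_query = _strip_option(query)
    new_body, in_body = _strip_option(body)
    if not (in_query or in_body):
        return "pass", query, body          # other parser requests are untouched
    if mode == "block":
        return "block", query, body         # proxy rejects, nothing is forwarded
    return "strip", new_query, new_body     # forward with the option removed


if __name__ == "__main__":
    # Constructed sample requests (path, query, body), not captured traffic.
    samples = [
        ("/services/search/parser", "output_mode=json", "q=search+index%3Dmain"),
        ("/services/search/parser", "output_mode=json",
         "q=search+index%3Dmain&ignore_parse_error=t"),
        ("/services/search/jobs", "", "search=search+index%3Dmain"),
    ]
    for sample in samples:
        print(sample[0], "->", filter_request(*sample))
```

In strip mode the proxy must also recompute `Content-Length` for the rewritten body before forwarding.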

Detections

None

Severity

Splunk rates the vulnerability as Medium, 4.9, with a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H.

Questions? Submit your question to Splunk Support.
