Splunk Enterprise and Cloud Platform Sensitive Information Disclosure Vulnerability in Search Head Clusters
Vulnerability
A vulnerability exists in Splunk Enterprise versions prior to 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and in Splunk Cloud Platform versions prior to 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119. In a deployment that uses a Search Head cluster and has the 'SHCConfig' log channel set to DEBUG, the cluster's 'splunk.secret' key can be written into Splunk's own log output, where it is readable by anyone who can reach those logs. Exploitation therefore requires either local access to the log files on disk or search access to the internal indexes that ingest them (the _internal index), which by default is restricted to the admin role. The weak setting is the precondition: at the default INFO level the key is not logged.
Impact
Exploitation of this vulnerability results in the unauthorized disclosure of the 'splunk.secret' key. That key is the instance-wide secret with which Splunk encrypts credentials stored in its configuration files (for example pass4SymmKey and TLS key passwords), and in a Search Head cluster it is shared by every member. An attacker who obtains it, together with the encrypted values from the .conf files, can recover those credentials in clear text; holding the key alone does not expose them, but it removes the only protection those stored secrets have.
Remediation
Upgrade to Splunk Enterprise 9.4.3, 9.3.5, 9.2.7, 9.1.10, or later. Splunk Cloud Platform customers need take no action, as Splunk is actively monitoring and patching those instances. If an immediate upgrade is not possible, set the 'SHCConfig' log channel to a less verbose level than DEBUG (INFO is the default), and update the 'splunk.secret' key file to use the new cipher. Two caveats apply. Lowering the log level only stops new writes; any copy of the key already present in splunkd.log or in the _internal index remains until those logs are purged or age out, so a deployment that ran SHCConfig at DEBUG should treat the key as exposed and rotate it. Rotating 'splunk.secret' means the secrets encrypted under the old key must be re-encrypted, and the new key file must be distributed to every cluster member, since members must share the same value.
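The following audit script is an added example and not part of the advisory or of Splunk's own tooling. It covers both halves of the condition described above: it parses the log-level configuration for the SHCConfig channel, rewrites it to a safe level, and scans log lines for a verbatim copy of the key so an operator can tell whether rotation is needed rather than just lowering verbosity. It assumes the "category.<Channel>=<LEVEL>" syntax that $SPLUNK_HOME/etc/log.cfg and log-local.cfg use; the configuration excerpt, the secret value and the splunkd.log lines are constructed for the example, and the DEBUG line carrying the key is hypothetical.

```python
"""Audit helpers for the SHCConfig / splunk.secret exposure.

Added example, not Splunk code. Assumed: the level file uses Splunk's
"category.<Channel>=<LEVEL>" syntax (log.cfg / log-local.cfg). All sample
data below is constructed; the log line that carries the key is hypothetical.
"""
import re
from typing import Dict, List

# Constructed log-local.cfg excerpt showing the weak setting the advisory warns about.
SAMPLE_LOG_LOCAL_CFG = """\
[splunkd]
category.SHCConfig=DEBUG
category.SHCRaftConsensus=INFO
"""

# Constructed stand-in for the contents of $SPLUNK_HOME/etc/auth/splunk.secret.
SAMPLE_SECRET = "ConstructedSecretValueDoNotUse0123456789abcdef"

# Constructed splunkd.log excerpt. The layout ("<ts> <LEVEL> <Component> - <msg>")
# mirrors splunkd.log; the DEBUG line containing the key is hypothetical.
SAMPLE_SPLUNKD_LOG = [
    "07-01-2025 10:00:01.000 +0000 INFO  SHCConfig - captain_uri=https://sh1.example.test:8089",
    "07-01-2025 10:00:01.010 +0000 INFO  SHCRaftConsensus - Leader election completed",
    f"07-01-2025 10:00:01.020 +0000 DEBUG SHCConfig - secret={SAMPLE_SECRET}",
    "07-01-2025 10:00:02.000 +0000 INFO  SHCConfig - Member joined cluster",
]

CHANNEL_RE = re.compile(r"^category\.(?P<chan>[^=\s]+)\s*=\s*(?P<level>[A-Za-z]+)\s*$")


def channel_levels(cfg_text: str) -> Dict[str, str]:
    """Return {channel: LEVEL} for every category.<Channel>=<LEVEL> line."""
    levels: Dict[str, str] = {}
    for raw in cfg_text.splitlines():
        m = CHANNEL_RE.match(raw.strip())
        if m:
            levels[m.group("chan")] = m.group("level").upper()
    return levels


def shcconfig_is_debug(cfg_text: str) -> bool:
    """True when the SHCConfig channel is at the vulnerable DEBUG level."""
    return channel_levels(cfg_text).get("SHCConfig") == "DEBUG"


def set_channel_level(cfg_text: str, channel: str, level: str) -> str:
    """Rewrite (or append) the level line for one channel; all other lines are kept."""
    out, replaced = [], False
    for raw in cfg_text.splitlines():
        m = CHANNEL_RE.match(raw.strip())
        if m and m.group("chan") == channel:
            out.append(f"category.{channel}={level.upper()}")
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append(f"category.{channel}={level.upper()}")
    return "\n".join(out) + "\n"


def find_secret_leaks(secret: str, log_lines: List[str]) -> List[int]:
    """Indices of log lines that contain the splunk.secret value verbatim.

    The key is a long random string, so a literal substring match is sufficient
    and does not false-positive on ordinary log text.
    """
    return [i for i, line in enumerate(log_lines) if secret in line]


def audit(cfg_text: str, secret: str, log_lines: List[str]) -> Dict[str, object]:
    """One report covering the weak setting and any leak that already happened."""
    leaks = find_secret_leaks(secret, log_lines)
    return {
        "shcconfig_debug": shcconfig_is_debug(cfg_text),
        "leaked_line_indices": leaks,
        # Lowering verbosity stops new writes; an existing copy still requires rotation.
        "rotate_secret": bool(leaks),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG_LOCAL_CFG, SAMPLE_SECRET, SAMPLE_SPLUNKD_LOG))
    print(set_channel_level(SAMPLE_LOG_LOCAL_CFG, "SHCConfig", "INFO"), end="")
```

On a real search head, feed channel_levels() the contents of $SPLUNK_HOME/etc/log-local.cfg, find_secret_leaks() the stripped contents of $SPLUNK_HOME/etc/auth/splunk.secret and the lines of every splunkd.log* file under $SPLUNK_HOME/var/log/splunk/, and run the same search against the _internal index, since a copy indexed there survives a rotation of the on-disk log files. Writing the corrected level into log-local.cfg keeps it across restarts; the running process can be changed immediately with the Splunk CLI (splunk set log-level SHCConfig -level INFO).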
