Splunk
cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*
- < 10.0.1
- >= 9.4.0, <= 9.4.5
- >= 9.3.0, <= 9.3.7
- >= 9.2.0, <= 9.2.9
A vulnerability exists in Splunk Enterprise versions prior to 10.0.1, 9.4.6, 9.3.8, and 9.2.10, as well as in Splunk Cloud Platform versions prior to 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125. This vulnerability allows an unauthenticated attacker to inject American National Standards Institute (ANSI) escape codes into Splunk log files. The issue arises from improper validation at the /en-US/static/ web endpoint. Exploitation of this vulnerability could lead to the poisoning, forging, or obfuscation of sensitive log data, thereby potentially compromising log integrity and detection capabilities.
Exploitation of this vulnerability could allow for unauthorized log injection, leading to the poisoning, forging, or obfuscation of log data. This could disrupt normal log management processes and impair the ability to detect and respond to security incidents.
Users of Splunk Enterprise should upgrade to versions 10.0.1, 9.4.6, 9.3.8, 9.2.10, or higher. For Splunk Cloud Platform, the provider is actively monitoring and patching instances. Additionally, turning off Splunk Web can mitigate the vulnerability. For more information on disabling Splunk Web, consult the Splunk Enterprise documentation on managing users and security.
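A defensive check for the log-integrity impact described above, as an added example that is not part of the original advisory or Splunk's own code: it flags log lines that contain ANSI escape sequences or other control bytes and rewrites them as visible text so they can be reviewed safely. The sample log lines and their format are constructed for illustration; only the /en-US/static/ path comes from the advisory.

```python
import re

# Terminal control material per ECMA-48: CSI and OSC sequences, two-byte
# escapes, then any remaining control character (tab is left alone).
ANSI_OR_CTRL = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: ESC [ params final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"   # OSC: ESC ] text BEL/ST
    r"|\x1b[@-Z\\-_]"                        # other two-byte escapes
    r"|[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]"    # stray C0/C1 controls, DEL
)
ENDPOINT = "/en-US/static/"  # endpoint named in the advisory


def neutralize(line):
    """Rewrite control sequences as literal text (ESC becomes \\x1b)."""
    return ANSI_OR_CTRL.sub(
        lambda m: m.group().encode("unicode_escape").decode("ascii"), line
    )


def scan(text):
    """Return one finding per log line that carries control sequences."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        hits = ANSI_OR_CTRL.findall(line)
        if hits:
            findings.append({
                "lineno": lineno,
                "count": len(hits),
                "on_endpoint": ENDPOINT in line,
                "safe": neutralize(line),  # printable in any terminal
            })
    return findings


# Constructed sample (assumed access-log style, not real Splunk output).
SAMPLE_LOG = (
    '10.0.0.5 - - "GET /en-US/static/app.css HTTP/1.1" 200\n'
    '10.0.0.9 - - "GET /en-US/static/\x1b[31mx\x1b[0m HTTP/1.1" 404\n'
    '10.0.0.7 - - "GET /en-US/account/login HTTP/1.1" 200\n'
)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['lineno']}: {f['count']} control sequence(s), "
              f"static endpoint={f['on_endpoint']}: {f['safe']}")
```

Reviewing raw log files through a filter like `neutralize` keeps a terminal or pager from interpreting injected sequences while the affected instance is still unpatched.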