topic Re: Is Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) affected by CVE-2024-7264? in Splunk Enterprise

Is Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) affected by CVE-2024-7264?

StephenD1 — Thu, 30 Jan 2025 18:03:46 GMT

I have Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) installed.

My security team flagged a possible vuln on /opt/splunk/opt/mongo/lib/libcurl.so.4.8.0 related to CVE-2024-7264, which apparently affects libcurl versions between 7.32.0 and prior to 8.9.1. I ran both the following commands

splunk cmd curl --version splunk cmd mongodb --version

and confirmed the libcurl version is affected. The relevant results were:

Curl:

curl 7.61.1 ... libcurl/7.61.1 ...

Mongod:

mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod) mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod) mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod) mongod: /opt/splunk/lib/libssl.so.10: no version information available (required by mongod) db version v7.0.14 Build Info: { "version": "7.0.14", ... }

How do I go about disabling Mongod (if possible)?

Alternatively, is there any info on whether this will be addressed in a future update or if this is relevant at all for Splunk Enterprise?

Re: Is Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) affected by CVE-2024-7264?

jrubio — Mon, 07 Apr 2025 12:20:28 GMT

Was there any answer to this? I have the same CVE pop up on my scan and want to find a fix/workaround for it. thanks!

Re: Is Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) affected by CVE-2024-7264?

bendeloitte — Thu, 15 May 2025 22:24:22 GMT

The Splunk fix is known as SPL-270280. A fix has been included in the latest version 9.4.2 and backported to supported versions of older releases 9.3.4, 9.2.6 and 9.1.9

https://splunk.my.site.com/customer/s/article/Splunk-vulnerability-libcurl-7-32-0-8-9-1-DoS-CVE-2024-7264-TEN-205024

Re: Is Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) affected by CVE-2024-7264?

asimit — Fri, 16 May 2025 10:02:24 GMT

Hi @StephenD1 ,

Yes, Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) is affected by CVE-2024-7264. This vulnerability affects libcurl versions between 7.32.0 and prior to 8.9.1, and as you confirmed, your installation includes libcurl 7.61.1, which falls within this range.

## Official Fix
According to the latest information:
- The Splunk fix is identified as SPL-270280
- The fix has been included in Splunk Enterprise 9.4.2
- The fix has also been backported to supported older versions: 9.3.4, 9.2.6, and 9.1.9

## Recommended Actions

### Option 1: Upgrade to a Patched Version
The most comprehensive solution is to upgrade to one of the fixed versions:
- Splunk Enterprise 9.4.2 (preferred for your current version)
- Or one of the other patched versions (9.3.4, 9.2.6, or 9.1.9)

### Option 2: Disable KVStore (MongoDB) Temporarily
If you cannot upgrade immediately, you can consider disabling the KVStore service, which uses MongoDB:

1. Check if any critical apps depend on KVStore:
```
splunk list kvstore -collections
```

2. Disable KVStore:
```
splunk disable kvstore
splunk restart
```

3. Verify MongoDB is no longer running:
```
ps -ef | grep mongo
```

Note that disabling KVStore will impact any apps that rely on it, including:
- Enterprise Security
- ITSI
- Splunk App for Infrastructure
- Some custom apps that use KVStore collections

### Option 3: Mitigate Risk Through Network Controls
If you can't upgrade or disable KVStore:
- Ensure MongoDB is properly configured to only listen on localhost
- Implement additional network controls to restrict access to the MongoDB port (typically 8191)
- Monitor for potential exploitation attempts

## Additional Information
You can find more details in the Splunk article regarding this vulnerability:
https://splunk.my.site.com/customer/s/article/Splunk-vulnerability-libcurl-7-32-0-8-9-1-DoS-CVE-2024-7264

The CVE-2024-7264 is a denial-of-service vulnerability in libcurl that could allow a malicious server to cause a denial of service by sending specially crafted responses that trigger excessive memory consumption.

## Long-term Recommendation
For a more permanent solution, plan to upgrade to the patched version as soon as your change management process allows. This is especially important if you have internet-facing Splunk components that might be vulnerable to this exploitation vector.

Please give 👍 for support 😁 happly splunking .... 😎