All Apps and Add-ons

Bug in Latest DB Connect App

linu1988
Champion

Hello All,
I have updated the Splunk App for DB connect(V1.1.1). I was testing with few of the options before giving access to the end users.

The DB is configured with read-only option but when i run the update query it is able to update the table.

More over there is a security leakage also i have observed. When i form a query with proper DB name, schema, table name, i can see the content and update the same as the account has access to the other DB as well. We are using SQL Server.

SELECT *  FROM [msdb].[dbo].[table_name]

I understand that the user can be modified to have only read permission, if this is the only option why is there a READ-ONLY option on configuration page? Please guide me if i am doing something wrong.

Thanks

1 Solution

jcoates_splunk
Splunk Employee
Splunk Employee

Hi,

there's some subtlety to properly configuring secure access -- you may find this blog post and the docs helpful.

View solution in original post

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Hi,

there's some subtlety to properly configuring secure access -- you may find this blog post and the docs helpful.

0 Karma

linu1988
Champion

Thank you team, Seems like this bug is fixed in version 1.1.3 version now. Very happy to get this just before i make everything live 🙂

0 Karma

linu1988
Champion

That i have already made, as the enduser may try different things. i came across this thing while testing it myself.

0 Karma

aelliott
Motivator

I would recommend making the SQL user have read only permissions

0 Karma

linu1988
Champion

Important Update:
When you use |dboutput on a read-only option in DB connect it does work and show that it is readonly database.

But in the dbqyery view if you write it in the query window it doesn't and updates the table.

linu1988
Champion

Yes 1.1.11 , jre7. both tested on jdbc 3 and 4 driver for sql server

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

DB Connect is 1.1.11, correct? What's the JRE you're using? Also, is this MS's JDBC driver?

0 Karma

linu1988
Champion

If i use the update command on db query view e.g. update table set field=1 where value='x' it shows me some error but it updates the table. Exact error i dont remember but it's something like "Statement should return result set..". i am using sql server 2008 r2. i will make the user read only from DB level now as a work around.

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

well, as the documentation and the setup page say, that feature relies on the JDBC driver's implementation. Some are better than others. What's the database and update command you're using?

0 Karma

linu1988
Champion

I do understand splunk object level read-only permissions and DB read-only permissions. But the statement in setup page is

Allows execution of non-modifying queries only. This relies on the JDBC driver's implementation of "read-only" mode.

which is misleading. However i think the loophole needs to be addressed. Keep me posted please if there are any solution to this. I am quite regular here and splunk sites.

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Hi, the significance is that there are different "read-only" options with different meanings offered by Splunk, JDBC, and the database. To be secure, you must understand all of them. The read only option in the database connection setup screen is referring to the JDBC config option.

If these mapped cleanly, we would have already done it... We are working on a better solution though.

0 Karma

linu1988
Champion

The concern i have is the read-only property which is given during the database connection setup. If it does depend on the role of the DB user what is the significance of the option given in the set up? Splunk objects we could control the access, but in business environment there are many factors where creating new users just to read a DB is difficult.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...