Splunk Search

Can you clarify Vulnerability report SPL-144192?

chriswilkes33
Explorer

Vulnerability report SPL-144192 seems to have contradicting data in it. It begins by talking about being vulnerable to this specific thing when running init or control scripts as a root user, but later in the report it mentions some specific conditions you must meet to be vulnerable, the first being run init scripts as non-root user.

Soooo...which is it?

How do I know if I'm vulnerable with such contradictory information?

I don't have enough karma points to post links apparently, even to splunks own web servers, but Ive attempted below to post a link in case it lets me...

splunk.com/view/SP-CAAAP3M#MitigationandUpgrades

1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi @chriswilkes33,

Before you go through below content, please consider below configuration for Redhat only and I am considering that splunk is running as splunk user, command or configuration might change for different version of OS. 😛

After Splunk version 6.1, splunk changed init script which you created by root user using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user>

So /etc/init.d/splunk script includes command like for start, stop, restart and status

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

However before Splunk version 6.1 when you created /etc/init.d/splunk using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user at that start, stop, restart and status command looke like below

  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

Now whether you are affected or not, you need to check 2 things

  1. If $SPLUNK_HOME/etc/splunk-launch.conf contains SPLUNK_OS_USER=<user> line
  2. And you created init script after splunk version 6.1, using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user, which contains command as below

          "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
          "/opt/splunkforwarder/bin/splunk" stop
          "/opt/splunkforwarder/bin/splunk" restart
          "/opt/splunkforwarder/bin/splunk" status
    

    If you satisfy both the condition then you are affected.
    Mitigation is you need to change those command to look like this

    su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
    su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
    su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
    su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "
    

I hope this clears.

Thanks,
Harshil

View solution in original post

harsmarvania57
SplunkTrust
SplunkTrust

Hi @chriswilkes33,

Before you go through below content, please consider below configuration for Redhat only and I am considering that splunk is running as splunk user, command or configuration might change for different version of OS. 😛

After Splunk version 6.1, splunk changed init script which you created by root user using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user>

So /etc/init.d/splunk script includes command like for start, stop, restart and status

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

However before Splunk version 6.1 when you created /etc/init.d/splunk using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user at that start, stop, restart and status command looke like below

  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

Now whether you are affected or not, you need to check 2 things

  1. If $SPLUNK_HOME/etc/splunk-launch.conf contains SPLUNK_OS_USER=<user> line
  2. And you created init script after splunk version 6.1, using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user, which contains command as below

          "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
          "/opt/splunkforwarder/bin/splunk" stop
          "/opt/splunkforwarder/bin/splunk" restart
          "/opt/splunkforwarder/bin/splunk" status
    

    If you satisfy both the condition then you are affected.
    Mitigation is you need to change those command to look like this

    su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
    su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
    su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
    su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "
    

I hope this clears.

Thanks,
Harshil

chriswilkes33
Explorer

Thanks for the explanation. Makes sense.

0 Karma

DATEVeG
Path Finder

Thanks! That sounds reasonable.

Will there be a proper solution by splunk for this problem?

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

As of now splunk suggested to update /etc/init.d/splunk as per answer given by me.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...