
Information Disclosure Vulnerability - Splunk 7.2.4.2

New Member

I have upgraded Splunk Enterprise to 7.2.4.2 as well as the forwarder. However, the Splunk Information Disclosure Vulnerability remains an issue. I can reach this URL unauthenticated (https://<>:8000/en-US/splunkd/_raw/services/server/info/server-info?outputmode=json) and receive the disclosed server info. The upgrade should've resolved it per the Splunk doc. (Nessus Plug-in 121164)

0 Karma

Re: Information Disclosure Vulnerability - Splunk 7.2.4.2

Ultra Champion

Are you running an authenticated scan against the endpoint with credentials?

The CVE, as discussed here: https://www.splunk.com/view/SP-CAAAP5E, addresses the issue by moving the endpoint to an authenticated request in versions >6.6.0.

I am not sure why Nessus would still detect this in an unauthenticated request.

0 Karma

Re: Information Disclosure Vulnerability - Splunk 7.2.4.2

New Member

Well, it's not Nessus. It's a Splunk issue. I can reach this URL unauthenticated (https://<>:8000/en-US/splunkd/_raw/services/server/info/server-info?outputmode=json) and get the disclosed information.

0 Karma

Re: Information Disclosure Vulnerability - Splunk 7.2.4.2

New Member

Fixed it. The restmap.conf file (Splunk/etc/system/local/restmap.conf) was set to allow unauthenticated users to view system information through a REST endpoint. The stanzas should read as follows:

[admin:server-info]
requireAuthentication = true

[admin:server-info-alias]
requireAuthentication = true

0 Karma
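
The restmap.conf setting from the fix above can be checked with a short script. This is an added example, not part of the original thread or Splunk's own tooling. The sample file contents, the function names and the list of boolean spellings treated as true are assumptions.

```python
import re

# Stanzas named in the fix above.
TARGETS = ("admin:server-info", "admin:server-info-alias")
# Assumption: spellings treated as boolean true in a .conf file.
TRUTHY = {"true", "1", "t", "yes", "y"}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, skipping comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1).strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_restmap(text):
    """Return {stanza: status} for the two server-info stanzas."""
    stanzas = parse_conf(text)
    report = {}
    for name in TARGETS:
        value = stanzas.get(name, {}).get("requireAuthentication")
        if value is None:
            # Nothing set here; the effective value comes from another file.
            report[name] = "not set in this file"
        elif value.lower() in TRUTHY:
            report[name] = "authenticated"
        else:
            report[name] = "UNAUTHENTICATED"
    return report

# Constructed sample: a local restmap.conf that allows unauthenticated access.
SAMPLE_BEFORE = """\
# constructed sample, not taken from the thread
[admin:server-info]
requireAuthentication = false

[admin:server-info-alias]
requireAuthentication = false
"""
# The same file after applying the stanzas from the fix.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("= false", "= true")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_restmap(text))
```

To check a real instance, pass the contents of Splunk/etc/system/local/restmap.conf to `audit_restmap`. A "not set in this file" result means the effective value is inherited from another restmap.conf.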