Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

vulnerability CVE-2022-32158 16_06_2022 versions before 9.0 Splunk

splunkcol
Builder
‎06-16-2022 08:50 AM

Hello,

I see that there is a new vulnerability that affects Splunk and I have a couple of doubts

https://www.splunk.com/en_us/product-security/announcements/svd-2022-0608.html

Excuse me if the question is silly but what is not clear to me is if I should update the version of Splunk Enterprise as SIEM or if I should update only the agents on the endpoints.

Or both?

Thank you for your answers

 

 

"

Description

Splunk Enterprise deployment servers in versions before 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server. 

The Splunk Cloud Platform (SCP) does not offer or use deployment servers and is not affected by the vulnerability. For SCP customers that run deployment servers, upgrade to version 9.0 or higher. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.

 

Solution

Upgrade Splunk Enterprise deployment servers to version 9.0 or higher

"

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-16-2022 09:32 AM

@splunkcol - The issue is with the Forwarder management (Deployment server) component, so if you are not using then you don't have to worry about it.

 

I hope this helps!!!

View solution in original post

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-16-2022 08:53 AM

@splunkcol - Earlier the resolution said you need to update everything to Splunk 9.0.

But the change log says you need to just update the Deployment Server to 9.0

VatsalJagani_0-1655394766854.png

 

I hope this helps!!!

Reply
Solved! Jump to solution

splunkcol
Builder
‎06-16-2022 09:01 AM

I usually download and install Splunk enterprise, then ask my clients to install the agent (Universal forwarder) for log forwarding.

In the installation wizard there is a step called "Deployment server" I omit that step, that is, I do not use deployment server.

So should I update Splunk? or update the agent on each endpoint? or not update anything because I don't use deployment server?

0 Karma
Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-16-2022 09:32 AM

@splunkcol - The issue is with the Forwarder management (Deployment server) component, so if you are not using then you don't have to worry about it.

 

I hope this helps!!!

Reply
Solved! Jump to solution

sam79
Engager
‎06-16-2022 07:06 PM

Hi, does anyone know if you can just upgrade the deployment server to version 9? Would it be backwards compatible?

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-16-2022 10:23 PM

Splunk Doc says:

VatsalJagani_0-1655443231993.png

https://docs.splunk.com/Documentation/Splunk/9.0.0/Updating/Planadeployment 

So it's definitely supporting Splunk version above 8.1.x. It probably works prior versions as well but it's not supported.

 

I hope this helps!!!

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...