Why is update to 9.0.3 still showing the vulnerability CVE-2021-32036?

Badger1874
Engager

The company's Splunk Enterprise was recently updated to 9.0.3, but this is still showing the vulnerability CVE-2021-32036 due to 9.0.3 installing MongoDB 4.2.17. At least this is the assumption. Is there any documentation anywhere that can confirm what version of MongoDB is packaged and installed with Splunk Enterprise 9.0.3 and above? What version of Splunk Enterprise would be needed to mitigate this issue? (MongoDB must be version 4.2.18 or above)

richgalloway
SplunkTrust

The security advisory at https://advisory.splunk.com/advisories/SVD-2022-1113 says the vulnerability is patched in 9.0.2 even though the KVStore version is 4.2.17.

FTR, Splunk 9.0.4.1 is available.

You can see what version of MongoDB you have with the command 

splunk show kvstore-status --verbose

I'm not aware of documentation that says what version of MongoDB is in any given version of Splunk.

I don't know if Splunk makes 4.2.18 available, but you can try getting it using the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/MigrateKVstore

---
If this reply helps you, Karma would be appreciated.

Badger1874
Engager

Thanks for the reply. That's some really useful information. 

Unfortunately I don't have access to the machines themselves (VERY locked down environment), only the Splunk website for running queries. The team that manages the app are the only ones with access and I'm yet to get them to reply. In the meantime it's up to me to make sure this is fixed.

Is there a command I can run (search?) from the web interface to get this info?

Thanks.

richgalloway
SplunkTrust

If you've been tasked with fixing a system you cannot access then you've been set up to fail.

There is a rest endpoint available that returns a lot of information about the KVStore.

| rest /services/server/introspection/kvstore/serverstatus 
| spath input=data 
| table splunk_server storageEngine.name version

FWIW, I'm running Splunk 9.0.4.1 and that query says I have MongoDB version 4.2.19.

---
If this reply helps you, Karma would be appreciated.
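
An added example, not part of the reply above or of Splunk's documentation: the same REST search extended to flag, for each server it returns, whether the reported KVStore version reaches the 4.2.18 minimum stated in the question. The field names mj, mn, pt, kv_num and meets_4_2_18 are made up for this example, and it assumes the version field has the major.minor.patch form quoted in the thread.

```spl
| rest /services/server/introspection/kvstore/serverstatus
| spath input=data
| rex field=version "^(?<mj>\d+)\.(?<mn>\d+)\.(?<pt>\d+)"
| eval kv_num = tonumber(mj)*1000000 + tonumber(mn)*1000 + tonumber(pt)
| eval meets_4_2_18 = case(isnull(kv_num), "unknown", kv_num >= 4002018, "yes", true(), "no")
| table splunk_server storageEngine.name version meets_4_2_18
| sort meets_4_2_18 splunk_server
```

The first reply points out that the advisory lists 9.0.2 as patched while the KVStore version is 4.2.17, so the flag reports the version number against the scanner's threshold rather than settling whether the fix is present.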