The company's Splunk Enterprise was recently updated to 9.0.3, but this is still showing the vulnerability CVE-2021-32036 due to 9.0.3 installing MongoDB 4.2.17. At least this is the assumption. Is there any documentation anywhere that can confirm what version of MongoDB is packaged and installed with Splunk Enterprise 9.0.3 and above? What version of Splunk Enterprise would be needed to mitigate this issue? (MongoDB must be version 4.2.18 or above)
The security advisory at https://advisory.splunk.com/advisories/SVD-2022-1113 says the vulnerability is patched in 9.0.2 even though the KVStore version is 4.2.17.
FTR, Splunk 9.0.4.1 is available.
You can see what version of MongoDB you have with the command
splunk show kvstore-status --verbose
I'm not aware of documentation that says what version of MongoDB is in any given version of Splunk.
I don't know if Splunk makes 4.2.18 available, but you can try getting it using the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/MigrateKVstore
Thanks for the reply. That's some really useful information.
Unfortunately I don't have access to the machines themselves (VERY locked down environment), only the Splunk website for running queries. The team that manages the app are the only ones with access and I'm yet to get them to reply. In the meantime it's up to me to make sure this is fixed.
Is there a command I can run (search?) from the web interface to get this info?
Thanks.
If you've been tasked with fixing a system you cannot access then you've been set up to fail.
There is a rest endpoint available that returns a lot of information about the KVStore.
| rest /services/server/introspection/kvstore/serverstatus
| spath input=data
| table splunk_server storageEngine.name version
FWIW, I'm running Splunk 9.0.4.1 and that query says I have MongoDB version 4.2.19.
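The SPL query above does the version lookup inside Splunk. For anyone who has REST access but wants the same check scripted (for example to run it across several search heads and flag anything below the 4.2.18 floor stated in the question), here is an added Python example. It is not code from any poster in this thread or from Splunk. It assumes the endpoint is called with `output_mode=json`, so that each entry's `content.data` is a JSON string carrying `version` and `storageEngine` (the same field the query's `spath input=data` unpacks); the sample response embedded below is constructed for the example, and the bearer-token fetch helper is an assumption about how you would authenticate.

```python
"""Check the KV Store (MongoDB) version reported by Splunk's introspection endpoint.

Added example, not from the thread above. Assumes
/services/server/introspection/kvstore/serverstatus is queried with
output_mode=json and that each entry's content.data is a JSON string with
"version" and "storageEngine" (the field the thread's SPL query unpacks).
"""
import json
import re
from typing import Dict, List, Tuple
from urllib.request import Request, urlopen

# Floor stated in the question: MongoDB must be 4.2.18 or above.
MIN_KVSTORE_VERSION = "4.2.18"

# Constructed sample response (shape assumed, values made up) so the script runs offline.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {
            "name": "serverstatus",
            "content": {
                "data": json.dumps({
                    "version": "4.2.17",
                    "storageEngine": {"name": "wiredTiger"},
                    "uptime": 86400,
                }),
            },
        }
    ]
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.2.17' (or '4.2.17-rc0') into (4, 2, 17) so tuples compare numerically."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at a non-numeric component such as 'rc0'
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(parts)


def parse_serverstatus(response_text: str) -> List[Dict[str, str]]:
    """Extract version and storage engine from each entry's embedded JSON 'data' field."""
    body = json.loads(response_text)
    results: List[Dict[str, str]] = []
    for entry in body.get("entry", []):
        data_field = entry.get("content", {}).get("data")
        if not data_field:
            continue  # entry without KV Store data; nothing to report
        data = json.loads(data_field) if isinstance(data_field, str) else data_field
        results.append({
            "version": str(data.get("version", "")),
            "storage_engine": data.get("storageEngine", {}).get("name", ""),
        })
    return results


def meets_minimum(version: str, minimum: str = MIN_KVSTORE_VERSION) -> bool:
    """True when the reported MongoDB version is at or above the required floor."""
    return parse_version(version) >= parse_version(minimum)


def assess(response_text: str, minimum: str = MIN_KVSTORE_VERSION) -> List[Dict[str, object]]:
    """Annotate every reported KV Store instance with a compliant flag."""
    return [
        {**row, "compliant": meets_minimum(row["version"], minimum)}
        for row in parse_serverstatus(response_text)
    ]


def fetch_serverstatus(base_url: str, token: str) -> str:
    """Pull the endpoint live. Assumes a Splunk authentication token (Bearer scheme)
    and a management port such as https://host:8089; self-signed certificates
    will need a proper CA bundle or an SSL context of your own."""
    req = Request(
        f"{base_url}/services/server/introspection/kvstore/serverstatus?output_mode=json",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_serverstatus(...) for a live host.
    for row in assess(SAMPLE_RESPONSE):
        status = "OK" if row["compliant"] else "BELOW MINIMUM"
        print(f"{row['storage_engine']} {row['version']}: {status}")
```

Note that the version comparison is a floor check only: as the advisory link earlier in the thread points out, Splunk records the fix as shipped in 9.0.2 even with KV Store 4.2.17, so treat a "BELOW MINIMUM" result as a prompt to reconcile with the vendor advisory rather than as proof of exposure.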