Installation

Why is update to 9.0.3 still showing the vulnerability CVE-2021-32036?

Badger1874
Engager

The company's Splunk Enterprise was recently updated to 9.0.3, but this is still showing the vulnerability CVE-2021-32036 due to 9.0.3 installing MongoDB 4.2.17. At least this is the assumption. Is there any documentation anywhere that can confirm what version of MongoDB is packaged and installed with Splunk Enterprise 9.0.3 and above? What version of Splunk Enterprise would be needed to mitigate this issue? (MongoDB must be version 4.2.18 or above.)


richgalloway
SplunkTrust

The security advisory at https://advisory.splunk.com/advisories/SVD-2022-1113 says the vulnerability is patched in 9.0.2 even though the KVStore version is 4.2.17.

FTR, Splunk 9.0.4.1 is available.

You can see what version of MongoDB you have with the command

splunk show kvstore-status --verbose

I'm not aware of documentation that says what version of MongoDB is in any given version of Splunk.

I don't know if Splunk makes 4.2.18 available, but you can try getting it using the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/MigrateKVstore

---
If this reply helps you, Karma would be appreciated.

Badger1874
Engager

Thanks for the reply. That's some really useful information.

Unfortunately I don't have access to the machines themselves (VERY locked down environment), only the Splunk website for running queries. The team that manages the app is the only one with access and I'm yet to get them to reply. In the meantime it's up to me to make sure this is fixed.

Is there a command I can run (search?) from the web interface to get this info?

Thanks.


richgalloway
SplunkTrust

If you've been tasked with fixing a system you cannot access then you've been set up to fail.

There is a rest endpoint available that returns a lot of information about the KVStore.

| rest /services/server/introspection/kvstore/serverstatus 
| spath input=data 
| table splunk_server storageEngine.name version

FWIW, I'm running Splunk 9.0.4.1 and that query says I have MongoDB version 4.2.19.

---
If this reply helps you, Karma would be appreciated.
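The REST answer above returns one entry per search head, with the KV store's MongoDB status embedded as a JSON string in a `data` field (which is why the SPL pipes it through `spath input=data`). The same check can be automated outside the search bar, for example as part of a vulnerability-management script that reads the endpoint over the REST API and compares the reported version against the 4.2.18 floor for CVE-2021-32036. The script below is an added example, not code from the thread or from Splunk; the sample response body and the exact field layout (`entry[].name`, `entry[].content.data`) are assumptions modelled on the fields the SPL query selects, and the `fetch_serverstatus` helper assumes the endpoint accepts a standard Splunk bearer token.

```python
import json
import urllib.request

# Minimum KV store (MongoDB) version that the poster says resolves CVE-2021-32036.
MIN_SAFE_VERSION = "4.2.18"

# Constructed sample of a serverstatus response as returned with output_mode=json.
# Field names are an assumption for this example; the real response carries more data.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "sh-01", "content": {"data": json.dumps(
            {"version": "4.2.17", "storageEngine": {"name": "wiredTiger"}})}},
        {"name": "sh-02", "content": {"data": json.dumps(
            {"version": "4.2.19", "storageEngine": {"name": "wiredTiger"}})}},
    ]
})


def parse_version(version):
    """Turn '4.2.19' (or '4.2.19-rc0') into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def kvstore_versions(raw_body):
    """Map each server in the serverstatus body to (mongo_version, storage_engine).

    content.data is itself a JSON document serialised as a string, so it is
    decoded a second time, mirroring what `spath input=data` does in SPL.
    """
    doc = json.loads(raw_body)
    versions = {}
    for entry in doc.get("entry", []):
        data = json.loads(entry["content"]["data"])
        engine = data.get("storageEngine", {}).get("name")
        versions[entry["name"]] = (data["version"], engine)
    return versions


def audit_kvstore(raw_body, minimum=MIN_SAFE_VERSION):
    """Return [(server, version, meets_minimum)] sorted by server name."""
    floor = parse_version(minimum)
    results = []
    for server, (version, _engine) in sorted(kvstore_versions(raw_body).items()):
        results.append((server, version, parse_version(version) >= floor))
    return results


def fetch_serverstatus(base_url, token, timeout=10):
    """Read the live endpoint with a bearer token (hypothetical usage; not run here)."""
    url = base_url.rstrip("/") + "/services/server/introspection/kvstore/serverstatus?output_mode=json"
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_serverstatus(...) for a live host.
    for server, version, ok in audit_kvstore(SAMPLE_RESPONSE):
        print(f"{server}: MongoDB {version} -> {'OK' if ok else 'BELOW ' + MIN_SAFE_VERSION}")
```

Note that the comparison is numeric per component, so a future 4.10.x release will not be mis-ordered against 4.2.x the way a plain string comparison would.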