Solved: Is Splunk UF vulnerable to SVD-2022-0502 ??

gordo32 · ‎05-03-2022

The advisory (https://www.splunk.com/en_us/product-security/announcements/svd-2022-0502.html) talks about Splunk Enterprise, but makes no mention of the Universal forwarder.

Since UF has many of the same API features as Enteprise, and I do see verboseLoginFailMsg = true when running the btool utility, my assumption is that the UF is also vulnerable.

Can someone confirm:

1. If my assumption is correct

2. If the same mitigation can be performed (so we can use deployment server to resolve)

3. Which version of UF is not vulnerable.

Thanks,

Gord T.

richgalloway · ‎05-03-2022

Seeing a setting in btool output does not mean that setting applies to the local instance. Btool merely shows what is in the local .conf files. UFs will ignore settings that don't apply to it.

This vulnerability doesn't apply to the admin role, and since a UF typically only has the admin user defined, the cited vulnerability doesn't apply.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-03-2022

Seeing a setting in btool output does not mean that setting applies to the local instance. Btool merely shows what is in the local .conf files. UFs will ignore settings that don't apply to it.

This vulnerability doesn't apply to the admin role, and since a UF typically only has the admin user defined, the cited vulnerability doesn't apply.

---
If this reply helps you, Karma would be appreciated.

Is Splunk UF vulnerable to SVD-2022-0502 ??

authentication

login

Changes to Splunk Instructor-Led Training Completion Criteria

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3