Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

RCE CVE-2023-46214

DanAlexander
Communicator
‎11-25-2023 02:54 PM

Hello community,

Can anyone please help me understand if the newest vulnerability can exploit a pure on prem Splunk Enterprise clustered solution?

Can an arbitrary code be pushed remotely via any means?

Splunk documentation and advisory are not very clear and just saying SE but not mentioning anything about 1.5 DTI and non publicity connected SE instance.

Thank you.

Labels (6)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-26-2023 09:26 AM

That vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H, which means it requires network access and credentials to exploit.  If your Splunk is not accessible by outsiders then your vulnerability is lower.  See https://advisory.splunk.com/advisories/SVD-2023-1104 for everything public about the vulnerability.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

DanAlexander
Communicator
‎11-26-2023 01:06 PM

Hi, thanks for the reply @richgalloway 

All you said make sense. 

However, there are few scenarios where this statements might be out of order. Let me justify what I think.

Splunk SE accessible from outside? Do not think any on prem instance is designed to be remote accessable.

Anything can be reached vIa a switch (IP + port). All can of course be configured to restrict Internet to Intranet communication.

Not even considering insiders and how all even read only users handle queries they send to the SE switch URI etc.

I am sure the following will change our perspective of what this may cause if ignored as low severity: https://blog.hrncirik.net/cve-2023-46214-analysis

Attackers, attack as service plus AI capabilities makes it even harder for defenders to defend. We simply do not know what we do not know in most instances before they get announced as Zero days.

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...