Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

RCE CVE-2023-46214

DanAlexander
Communicator
‎11-25-2023 02:54 PM

Hello community,

Can anyone please help me understand if the newest vulnerability can exploit a pure on prem Splunk Enterprise clustered solution?

Can an arbitrary code be pushed remotely via any means?

Splunk documentation and advisory are not very clear and just saying SE but not mentioning anything about 1.5 DTI and non publicity connected SE instance.

Thank you.

Labels (6)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-26-2023 09:26 AM

That vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H, which means it requires network access and credentials to exploit.  If your Splunk is not accessible by outsiders then your vulnerability is lower.  See https://advisory.splunk.com/advisories/SVD-2023-1104 for everything public about the vulnerability.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

DanAlexander
Communicator
‎11-26-2023 01:06 PM

Hi, thanks for the reply @richgalloway 

All you said make sense. 

However, there are few scenarios where this statements might be out of order. Let me justify what I think.

Splunk SE accessible from outside? Do not think any on prem instance is designed to be remote accessable.

Anything can be reached vIa a switch (IP + port). All can of course be configured to restrict Internet to Intranet communication.

Not even considering insiders and how all even read only users handle queries they send to the SE switch URI etc.

I am sure the following will change our perspective of what this may cause if ignored as low severity: https://blog.hrncirik.net/cve-2023-46214-analysis

Attackers, attack as service plus AI capabilities makes it even harder for defenders to defend. We simply do not know what we do not know in most instances before they get announced as Zero days.

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...