Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

RCE CVE-2023-46214

DanAlexander
Communicator
‎11-25-2023 02:54 PM

Hello community,

Can anyone please help me understand if the newest vulnerability can exploit a pure on prem Splunk Enterprise clustered solution?

Can an arbitrary code be pushed remotely via any means?

Splunk documentation and advisory are not very clear and just saying SE but not mentioning anything about 1.5 DTI and non publicity connected SE instance.

Thank you.

Labels (6)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-26-2023 09:26 AM

That vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H, which means it requires network access and credentials to exploit.  If your Splunk is not accessible by outsiders then your vulnerability is lower.  See https://advisory.splunk.com/advisories/SVD-2023-1104 for everything public about the vulnerability.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

DanAlexander
Communicator
‎11-26-2023 01:06 PM

Hi, thanks for the reply @richgalloway 

All you said make sense. 

However, there are few scenarios where this statements might be out of order. Let me justify what I think.

Splunk SE accessible from outside? Do not think any on prem instance is designed to be remote accessable.

Anything can be reached vIa a switch (IP + port). All can of course be configured to restrict Internet to Intranet communication.

Not even considering insiders and how all even read only users handle queries they send to the SE switch URI etc.

I am sure the following will change our perspective of what this may cause if ignored as low severity: https://blog.hrncirik.net/cve-2023-46214-analysis

Attackers, attack as service plus AI capabilities makes it even harder for defenders to defend. We simply do not know what we do not know in most instances before they get announced as Zero days.

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...