Splunk Enterprise

Is Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) affected by CVE-2024-7264?

StephenD1
Path Finder

I have Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) installed. 

My security team flagged a possible vuln on /opt/splunk/opt/mongo/lib/libcurl.so.4.8.0 related to CVE-2024-7264, which apparently affects libcurl versions between 7.32.0 and prior to 8.9.1. I ran both of the following commands

```
splunk cmd curl --version
splunk cmd mongod --version
```

and confirmed the libcurl version is affected. The relevant results were:

Curl:

```
curl 7.61.1 ... libcurl/7.61.1 ...
```

Mongod:

```
mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod)
mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod)
mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod)
mongod: /opt/splunk/lib/libssl.so.10: no version information available (required by mongod)
db version v7.0.14
Build Info: {
    "version": "7.0.14",
    ...
}
```

How do I go about disabling Mongod (if possible)?

Alternatively, is there any info on whether this will be addressed in a future update or if this is relevant at all for Splunk Enterprise?
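A small check that does what the question describes by hand: read the libcurl release out of `splunk cmd curl --version` output and test it against the affected range. This is an added example, not code from the thread or from Splunk; the range 7.32.0 <= v < 8.9.1 is the one stated in the question, and the sample output is constructed. The only caveat it encodes is that the `4.8.0` in `libcurl.so.4.8.0` is the library's SONAME/ABI version, not the release number, so the release has to be read from `curl --version` (or from the package that shipped the library), which is why the question's approach is the right one.

```python
"""Check whether a curl/libcurl build falls in the CVE-2024-7264 range.

Added example (not from the original thread). The range 7.32.0 <= v < 8.9.1
comes from the question; the sample output below is constructed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (7, 32, 0)   # first affected release (inclusive)
FIXED_AT: Version = (8, 9, 1)        # first fixed release (exclusive bound)

# Constructed sample of `splunk cmd curl --version` output. A real box prints
# more feature lines, but only the first line carries the libcurl release.
SAMPLE_CURL_OUTPUT = """\
curl 7.61.1 (x86_64-pc-linux-gnu) libcurl/7.61.1 OpenSSL/1.0.2k zlib/1.2.11
Release-Date: 2018-09-05
Protocols: dict file ftp ftps http https
Features: AsynchDNS IPv6 Largefile NTLM SSL libz
"""

# The linked library is reported as libcurl/<release>; the curl binary's own
# version (first token on the line) can differ from it, so match the
# libcurl/ token only. Note that a file name such as libcurl.so.4.8.0 carries
# the SONAME/ABI version, not the release, and cannot be used for this test.
LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse a dotted X.Y.Z string (a missing component counts as 0)."""
    nums = [int(p) for p in text.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def parse_libcurl_version(curl_version_output: str) -> Optional[Version]:
    """Return the libcurl release advertised by `curl --version`, or None."""
    m = LIBCURL_RE.search(curl_version_output)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Version) -> bool:
    """True when 7.32.0 <= version < 8.9.1 (the range given in the question)."""
    return AFFECTED_MIN <= version < FIXED_AT


def assess(curl_version_output: str) -> dict:
    """Summarise the check for one host's `curl --version` output."""
    version = parse_libcurl_version(curl_version_output)
    if version is None:
        # Output with no libcurl/ token (e.g. only loader warnings): report
        # 'unknown' rather than silently treating the host as clean.
        return {"libcurl": None, "affected": None, "reason": "no libcurl/ token found"}
    return {
        "libcurl": ".".join(map(str, version)),
        "affected": is_affected(version),
        "reason": "range %s <= v < %s" % (
            ".".join(map(str, AFFECTED_MIN)), ".".join(map(str, FIXED_AT))),
    }


if __name__ == "__main__":
    # On a real host: splunk cmd curl --version | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CURL_OUTPUT
    print(assess(text))
```

The boundaries are the part worth getting right: 7.32.0 is affected, 8.9.1 is the first clean release, and a host whose `curl --version` output yields no `libcurl/` token is reported as unknown rather than as not affected.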

1 Solution

asimit
Path Finder

Hi @StephenD1 ,


Yes, Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) is affected by CVE-2024-7264. This vulnerability affects libcurl versions between 7.32.0 and prior to 8.9.1, and as you confirmed, your installation includes libcurl 7.61.1, which falls within this range.

## Official Fix
According to the latest information:
- The Splunk fix is identified as SPL-270280
- The fix has been included in Splunk Enterprise 9.4.2
- The fix has also been backported to supported older versions: 9.3.4, 9.2.6, and 9.1.9

## Recommended Actions

### Option 1: Upgrade to a Patched Version
The most comprehensive solution is to upgrade to one of the fixed versions:
- Splunk Enterprise 9.4.2 (preferred for your current version)
- Or one of the other patched versions (9.3.4, 9.2.6, or 9.1.9)

### Option 2: Disable KVStore (MongoDB) Temporarily
If you cannot upgrade immediately, you can consider disabling the KVStore service, which uses MongoDB:

1. Check if any critical apps depend on KVStore:
```
splunk list kvstore -collections
```

2. Disable KVStore:
```
splunk disable kvstore
splunk restart
```

3. Verify MongoDB is no longer running:
```
ps -ef | grep mongo
```

Note that disabling KVStore will impact any apps that rely on it, including:
- Enterprise Security
- ITSI
- Splunk App for Infrastructure
- Some custom apps that use KVStore collections

### Option 3: Mitigate Risk Through Network Controls
If you can't upgrade or disable KVStore:
- Ensure MongoDB is properly configured to only listen on localhost
- Implement additional network controls to restrict access to the MongoDB port (typically 8191)
- Monitor for potential exploitation attempts

## Additional Information
You can find more details in the Splunk article regarding this vulnerability:
https://splunk.my.site.com/customer/s/article/Splunk-vulnerability-libcurl-7-32-0-8-9-1-DoS-CVE-2024...

The CVE-2024-7264 is a denial-of-service vulnerability in libcurl that could allow a malicious server to cause a denial of service by sending specially crafted responses that trigger excessive memory consumption.

## Long-term Recommendation
For a more permanent solution, plan to upgrade to the patched version as soon as your change management process allows. This is especially important if you have internet-facing Splunk components that might be vulnerable to this exploitation vector.

Please give 👍 for support 😁 happy splunking .... 😎

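Two checks that go with the answer above, added here as an example and not taken from the thread or from Splunk. The first encodes the fixed releases the answer lists for SPL-270280 (9.4.2, 9.3.4, 9.2.6, 9.1.9) and reports whether an installed version is at or past the fix for its minor line. The second is the verification behind Option 3: it parses `ss -ltnp` output and flags any mongod listener that is bound to something other than loopback. The port 8191 and the loopback expectation come from the answer; the `ss` output is a constructed sample in the default iproute2 column layout, not a capture from a real host.

```python
"""Triage helpers for the upgrade and network-control options in the answer.

Added example (not from the original thread or from Splunk). Fixed versions
and the port 8191 / loopback expectation come from the answer; the `ss`
output below is a constructed sample.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release per minor line, as listed in the answer (SPL-270280).
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (9, 4): (9, 4, 2),
    (9, 3): (9, 3, 4),
    (9, 2): (9, 2, 6),
    (9, 1): (9, 1, 9),
}


def parse_version(text: str) -> Version:
    """Parse a dotted X.Y.Z string (a missing component counts as 0)."""
    nums = [int(p) for p in text.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def splunk_fix_status(version_text: str) -> str:
    """'patched', 'upgrade to X.Y.Z', or 'unknown' when the minor line is not listed."""
    v = parse_version(version_text)
    target = FIXED_VERSIONS.get((v[0], v[1]))
    if target is None:
        return "unknown"
    if v >= target:
        return "patched"
    return "upgrade to " + ".".join(map(str, target))


# Constructed `ss -ltnp` sample: mongod on loopback only (the expected state),
# splunkd management port on all interfaces.
SS_SAMPLE_OK = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:8191      0.0.0.0:*          users:(("mongod",pid=4242,fd=10))
LISTEN  0       128     [::1]:8191          [::]:*             users:(("mongod",pid=4242,fd=11))
LISTEN  0       128     0.0.0.0:8089        0.0.0.0:*          users:(("splunkd",pid=4100,fd=5))
"""

# Same host, but mongod exposed on every interface: the case Option 3 should catch.
SS_SAMPLE_EXPOSED = SS_SAMPLE_OK.replace("127.0.0.1:8191", "0.0.0.0:8191")

LOOPBACK = {"127.0.0.1", "::1"}
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def split_addr(local: str) -> Tuple[str, int]:
    """'127.0.0.1:8191' -> ('127.0.0.1', 8191); '[::1]:8191' -> ('::1', 8191)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def audit_mongod_listeners(ss_output: str, process: str = "mongod") -> List[dict]:
    """One record per listening socket owned by `process`, with a loopback flag."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue  # header or non-listening row
        m = PROCESS_RE.search(line)
        if m is None or m.group(1) != process:
            continue
        host, port = split_addr(cols[3])  # Local Address:Port column
        findings.append({"addr": host, "port": port, "loopback": host in LOOPBACK})
    return findings


def exposed_listeners(ss_output: str) -> List[str]:
    """'addr:port' for every mongod socket not bound to a loopback address."""
    return ["%s:%d" % (f["addr"], f["port"])
            for f in audit_mongod_listeners(ss_output) if not f["loopback"]]


if __name__ == "__main__":
    # On a real host: ss -ltnp | python3 this_script.py   (run as a user that can see mongod's PID)
    import sys
    print("9.4.0:", splunk_fix_status("9.4.0"))
    text = sys.stdin.read() if not sys.stdin.isatty() else SS_SAMPLE_EXPOSED
    print("exposed mongod listeners:", exposed_listeners(text))
```

Running the listener check as a user that cannot see mongod's process information yields no `users:(...)` column and therefore no findings, so an empty result only means "nothing exposed" when the audit also returned the expected loopback sockets.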


jrubio
Engager

Was there any answer to this? I have the same CVE pop up on my scan and want to find a fix/workaround for it. thanks!


bendeloitte
New Member

The Splunk fix is known as SPL-270280. A fix has been included in the latest version 9.4.2 and backported to supported versions of older releases 9.3.4, 9.2.6 and 9.1.9.

https://splunk.my.site.com/customer/s/article/Splunk-vulnerability-libcurl-7-32-0-8-9-1-DoS-CVE-2024...
