Splunk Enterprise

Is Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) affected by CVE-2024-7264?

StephenD1
Path Finder

I have Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) installed. 

My security team flagged a possible vuln on /opt/splunk/opt/mongo/lib/libcurl.so.4.8.0 related to CVE-2024-7264, which apparently affects libcurl versions between 7.32.0 and prior to 8.9.1. I ran both of the following commands

```
splunk cmd curl --version

splunk cmd mongodb --version
```

and confirmed the libcurl version is affected. The relevant results were:

Curl:

```
curl 7.61.1 ... libcurl/7.61.1 ...
```

Mongod:

```
mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod)
mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod)
mongod: /opt/splunk/lib/libcrypto.so.10: no version information available (required by mongod)
mongod: /opt/splunk/lib/libssl.so.10: no version information available (required by mongod)
db version v7.0.14
Build Info: {
    "version": "7.0.14",
    ...
}
```

How do I go about disabling Mongod (if possible)?

Alternatively, is there any info on whether this will be addressed in a future update or if this is relevant at all for Splunk Enterprise?

0 Karma
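The version check the poster did by hand, as an added example that is not part of the thread or of Splunk's tooling: it extracts the `libcurl/X.Y.Z` token from `curl --version` output and tests it against the range the thread names for CVE-2024-7264 (7.32.0 inclusive to 8.9.1 exclusive). The sample output string is constructed after the poster's result, the `SPLUNK_HOME` default of `/opt/splunk` is an assumption, and all function names are mine.

```shell
#!/bin/sh
# Added example (not from the post or from Splunk): decide whether the libcurl
# version that `splunk cmd curl --version` reports falls inside the range the
# thread names for CVE-2024-7264, 7.32.0 <= version < 8.9.1.

# Constructed sample output, modelled on the poster's "curl 7.61.1 ... libcurl/7.61.1 ..." line.
SAMPLE_CURL_OUTPUT='curl 7.61.1 (x86_64-pc-linux-gnu) libcurl/7.61.1 OpenSSL/1.0.2k zlib/1.2.7'

# Pull the X.Y.Z part of the first "libcurl/X.Y.Z" token out of curl --version output.
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Turn a dotted version such as 7.61.1 into an integer key (7061001) so that
# plain numeric comparison orders versions correctly, including 8.10.x > 8.9.x.
verkey() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# Exit 0 if the libcurl version found in "$1" is in [7.32.0, 8.9.1), 1 if it is
# outside that range, 2 if no libcurl version token could be found at all.
cve_2024_7264_affected() {
    v=$(libcurl_version "$1")
    [ -n "$v" ] || return 2
    k=$(verkey "$v")
    [ "$k" -ge "$(verkey 7.32.0)" ] && [ "$k" -lt "$(verkey 8.9.1)" ]
}

# Run the check against a live installation when the splunk binary is present
# (SPLUNK_HOME defaults to /opt/splunk, an assumption), else against the sample.
report() {
    splunk_bin="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
    if [ -x "$splunk_bin" ]; then
        out=$("$splunk_bin" cmd curl --version 2>/dev/null)
    else
        out="$SAMPLE_CURL_OUTPUT"
    fi
    v=$(libcurl_version "$out")
    rc=0
    cve_2024_7264_affected "$out" || rc=$?
    case $rc in
        0) echo "libcurl $v is inside the CVE-2024-7264 range; plan the upgrade" ;;
        1) echo "libcurl $v is outside the affected range" ;;
        *) echo "could not find a libcurl version in: $out" ;;
    esac
}

report
```

The key-based comparison matters because a naive string compare would rank 8.10.1 below 8.9.1; bundled libraries in a product tree can also differ from the distribution's curl, so point the check at the `splunk cmd curl` wrapper rather than at whatever `curl` is first in `PATH`.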
1 Solution

asimit
Path Finder

Hi @StephenD1 ,


Yes, Splunk Enterprise 9.4.0 (build 6b4ebe426ca6) is affected by CVE-2024-7264. This vulnerability affects libcurl versions between 7.32.0 and prior to 8.9.1, and as you confirmed, your installation includes libcurl 7.61.1, which falls within this range.

## Official Fix
According to the latest information:
- The Splunk fix is identified as SPL-270280
- The fix has been included in Splunk Enterprise 9.4.2
- The fix has also been backported to supported older versions: 9.3.4, 9.2.6, and 9.1.9

## Recommended Actions

### Option 1: Upgrade to a Patched Version
The most comprehensive solution is to upgrade to one of the fixed versions:
- Splunk Enterprise 9.4.2 (preferred for your current version)
- Or one of the other patched versions (9.3.4, 9.2.6, or 9.1.9)

### Option 2: Disable KVStore (MongoDB) Temporarily
If you cannot upgrade immediately, you can consider disabling the KVStore service, which uses MongoDB:

1. Check if any critical apps depend on KVStore:
```
splunk list kvstore -collections
```

2. Disable KVStore:
```
splunk disable kvstore
splunk restart
```

3. Verify MongoDB is no longer running:
```
ps -ef | grep mongo
```

Note that disabling KVStore will impact any apps that rely on it, including:
- Enterprise Security
- ITSI
- Splunk App for Infrastructure
- Some custom apps that use KVStore collections

### Option 3: Mitigate Risk Through Network Controls
If you can't upgrade or disable KVStore:
- Ensure MongoDB is properly configured to only listen on localhost
- Implement additional network controls to restrict access to the MongoDB port (typically 8191)
- Monitor for potential exploitation attempts

## Additional Information
You can find more details in the Splunk article regarding this vulnerability:
https://splunk.my.site.com/customer/s/article/Splunk-vulnerability-libcurl-7-32-0-8-9-1-DoS-CVE-2024...

CVE-2024-7264 is a denial-of-service vulnerability in libcurl that could allow a malicious server to cause a denial of service by sending specially crafted responses that trigger excessive memory consumption.

## Long-term Recommendation
For a more permanent solution, plan to upgrade to the patched version as soon as your change management process allows. This is especially important if you have internet-facing Splunk components that might be vulnerable to this exploitation vector.

Please give 👍 for support 😁 happily splunking .... 😎


0 Karma
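Two checks that follow from Option 2 and Option 3 in the answer above, as an added example that is neither from the thread nor from Splunk: one reads the `[kvstore]` stanza of a `server.conf` text (which `splunk disable kvstore` sets to `disabled = true`) and the other scans `ss -H -ltn` listener lines for the KVStore port bound to a non-loopback address. The `server.conf` fragments and `ss` lines are constructed, the function names are mine, and reading `etc/system/local/server.conf` directly is an assumption (see the note after the block).

```shell
#!/bin/sh
# Added example (not Splunk tooling): audit the state reached by Option 2
# (KVStore disabled) or Option 3 (mongod reachable only on loopback).
# All sample inputs below are constructed for this example.

KVSTORE_PORT=8191   # default KVStore (mongod) port, as named in the answer

# Constructed server.conf fragments.
SAMPLE_CONF_DISABLED='[general]
serverName = idx01

[kvstore]
disabled = true'
SAMPLE_CONF_ENABLED='[kvstore]
disabled = false
port = 8191'

# Constructed `ss -H -ltn` lines (State Recv-Q Send-Q Local-Address Peer-Address).
SAMPLE_SS_LOOPBACK='LISTEN 0 128 127.0.0.1:8191 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:*'
SAMPLE_SS_EXPOSED='LISTEN 0 128 0.0.0.0:8191 0.0.0.0:*
LISTEN 0 128 [::]:8191 [::]:*'

# Exit 0 when the [kvstore] stanza of the given server.conf text says disabled = true.
kvstore_disabled() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_kv = ($0 == "[kvstore]") }
        in_kv && /^[[:space:]]*disabled[[:space:]]*=/ {
            split($0, kv, "="); v = tolower(kv[2]); gsub(/[[:space:]]/, "", v); found = 1
        }
        END { if (found && (v == "true" || v == "1")) exit 0; exit 1 }'
}

# Print each local address on which KVSTORE_PORT is bound to a non-loopback interface.
exposed_kvstore_listeners() {
    printf '%s\n' "$1" | awk -v port="$KVSTORE_PORT" '
        $1 == "LISTEN" {
            n = split($4, p, ":"); addr = $4; sub(":" p[n] "$", "", addr)
            if (p[n] == port && addr != "127.0.0.1" && addr != "[::1]") print addr
        }'
}

# Overall verdict: exit 0 if KVStore is disabled or only bound to loopback, 1 if exposed.
audit_kvstore() {
    conf="$1"; listeners="$2"
    if kvstore_disabled "$conf"; then
        echo "KVStore is disabled in server.conf; mongod should not be running"
        return 0
    fi
    exposed=$(exposed_kvstore_listeners "$listeners")
    if [ -z "$exposed" ]; then
        echo "KVStore enabled; port $KVSTORE_PORT is bound to loopback only"
        return 0
    fi
    echo "KVStore port $KVSTORE_PORT exposed on: $(printf '%s' "$exposed" | tr '\n' ' ')"
    return 1
}

# Stand-alone run over the constructed samples. On a real host you would pass
#   "$(cat "${SPLUNK_HOME:-/opt/splunk}/etc/system/local/server.conf")" "$(ss -H -ltn)"
audit_kvstore "$SAMPLE_CONF_DISABLED" "$SAMPLE_SS_EXPOSED"
audit_kvstore "$SAMPLE_CONF_ENABLED"  "$SAMPLE_SS_LOOPBACK"
audit_kvstore "$SAMPLE_CONF_ENABLED"  "$SAMPLE_SS_EXPOSED" || true
```

Because Splunk layers `default` and `local` copies of `server.conf`, the merged view from `splunk btool server list kvstore` is the authoritative input for `kvstore_disabled`; the `ss` check is the part that actually confirms Option 3, since a stanza saying the store is enabled tells you nothing about which interface mongod ended up bound to.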


jrubio
Engager

Was there any answer to this? I have the same CVE pop up on my scan and want to find a fix/workaround for it. thanks!

0 Karma

bendeloitte
New Member

The Splunk fix is known as SPL-270280. A fix has been included in the latest version, 9.4.2, and backported to supported versions of older releases: 9.3.4, 9.2.6 and 9.1.9.

https://splunk.my.site.com/customer/s/article/Splunk-vulnerability-libcurl-7-32-0-8-9-1-DoS-CVE-2024...

0 Karma