Solved: Can you clarify Vulnerability report SPL-144192?

chriswilkes33 · ‎11-30-2017

Vulnerability report SPL-144192 seems to have contradicting data in it. It begins by talking about being vulnerable to this specific thing when running init or control scripts as a root user, but later in the report it mentions some specific conditions you must meet to be vulnerable, the first being run init scripts as non-root user.

Soooo...which is it?

How do I know if I'm vulnerable with such contradictory information?

I don't have enough karma points to post links apparently, even to splunks own web servers, but Ive attempted below to post a link in case it lets me...

splunk.com/view/SP-CAAAP3M#MitigationandUpgrades

harsmarvania57 · ‎12-01-2017

Hi @chriswilkes33,

Before you go through below content, please consider below configuration for Redhat only and I am considering that splunk is running as splunk user, command or configuration might change for different version of OS. 😛

After Splunk version 6.1, splunk changed init script which you created by root user using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user>

So /etc/init.d/splunk script includes command like for start, stop, restart and status

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

However before Splunk version 6.1 when you created /etc/init.d/splunk using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user at that start, stop, restart and status command looke like below

  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

Now whether you are affected or not, you need to check 2 things

If $SPLUNK_HOME/etc/splunk-launch.conf contains SPLUNK_OS_USER=<user> line

And you created init script after splunk version 6.1, using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user, which contains command as below

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

If you satisfy both the condition then you are affected.
Mitigation is you need to change those command to look like this

su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

I hope this clears.

Thanks,
Harshil

View solution in original post

harsmarvania57 · ‎12-01-2017

Hi @chriswilkes33,

Before you go through below content, please consider below configuration for Redhat only and I am considering that splunk is running as splunk user, command or configuration might change for different version of OS. 😛

After Splunk version 6.1, splunk changed init script which you created by root user using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user>

So /etc/init.d/splunk script includes command like for start, stop, restart and status

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

However before Splunk version 6.1 when you created /etc/init.d/splunk using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user at that start, stop, restart and status command looke like below

  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

Now whether you are affected or not, you need to check 2 things

If $SPLUNK_HOME/etc/splunk-launch.conf contains SPLUNK_OS_USER=<user> line

And you created init script after splunk version 6.1, using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user, which contains command as below

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

If you satisfy both the condition then you are affected.
Mitigation is you need to change those command to look like this

su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

I hope this clears.

Thanks,
Harshil

chriswilkes33 · ‎12-04-2017

Thanks for the explanation. Makes sense.

DATEVeG · ‎12-04-2017

Thanks! That sounds reasonable.

Will there be a proper solution by splunk for this problem?

harsmarvania57 · ‎12-04-2017

As of now splunk suggested to update /etc/init.d/splunk as per answer given by me.

Can you clarify Vulnerability report SPL-144192?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation