
Splunk has released a slew of security updates to address multiple vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. These vulnerabilities range in severity, with some enabling remote code execution (RCE) and others allowing low-privileged users to access sensitive information.
The high-severity vulnerabilities in this batch are CVE-2024-45731 and CVE-2024-45733, both of which could allow attackers to execute code remotely on vulnerable systems.
- CVE-2024-45731 specifically impacts Windows installations where Splunk Enterprise is installed on a separate disk. By exploiting it, an attacker could write a malicious DLL file to the Windows system root directory, potentially leading to complete system compromise.
- CVE-2024-45733 stems from insecure session storage configuration and affects Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6.
Other vulnerabilities
- CVE-2024-45732 allows low-privileged users to run searches as the “nobody” user within the SplunkDeploymentServerConfig app, potentially exposing restricted data.
- CVE-2024-45734 allows viewing images on the host machine.
- CVE-2024-45735 allows access to sensitive configuration data in the Splunk Secure Gateway app.
- CVE-2024-45736 allows crashing the Splunk daemon.
- CVE-2024-45737 allows manipulating the maintenance mode state of the App Key Value Store.
- CVE-2024-45738 and CVE-2024-45739 enable sensitive information disclosure.
- CVE-2024-45740 and CVE-2024-45741 are cross-site scripting (XSS) vulnerabilities.
Splunk has released updates to address these vulnerabilities and strongly advises all users to upgrade to the latest Splunk Enterprise and Splunk Cloud Platform versions. The company also provides mitigation and workaround strategies for those who cannot immediately update.
For more details, refer to the Splunk Security Advisories.



