Splunk addresses CVE-2024-53247 in Secure Gateway


A critical vulnerability has been discovered in the Splunk Secure Gateway app, affecting various versions of Splunk Enterprise and the Splunk Cloud Platform.

The vulnerability is tracked as CVE-2024-53247 and has a CVSS score of 8.8.

The affected versions include:

  • Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7
  • Splunk Secure Gateway app versions below 3.2.461 and 3.7.13 on the Splunk Cloud Platform

The vulnerability allows a low-privileged user who does not hold the “admin” or “power” Splunk roles to execute arbitrary code on vulnerable systems. The flaw is caused by unsafe deserialization of data, stemming from insecure usage of the jsonpickle Python library. Attackers can exploit it to achieve Remote Code Execution (RCE) without needing elevated privileges.
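A defensive pattern for the class of flaw described above, as an added example (not Splunk's code or its fix): untrusted JSON is parsed as plain data, rejected if it carries jsonpickle-style `py/` type tags, and mapped onto one explicit type. The `DeviceRequest` type, its field names and the sample inputs are hypothetical and constructed for illustration.

```python
import json
from dataclasses import dataclass

# Keys jsonpickle uses to encode Python type information all start with "py/"
# (for example "py/object" and "py/reduce").
TAG_PREFIX = "py/"


class UnsafePayload(ValueError):
    """Raised when untrusted JSON carries jsonpickle type tags or a bad shape."""


def find_type_tags(node, path="$"):
    """Return the JSON paths of every key that looks like a jsonpickle tag."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.startswith(TAG_PREFIX):
                hits.append(child)
            hits.extend(find_type_tags(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_type_tags(value, f"{path}[{i}]"))
    return hits


@dataclass(frozen=True)
class DeviceRequest:  # hypothetical message type, not a Splunk structure
    device_id: str
    action: str


def parse_request(raw: str) -> DeviceRequest:
    """Parse untrusted JSON as plain data; never rebuild arbitrary objects."""
    data = json.loads(raw)  # yields only dict/list/str/number/bool/None
    tags = find_type_tags(data)
    if tags:
        raise UnsafePayload(f"type tags in untrusted input: {tags}")
    if not isinstance(data, dict) or set(data) != {"device_id", "action"}:
        raise UnsafePayload("unexpected fields")
    if not all(isinstance(data[k], str) for k in data):
        raise UnsafePayload("fields must be strings")
    return DeviceRequest(**data)


# Constructed sample inputs (not captured traffic).
GOOD = '{"device_id": "d-17", "action": "register"}'
TAGGED = '{"device_id": "d-17", "action": {"py/object": "example.Thing"}}'
```

The same `find_type_tags` walk can be run over logged request bodies to flag inputs that carry type tags where only plain data is expected.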

Splunk has released patches and updates. It is strongly recommended that users upgrade their Splunk Enterprise installations to versions 9.3.2, 9.2.4, 9.1.7, or higher. For users of the Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances.

As a temporary mitigation measure, users who do not rely on Splunk Mobile, Spacebridge, or Mission Control functionalities can disable or remove the Splunk Secure Gateway app. However, it is important to note that disabling or removing the app may affect the functionality of these features.

This discovery highlights the ongoing need for regular security updates and proactive vulnerability management. Organizations using Splunk Enterprise or Splunk Cloud Platform should review their systems and apply the necessary patches immediately to protect against potential exploits.
