CVE-2022-32152

Splunk Enterprise lacked TLS cert validation for Splunk-to-Splunk communication by default

Severity Score

7.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation.

Los peers de Splunk Enterprise en Splunk Enterprise versiones anteriores a 9.0 y Splunk Cloud Platform versiones anteriores a 8.2.2203 no comprueban los certificados TLS durante las comunicaciones de Splunk a Splunk por defecto. Las comunicaciones entre pares de Splunk configuradas apropiadamente con certificados válidos no eran vulnerables. Sin embargo, un atacante con credenciales de administrador podía añadir un peer sin un certificado válido y las conexiones desde nodos configurados inapropiadamente sin certificados válidos no fallaban por defecto. Para Splunk Enterprise, actualice a versión 9.0 de Splunk Enterprise y configure la comprobación del nombre de host TLS para las comunicaciones entre Splunk (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) para habilitar la corrección

*Credits: Chris Green at Splunk

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-31 CVE Reserved
2022-06-15 CVE Published
2024-04-30 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-295: Improper Certificate Validation

CAPEC

References (7)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation	2022-06-24
https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates	2022-06-24
https://research.splunk.com/application/splunk_digital_certificates_infrastructure_version	2022-06-24
https://research.splunk.com/application/splunk_digital_certificates_lack_of_encryption	2022-06-24
https://research.splunk.com/application/splunk_protocol_impersonation_weak_encryption_selfsigned	2022-06-24
https://research.splunk.com/network/splunk_identified_ssl_tls_certificates	2022-06-24
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0602.html	2022-06-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Splunk Search vendor "Splunk"		Splunk Search vendor "Splunk" for product "Splunk"				< 9.0 Search vendor "Splunk" for product "Splunk" and version " < 9.0"		enterprise		Affected
Splunk Search vendor "Splunk"		Splunk Cloud Platform Search vendor "Splunk" for product "Splunk Cloud Platform"				< 8.2.2203 Search vendor "Splunk" for product "Splunk Cloud Platform" and version " < 8.2.2203"		-		Affected