07 Dec, 2023

PoC Released for Splunk Enterprise RCE Flaw

A proof of concept (PoC) exploit has been publicly disclosed for a high severity flaw that could lead to remote code execution in Splunk Enterprise (CVE-2023-46214).

Users are encouraged to quickly apply any patches or workarounds provided.

About CVE-2023-46214

Splunk Enterprise is a data analysis and visualization platform. It is used to extract useful information from large data sets, typically by indexing and querying log files, event logs, text files and other data sources to generate insights that improve IT operations, security monitoring and similar tasks.

CVE-2023-46214 stems from Splunk Enterprise failing to safely sanitize user-supplied Extensible Stylesheet Language Transformations (XSLT) documents.

“This means an attacker could install malicious XSLT on a Splunk Enterprise instance that could cause remote code execution,” the company said.

According to the advisory, CVE-2023-46214 affects Splunk Enterprise versions 9.0.0 through 9.0.6 and 9.1.0 through 9.1.1. This also affects Splunk v8.x, which is no longer supported, says Bojan Zdrnja, IT security expert and SANS ISC lead.

Splunk Cloud versions below 9.1.2308 are also affected. “Splunk is actively monitoring and patching Splunk Cloud Platform instances,” the company added.

CVE-2023-46214 PoC and Mitigation

A vulnerability researcher has published a detailed analysis of CVE-2023-46214 and compiled the steps required for exploitation into a Python script. If certain prerequisites are met, the script should open a remote command prompt.

The attack can be performed remotely but requires prior authentication (knowledge of valid credentials) and some user interaction.

Administrators are advised to upgrade their instances to version 9.0.7 or 9.1.2, or, if unable to upgrade, to limit the ability of search job requests to accept Extensible Stylesheet Language (XSL) as valid input by changing the web.conf configuration file.

“For earlier versions of Splunk Enterprise, review the web.conf specification for availability of the activeSearchJobXslt setting,” Splunk advised.
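As an added illustration of the advice above (this is not code from the article or from Splunk), the following check classifies an instance as patched, mitigated or exposed from its reported version and its web.conf contents. It assumes, since the article does not say, that activeSearchJobXslt lives in the [settings] stanza and that setting it to false applies the workaround; the web.conf fragment is constructed for the demonstration.

```python
"""Defender-side exposure check for CVE-2023-46214 (added example, not Splunk's code).

Assumptions not stated in the article: the workaround setting is read from the
[settings] stanza of web.conf and is considered applied when its value is false/0.
"""
import configparser
import io
from typing import Tuple

# Affected Splunk Enterprise ranges named in the advisory (inclusive).
AFFECTED_RANGES = [((9, 0, 0), (9, 0, 6)), ((9, 1, 0), (9, 1, 1))]
FIXED_VERSIONS = {(9, 0, 7), (9, 1, 2)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.6' into (9, 0, 6); pad short versions and drop a build suffix."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True for an affected 9.0.x/9.1.x release or any unsupported 8.x release."""
    v = parse_version(version)
    if v[0] == 8:  # 8.x is out of support and, per the article, also affected
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def xslt_jobs_disabled(web_conf_text: str) -> bool:
    """True if web.conf disables activeSearchJobXslt (assumed stanza and value)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(web_conf_text))
    if not cp.has_section("settings"):
        return False
    value = cp.get("settings", "activeSearchJobXslt", fallback="true")
    return value.strip().lower() in ("false", "0")


def assess(version: str, web_conf_text: str) -> str:
    """Classify an instance as 'patched', 'not-affected', 'mitigated' or 'exposed'."""
    if not is_affected_version(version):
        return "patched" if parse_version(version) in FIXED_VERSIONS else "not-affected"
    return "mitigated" if xslt_jobs_disabled(web_conf_text) else "exposed"


# Constructed sample web.conf fragment with the workaround applied.
SAMPLE_WEB_CONF = "[settings]\nhttpport = 8000\nactiveSearchJobXslt = false\n"

if __name__ == "__main__":
    for ver in ("9.0.6", "9.1.2", "8.2.9"):
        print(ver, assess(ver, SAMPLE_WEB_CONF))
```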
