Splunk Enterprise Deployment Server Vulnerability Follow-ups

by Abdullah Bin Zubair

Splunk recently announced a couple of vulnerabilities in Splunk Enterprise. The vulnerability in Splunk's widely used Deployment Server is worth a little follow-up now that we have more information and practical experience.

Vendor Security Announcement – https://www.splunk.com/en_us/product-security/announcements/svd-2022-0608.html

After initially releasing some fixes for this issue in the newly released feature update, version 9.0.0, Splunk have now added fixes in 2.6.1 (release notes) and 2.7 (release notes).

This will allow users of recent versions of Splunk v8 to patch their systems without making the move to version 9.0.0.

Note: At the time of writing, 4th July 2022, we are not aware of any active exploitation of this vulnerability.

Our Hands-on Experience

In a recent article, we talked about some of our hands-on experience addressing this vulnerability through a version 9.0.0 upgrade –

Some organisations have run into specific issues in their environments with v9.0. A full and maintained list of the known issues with version 9.0 can be found here.

Organisations planning to address this issue through a full version upgrade would benefit from reviewing this list to ensure they aren’t likely to be affected by any of the already known issues.

Mitigation

It is often the case with security vulnerabilities that mitigating the vulnerability in some way other than upgrading the software (for example, changing configuration or disabling components) is a workable short- to medium-term fix.

If you've yet to apply any of the software updates, one possible solution mentioned in some articles is to disable the deployment server while it is not needed, and re-enable it only for the short periods when it is.

Whilst this does create an administrative burden, it does provide some protection if an exploit emerges rapidly, or is used quietly before it is widely known.
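One way to make that "off unless needed" routine less error-prone, as an added example that is not part of the original post or Splunk's own tooling: a POSIX shell wrapper around the Splunk CLI that enables the deployment server only for a bounded change window and always turns it back off. It assumes the standard `splunk enable|disable|display|reload deploy-server` commands, that `SPLUNK_HOME` and `SPLUNK_AUTH` (user:password) are set by the operator, and that the status text contains the word enabled or disabled (the exact wording is an assumption).

```shell
#!/bin/sh
# Added example, not part of the original post: wrapper for the
# "keep the deployment server off until it is needed" mitigation.
# Assumes the real `splunk enable|disable|display|reload deploy-server`
# CLI commands; SPLUNK_HOME and SPLUNK_AUTH (user:password) are set by
# the operator. Follow any restart instruction the CLI prints.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_BIN="$SPLUNK_HOME/bin/splunk"

# Classify the status text printed by `splunk display deploy-server`.
# The exact wording is an assumption; we key only on enabled/disabled.
# Prints one of: enabled, disabled, unknown.
deploy_server_state() {
  case "$1" in
    *[Dd]isabled*) echo disabled ;;
    *[Ee]nabled*)  echo enabled ;;
    *)             echo unknown ;;
  esac
}

# Query the live instance (only when the CLI is actually installed), so a
# scheduled job can alert if the deployment server was left enabled.
current_state() {
  [ -x "$SPLUNK_BIN" ] || { echo unknown; return 1; }
  deploy_server_state \
    "$("$SPLUNK_BIN" display deploy-server -auth "$SPLUNK_AUTH" 2>&1)"
}

# Enable the deployment server for a bounded change window: run the
# operator's task (e.g. the command that updates an app), keep the window
# open for WINDOW seconds so clients can phone home, then disable it again.
# The subshell trap guarantees the disable step runs even if the task fails.
# Usage: with_deploy_server 900 ./push_app_update.sh
with_deploy_server() {
  window="$1"; shift
  (
    trap '"$SPLUNK_BIN" disable deploy-server -auth "$SPLUNK_AUTH"' EXIT
    "$SPLUNK_BIN" enable deploy-server -auth "$SPLUNK_AUTH" || exit 1
    "$SPLUNK_BIN" reload deploy-server -auth "$SPLUNK_AUTH" || exit 1
    [ $# -eq 0 ] || "$@" || exit 1
    sleep "$window"
  )
}
```

Pair `current_state` with a cron job or monitoring check so that an instance found `enabled` outside a change window raises an alert rather than going unnoticed.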
