=====================================================================

                                  CERT-Renater

                     Information Note No. 2024/VULN079
_____________________________________________________________________

DATE                : 02/02/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Splunk Add-on Builder versions
                                  prior to 4.1.4.

=====================================================================
https://advisory.splunk.com/advisories/SVD-2024-0110
https://advisory.splunk.com/advisories/SVD-2024-0111
https://advisory.splunk.com/advisories/SVD-2024-0112
_____________________________________________________________________

Session Token Disclosure to Internal Log Files in Splunk Add-on
Builder

Advisory ID: SVD-2024-0110

CVE ID: CVE-2023-46231

Published: 2024-01-30

Last Update: 2024-01-30

CVSSv3.1 Score: 8.8, High

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-532

Bug ID: ADDON-63902


Description

In Splunk Add-on Builder versions below 4.1.4, the application writes
user session tokens to internal log files. The vulnerability requires
either local access to the log files or administrative access to
internal indexes, which by default only the admin role receives.
Review roles and capabilities on your instance and restrict internal
index access to administrator-level roles. See "Define roles on the
Splunk platform with capabilities" for more information.


Solution

To fully remedy the vulnerability, do the following:

     1. Upgrade Splunk Add-on Builder to version 4.1.4 or higher
     2. Delete all Splunk Add-on Builder log files located at
        $SPLUNK_HOME/var/log/splunk/ including the following:
            splunk_app_addon-builder_default_metric_events.log
            splunk_app_addon-builder_ta_builder_validation.log
            splunk_app_addon-builder_ta_builder.log
            splunk_app_addon-builder_validation_engine.log
     3. Delete all Splunk Add-on Builder log file events by running
        the following command:**
            index=_* sourcetype="splunk:tabuilder:log" | delete
     4. Restart Splunk Enterprise*

*Note: Restarting Splunk Enterprise invalidates all session tokens.

**Note: The delete command requires the can_delete role, which
administrators do not receive by default. See "delete" for more
info on the delete search command.

The solution applies to the Splunk Add-on Builder only. Add-ons that
the Splunk Add-on Builder generates are not directly affected
and do not require updating or editing.


Product Status

Product                  Version   Component        Affected Version   Fix Version
Splunk Add-on Builder    -         Add-on Builder   Below 4.1.4        4.1.4


Mitigations and Workarounds

N/A


Severity

Splunk rates this vulnerability as an 8.8, High, with a CVSSv3.1
vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H.

The vulnerability requires either local access to the log files
or administrative access to internal indexes, which by default
only the admin role receives. Review roles and capabilities on
your instance and restrict internal index access to
administrator-level roles. See "Define roles on the Splunk
platform with capabilities" for more information.


Acknowledgments

Vikram Ashtaputre, Splunk

_____________________________________________________________________

Sensitive Information Disclosure to Internal Log Files in Splunk
Add-on Builder

Advisory ID: SVD-2024-0111

CVE ID: CVE-2023-46230

Published: 2024-01-30

Last Update: 2024-01-30

CVSSv3.1 Score: 8.2, High

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L

CWE: CWE-532

Bug ID: ADDON-63640


Description

In Splunk Add-on Builder versions below 4.1.4, the add-on
builder writes sensitive information to internal log files.
When you edit custom app and add-on properties, the app writes
potentially sensitive data to its log files, including the
following:

     Proxy credentials
     Global Account credentials
     User-defined Password fields under Data Input Parameters
     User-defined Password fields under Add-on Setup Parameters

The vulnerability requires either local access to the log files
or administrative access to internal indexes, which by default
only the admin role receives. See "Define roles on the Splunk
platform with capabilities" for more information.

The application logs sensitive values used by custom apps and
add-ons. Within the scope of Add-on Builder, the confidentiality
impact is High. However, the Integrity and Availability rating
reflects a potentially unknown impact. Where possible,
reevaluate the potential impact based on the permissions of
the third-party credentials and passwords you use.


Solution

To fully remedy the vulnerability, do the following:

     1. Upgrade Splunk Add-on Builder to version 4.1.4 or higher
     2. Delete all Splunk Add-on Builder log files located at
        $SPLUNK_HOME/var/log/splunk/ including the following:
            splunk_app_addon-builder_default_metric_events.log
            splunk_app_addon-builder_ta_builder_validation.log
            splunk_app_addon-builder_ta_builder.log
            splunk_app_addon-builder_validation_engine.log
     3. Delete all Splunk Add-on Builder log file events by running
        the following command:*
            index=_* sourcetype="splunk:tabuilder:log" | delete
     4. Restart Splunk Enterprise
     5. Rotate and change all credentials, tokens, and sensitive
        information stored in Data Input Parameters and Add-on Setup
        Parameters for Modular inputs, including the following:
            Proxy credentials
            Global Account credentials
            User-defined Password fields under Data Input Parameters
            User-defined Password fields under Add-on Setup Parameters

*Note: The delete command requires the can_delete role, which
administrators do not receive by default. See "delete" for more
info on the delete search command.

The solution applies to the Splunk Add-on Builder only. Add-ons
that the Splunk Add-on Builder generates are not directly
affected and do not require updating or editing.
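
The file-deletion step shared by the SVD-2024-0110 and SVD-2024-0111 solutions, as an added shell example that is not part of the Splunk advisories: it lists the Add-on Builder log files (dry run by default) and refuses to delete them while a version below 4.1.4 is still installed. The app directory name, the app.conf version lookup, the rotated-file glob and the function names are assumptions; indexed events still need the delete search and the restart listed above.

```shell
#!/bin/sh
# Added example, not Splunk's tooling. Assumptions: the app lives in
# etc/apps/splunk_app_addon-builder, its version is the "version" key of
# default/app.conf, and rotated logs keep the same file-name prefix.
AOB_APP="splunk_app_addon-builder"
FIXED="4.1.4"

# ver_lt A B: succeeds when version A sorts strictly below version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# aob_version SPLUNK_HOME: print the installed Add-on Builder version.
aob_version() {
    sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*//p' \
        "$1/etc/apps/$AOB_APP/default/app.conf" 2>/dev/null |
        head -n 1 | tr -d ' \r'
}

# aob_logs SPLUNK_HOME: list Add-on Builder log files, rotated copies too.
aob_logs() {
    find "$1/var/log/splunk" -maxdepth 1 -type f \
        -name "${AOB_APP}_*.log*" 2>/dev/null | sort
}

# aob_cleanup SPLUNK_HOME [--delete]: dry run unless --delete is given.
# Returns 1 while a vulnerable version is installed (it would write the
# tokens and credentials again), 2 if the app is absent, 3 if files remain.
aob_cleanup() {
    home=$1; mode=${2:-}
    ver=$(aob_version "$home")
    [ -n "$ver" ] || { echo "Add-on Builder not found in $home" >&2; return 2; }
    if ver_lt "$ver" "$FIXED"; then
        echo "installed $ver is below $FIXED: upgrade first" >&2
        return 1
    fi
    if [ "$mode" = "--delete" ]; then
        aob_logs "$home" | while IFS= read -r f; do rm -f -- "$f"; done
        [ -z "$(aob_logs "$home")" ] || return 3
    else
        aob_logs "$home"
    fi
}
```

Run `aob_cleanup "$SPLUNK_HOME"` to review the file list, then repeat with `--delete` once the upgrade is in place.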


Product Status

Product                  Version   Component        Affected Version   Fix Version
Splunk Add-on Builder    -         Add-on Builder   Below 4.1.4        4.1.4


Mitigations and Workarounds

N/A


Severity

Splunk rates this vulnerability as an 8.2, High, with a CVSSv3.1
vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L.

The vulnerability requires either local access to the log files
or administrative access to internal indexes, which by default
only the admin role receives. Review roles and capabilities on
your instance and restrict internal index access to
administrator-level roles. See "Define roles on the Splunk
platform with capabilities" for more information.

The application logs sensitive values used by custom apps and
add-ons. Within the scope of Add-on Builder, the confidentiality
impact is High. However, the Integrity and Availability rating
reflects a potentially unknown impact. Where possible,
reevaluate the potential impact based on the permissions of the
third-party credentials and passwords you use.


Acknowledgments

Vikram Ashtaputre, Splunk
_____________________________________________________________________

Third-Party Package Updates in Splunk Add-on Builder - January 2024

Advisory ID: SVD-2024-0112

CVE ID: Multiple

Published: 2024-01-30

Last Update: 2024-01-30


Description

Splunk remedied common vulnerabilities and exposures (CVEs) in
Third-Party Packages in Splunk Add-on Builder version 4.1.4,
including the following:

Package    Remediation          CVE              Severity
requests   Upgraded to 2.31.0   CVE-2023-32681   Medium
semver     Upgraded to 5.7.2    CVE-2022-25883   High


Solution

For Splunk Add-on Builder, upgrade to version 4.1.4.

Splunk Add-on Builder replicates the requests Python HTTP
library to custom apps and add-ons. After you upgrade
Splunk Add-on Builder, review the following additional
information if you use Add-on Builder to edit custom
apps or add-ons:
     1. Use Add-on Builder to edit and save the affected
        app. See the Add-on Builder documentation for more
        information.
     2. Restart Splunk Enterprise

If the custom app or add-on is also installed on instances
without Add-on Builder, you must package the upgraded custom
app or add-on, then install it on the instances. See "Validate
and Package" and "Package apps" for more information.

For affected apps and add-ons that are already on SplunkBase, as
a third-party developer, you must publish an updated version of
the app or add-on to SplunkBase. For more information, see
"Publish apps for Splunk Cloud Platform or Splunk Enterprise to
Splunkbase". Cloud-vetted apps are subject to the Cloud Vetting
Change Policy.

Note: The Splunk Add-on Builder does not replicate the semver
(Semantic Version parser) library to custom apps and add-ons.
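
To find which custom apps and add-ons still carry a replicated copy of requests older than 2.31.0, here is an added shell example (not from the Splunk advisory) that scans an apps directory. It assumes each copy ships the upstream requests/__version__.py file, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report copies of the requests library bundled inside apps
# and flag those below 2.31.0, the version SVD-2024-0112 upgrades to.
# Assumption: each copy carries requests/__version__.py with a line such as
#   __version__ = "2.28.1"   (the layout used by upstream requests).
REQ_FIXED="2.31.0"

# ver_lt A B: succeeds when version A sorts strictly below version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# requests_version FILE: print the version string from a __version__.py.
requests_version() {
    sed -n "s/^__version__[[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" \
        "$1" | head -n 1
}

# scan_bundled_requests APPS_DIR: one line per bundled copy, in the form
# "STATUS VERSION PATH", with PATH relative to APPS_DIR.
scan_bundled_requests() {
    dir=${1%/}
    find "$dir" -type f -path '*/requests/__version__.py' 2>/dev/null | sort |
    while IFS= read -r f; do
        v=$(requests_version "$f")
        if [ -z "$v" ]; then
            status=UNKNOWN          # file present but no parsable version
        elif ver_lt "$v" "$REQ_FIXED"; then
            status=OUTDATED         # edit and save the app in Add-on Builder
        else
            status=OK
        fi
        printf '%s %s %s\n' "$status" "${v:-?}" "${f#"$dir"/}"
    done
}
```

Run `scan_bundled_requests "$SPLUNK_HOME/etc/apps"` after the upgrade; the first path component of each OUTDATED line names the app to edit, save and, where needed, repackage.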


Product Status

Product                  Version   Component   Affected Version   Fix Version
Splunk Add-on Builder    -         -           Below 4.1.4        4.1.4


Severity

For the CVEs in this list, Splunk adopted the national vulnerability
database (NVD) common vulnerability scoring system (CVSS) rating to
align with industry standards.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
