Splunk has released security updates that address multiple vulnerabilities in Splunk Enterprise, including a critical vulnerability that could lead to arbitrary code execution. Splunk is a SIEM (Security Information and Event Management) solution that collects logs from various sources, stores (indexes) the collected logs, and provides search, analysis, and correlation across the stored data.
The vulnerability tracked as CVE-2022-32158 exists because Splunk Enterprise deployment servers prior to version 9.0 allow a deployment client to manipulate the server into distributing forwarder bundles to other clients. A threat actor who has compromised one Universal Forwarder endpoint could exploit this to execute arbitrary code on every other Universal Forwarder endpoint that subscribes to the same deployment server. The Universal Forwarder is used to collect data from endpoint systems: when the data to be collected is not directly available on the server where Splunk is installed, the Splunk Universal Forwarder (UF) can be installed on remote endpoint servers and used to forward the data back to Splunk for indexing.
Alongside this issue, Splunk also announced fixes for several other critical vulnerabilities in Splunk Enterprise, including a flaw in which deployment servers in versions prior to 9.0 allowed forwarder bundles to be downloaded without authentication (CVE-2022-32157). Splunk resolved both issues in Splunk Enterprise 9.0. Splunk users are advised to upgrade vulnerable installations to the newly released version immediately.
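Because both CVEs are fixed by a version boundary (9.0) and only matter on hosts that act as deployment servers, the practical check is to enumerate every Splunk Enterprise instance, read its version and roles, and flag those below 9.0 that serve bundles. The script below is an added example, not code from the advisory or from Splunk; it assumes the management REST API is reachable on its usual port (8089), that a Splunk authentication token is available, and that `/services/server/info` reports the instance version in `content.version` and its roles in a `server_roles` list (the field names are taken from that endpoint's JSON output; treat them as assumptions to verify against your own instance). The sample responses and hostnames are constructed so the script runs offline.

```python
"""Assess Splunk Enterprise hosts for CVE-2022-32157 / CVE-2022-32158 exposure.

Compares the version reported by the management REST API (/services/server/info)
against the fixed release (9.0) and flags hosts that act as deployment servers.
"""
import json
import re
import ssl
from typing import Any, Dict, Tuple
from urllib.request import Request, urlopen

# First release that contains the deployment server fixes, per the advisory.
FIXED_VERSION: Tuple[int, int, int] = (9, 0, 0)
AFFECTED_CVES = ("CVE-2022-32157", "CVE-2022-32158")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a Splunk version string ('8.2.6', '9.0', '9.0.1.1') into a 3-tuple."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable Splunk version: {version!r}")
    nums = [int(p) for p in parts[:3]] + [0, 0]  # pad short versions such as '9.0'
    return (nums[0], nums[1], nums[2])


def is_vulnerable(version: str) -> bool:
    """True when the reported version predates the 9.0 fix."""
    return parse_version(version) < FIXED_VERSION


def assess_server_info(info_json: str) -> Dict[str, Any]:
    """Evaluate one JSON body from /services/server/info?output_mode=json.

    `server_roles` (assumed field name) is the role list Splunk reports for the
    instance; the deployment server CVEs only matter on hosts that serve bundles.
    """
    content = json.loads(info_json)["entry"][0]["content"]
    version = content["version"]
    roles = content.get("server_roles", [])
    affected = is_vulnerable(version)
    is_ds = "deployment_server" in roles
    if affected and is_ds:
        finding = f"deployment server on {version}: {', '.join(AFFECTED_CVES)} apply; upgrade to 9.0"
    elif affected:
        finding = f"{version} predates the fix; at risk if this host is made a deployment server"
    else:
        finding = f"{version} includes the 9.0 deployment server fixes"
    return {"host": content.get("host", "unknown"), "version": version,
            "deployment_server": is_ds, "affected": affected, "finding": finding}


def fetch_server_info(base_url: str, token: str, verify_tls: bool = True) -> str:
    """Fetch /services/server/info from a live instance using a Splunk auth token."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab instances that still use self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = Request(f"{base_url}/services/server/info?output_mode=json",
                  headers={"Authorization": f"Bearer {token}"})
    with urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses: same shape as the real endpoint, made-up hostnames.
SAMPLE_DS_PRE_FIX = json.dumps({"entry": [{"content": {
    "host": "ds01.lab.internal", "version": "8.2.6",
    "server_roles": ["deployment_server", "indexer"]}}]})
SAMPLE_SH_PRE_FIX = json.dumps({"entry": [{"content": {
    "host": "sh01.lab.internal", "version": "8.1.10",
    "server_roles": ["search_head"]}}]})
SAMPLE_FIXED = json.dumps({"entry": [{"content": {
    "host": "ds02.lab.internal", "version": "9.0.0",
    "server_roles": ["deployment_server"]}}]})

if __name__ == "__main__":
    # Offline run over the constructed samples; swap in fetch_server_info(...) per host
    # (e.g. "https://ds01.lab.internal:8089") to assess a live fleet.
    for body in (SAMPLE_DS_PRE_FIX, SAMPLE_SH_PRE_FIX, SAMPLE_FIXED):
        r = assess_server_info(body)
        print(f"{r['host']:<20} {r['finding']}")
```

A search head or indexer below 9.0 is still reported, but with a lower-priority finding: the advisory's two CVEs concern the deployment server function, so the hosts to upgrade first are those that currently hold that role.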