SecurityWeek

Splunk Patches High-Severity Vulnerabilities in Enterprise Product

Splunk has patched multiple vulnerabilities in Splunk Enterprise, including high-severity remote code execution bugs.

Splunk on Monday announced patches for 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including six high-severity bugs.

Three of the high-severity issues are remote code execution flaws that require authentication for successful exploitation.

The first of them, tracked as CVE-2024-36985, could be exploited by a low-privileged user through a lookup that likely references the ‘splunk_archiver’ application. The issue affects Splunk Enterprise versions 9.2.x, 9.1.x, and 9.0.x.

Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10 address the vulnerability. The bug can also be mitigated by disabling the ‘splunk_archiver’ application.
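The branch-by-branch fixed versions above are easy to get wrong in a hurry (9.2.1 is unpatched, 9.0.10 is not). The following is an added example, not Splunk's own tooling or code from the article: it classifies an installed Splunk Enterprise version against CVE-2024-36985 using only the affected branches and fixed versions the advisory summary names. It does not cover the other CVEs on this page, for which the article gives no version numbers, and the hostnames and inventory are constructed. Treating a build suffix after "-" or "+" as ignorable, and returning "unlisted" for branches the summary does not mention, are my assumptions.

```python
"""Classify Splunk Enterprise versions against CVE-2024-36985.

Added example (not Splunk's code). Affected branches 9.2.x, 9.1.x, 9.0.x and
fixed versions 9.2.2, 9.1.5, 9.0.10 are taken from the advisory summary.
"""

from typing import Dict, List, Tuple

# Minimum version carrying the fix, keyed by (major, minor) release branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (9, 2): (9, 2, 2),
    (9, 1): (9, 1, 5),
    (9, 0): (9, 0, 10),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.1.4' or '9.2.2.1' into an int tuple for ordered comparison.

    Assumption: anything after '-' or '+' is a build tag and is ignored.
    """
    core = version.strip().split("-")[0].split("+")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised Splunk version string: {version!r}")
    return parts


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unlisted' for CVE-2024-36985.

    A bare branch string such as '9.2' compares below '9.2.2' and is
    therefore reported as vulnerable, which is the conservative reading.
    """
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch not in FIXED_VERSIONS:
        # Branch not named in the advisory summary: do not guess either way.
        return "unlisted"
    return "patched" if parsed >= FIXED_VERSIONS[branch] else "vulnerable"


def triage(inventory: Dict[str, str]) -> List[str]:
    """Given {host: version}, return the hosts that still need the patch."""
    return sorted(host for host, ver in inventory.items()
                  if assess(ver) == "vulnerable")


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for the demo.
    inventory = {
        "sh-01": "9.2.1",
        "sh-02": "9.2.2",
        "idx-01": "9.1.4",
        "idx-02": "9.0.10",
        "legacy-01": "8.2.12",
    }
    for host, ver in inventory.items():
        print(f"{host:10s} {ver:8s} {assess(ver)}")
    print("needs patch:", triage(inventory))
```

Run it against a version list pulled from your own asset inventory; an "unlisted" result means the branch is outside what this article documents and should be checked against Splunk's advisory page rather than assumed safe. Remember that the article also names disabling the ‘splunk_archiver’ application as a mitigation for hosts that cannot be upgraded immediately.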

Impacting Splunk Enterprise for Windows and tracked as CVE-2024-36984, the second RCE bug allows an authenticated attacker to execute a crafted query to serialize untrusted data and execute arbitrary code.

“The exploit requires the use of the collect SPL command which writes a file within the Splunk Enterprise installation. The attacker could then use this file to submit a serialized payload that could result in execution of code within the payload,” Splunk notes.


The third RCE affects the dashboard PDF generation component in the Enterprise and Cloud Platform products, which uses a vulnerable version of the ReportLab Toolkit (v3.6.1) Python library.

Splunk also patched a high-severity command injection flaw in the Enterprise and Cloud Platform products that could allow an authenticated user to create an external lookup calling to a legacy internal function and insert code in the Splunk platform’s installation directory.

“The vulnerability revolves around the currently-deprecated ‘runshellscript’ command that scripted alert actions use. This command, along with external command lookups, lets an authenticated user use this vulnerability to inject and execute commands within a privileged context from the Splunk platform instance,” Splunk explains.

The remaining high-severity bugs include a path traversal in Splunk Enterprise on Windows and a denial-of-service in the Enterprise and Cloud Platform products.

The remaining fixes that Splunk released on Monday address medium-severity flaws impacting the Enterprise and Cloud Platform products.

Splunk makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found on Splunk’s security advisories page.

On Monday, the company also announced patches for nearly two dozen issues in third-party packages in Splunk Enterprise and notified users of Splunk Enterprise on Linux and Universal Forwarder on Solaris that, in certain versions and architectures, the cryptographic library for OpenSSL was incorrectly compiled.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
