Splunk has been reported with a Unauthenticated Log injection vulnerability in the Splunk IT Service Intelligence (ITSI) product. This vulnerability exists in Splunk ITSI versions prior to 4.13.3 or 4.15.3.
Splunk ITSI is an Artificial Intelligence Operations (AIOps) powered monitoring and analytics solution that provides users with visibility about the health of critical IT and business services and their infrastructure.
CVE-2023-4571: Unauthenticated Log Injection in Splunk IT Service Intelligence (ITSI)
This vulnerability can be exploited by a threat actor by injecting an American National Standard Institute (ANSI) escape code inside the Splunk ITSI log files that can run malicious code in the vulnerable application if a vulnerable terminal application reads it.
However, this vulnerability requires user interactions to be performed. The user must read the malicious log file using a terminal application that translates the ANSI escape codes in the vulnerable terminal.
This vulnerability can be exploited by threat actors to perform malicious actions like copying the malicious file from Splunk ITSI and reading it on their local machine.
The impact of this vulnerability on Splunk ITSI can vary depending upon the permission in the vulnerable terminal application. The CVSS score for this vulnerability has been given as 8.6 (High).
As per the security advisory, Splunk has requested its users to upgrade to version 4.13.3 or 4.15.3 to patch this vulnerability. However, logs prior to the upgrade might still be at risk. To mitigate this, users are recommended to
- Remove existing ITSI log files in $SPLUNK_HOME/var/log/splunk/ or $SPLUNK_HOME/var/run/splunk/dispatch//itsi_search.log
- In the case of Windows, the log files are present in %SPLUNK_HOME%\var\log\splunk and %SPLUNK_HOME%\var\run\splunk\dispatch\\itsi_search.log, which must be removed.
|Product||Version||Component||Affected Version||Fix Version|
|Splunk ITSI||4.13||–||4.13.0 to 4.13.2||4.13.3|
|Splunk ITSI||4.15||–||4.15.0 to 4.15.2||4.15.3|
Users of Splunk ITSI are recommended to upgrade to the latest version to fix this vulnerability and follow the mitigation steps provided. Organizations are getting targeted by multiple threat actors from different perspectives.
It is high time to take precautionary actions against all the identified vulnerabilities and patch them accordingly to prevent any disastrous events.