Splunk has discovered a vulnerability that allows unauthenticated log injection, which could enable malicious actors to run harmful code on the system.
Splunk SOAR (Security Orchestration, Automation, and Response) is an application that can be used to automate repetitive tasks and respond to security incidents rapidly, which leads to higher productivity. It can also be used to automate responses using playbooks from one interface.
The vulnerability exists in Splunk SOAR, but exploitation also requires that the poisoned log be viewed in a terminal application that interprets ANSI escape codes. In addition, the terminal user must hold the permissions needed for the injected codes to have any effect.
CVE-2023-3997: Unauthenticated Log Injection In Splunk SOAR
A threat actor can exploit this vulnerability by sending a crafted web request to an endpoint in SOAR, which places attacker-controlled content into a log file. When a terminal user views the poisoned log, the embedded escape codes are interpreted by the terminal and can result in malicious code execution on that system. The CVSS score for this vulnerability is given as 8.6 (High).
Exploitation, however, depends on the permissions of the terminal user who reads the log file. If the malicious log file is copied to and read on a local machine, that local machine is affected instead of the SOAR instance.
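The defensive check a SOAR operator would want here is to find out whether a log already contains terminal escape sequences before anyone opens it in an ANSI-aware terminal, and to render such lines inertly. The following Python is an added example, not Splunk's code and not tied to any specific SOAR endpoint or log path; the regular expressions for CSI, OSC and two-byte ESC sequences and the sample log lines are constructed for illustration.

```python
import re

# Terminal escape sequences that an ANSI-aware terminal would interpret instead
# of displaying. Constructed pattern covering the common sequence classes:
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: ESC [ params intermediates final (e.g. ESC[31m, ESC[2J)
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: ESC ] ... BEL or ESC \ (window titles, OSC 8 hyperlinks)
    r"|\x1b[ -/]+[0-~]"                     # nF: ESC intermediate(s) final (e.g. ESC ( B charset select)
    r"|\x1b[@-~]"                           # Fe/Fs two-byte: ESC c (RIS), ESC M, or any leftover ESC x
)

# Other C0 control bytes (plus DEL) that can rewrite what the reader sees,
# e.g. carriage return overwriting a line. Tab and newline are left alone.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def find_escapes(line):
    """Return every escape sequence found in one log line, in order."""
    return ANSI_RE.findall(line)


def scan_log(lines):
    """Return (1-based line number, number of escape sequences) for each line
    that a terminal would interpret rather than print verbatim."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = find_escapes(line)
        if hits:
            findings.append((n, len(hits)))
    return findings


def sanitize_line(line):
    """Render a log line safely for a terminal: ESC becomes visible caret
    notation ('^['), and remaining control bytes become \\xNN, so nothing in
    the line is executed by the terminal."""
    line = line.replace("\x1b", "^[")
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), line)


# Constructed sample log: line 1 is clean; the others carry injected sequences
# of the kind a terminal would act on (clear screen, colour, hyperlink, title, reset).
SAMPLE_LOG = [
    "2023-07-20 10:00:01 INFO  container created by user=alice",
    "2023-07-20 10:00:02 WARN  login failed for user=\x1b[2J\x1b[H\x1b[31mbob",
    "2023-07-20 10:00:03 INFO  asset=\x1b]8;;http://example.test\x07click\x1b]8;;\x07 updated",
    "2023-07-20 10:00:04 INFO  title=\x1b]0;owned\x07 and \x1bc reset",
]


if __name__ == "__main__":
    for lineno, count in scan_log(SAMPLE_LOG):
        print("line %d: %d escape sequence(s)" % (lineno, count))
    print("--- sanitized view ---")
    for line in SAMPLE_LOG:
        print(sanitize_line(line))
```

Run `scan_log` over a log before tailing or `cat`-ing it in a terminal, and pipe anything it flags through `sanitize_line` (or `cat -v`, which applies the same caret notation) rather than viewing it raw; the same check can be applied at ingestion so that escape-bearing lines are stored already neutralized.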
Affected Products and Fixed Versions
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk SOAR (On-premises) | 6.1 | SOAR | 6.0.1 and below | 6.1.0 |
| Splunk SOAR (Cloud) | | SOAR | 18.104.22.168902 and lower | 22.214.171.124 |
Splunk has released a security advisory for this vulnerability that includes details of the attack vector, attack complexity, privileges required, scope, and user interaction.
Users of Splunk SOAR are recommended to upgrade to the latest versions to prevent this vulnerability from getting exploited by threat actors.