OSVDB ID: 85824

Title: Splunk Data Preview Functionality Arbitrary File Access

Dates

Disclosure: Sep 04, 2012
Discovery: Jul 27, 2012
Exploit: Sep 04, 2012
Solution: Unknown

Description

Splunk has been reported to contain a flaw in the data preview functionality. Using this function, a remote authenticated attacker can gain access to all system files, including /etc/shadow and other sensitive configuration files. However, this vulnerability requires administrative authentication, and it only manifests if the installation is done against Splunk's posted guidelines for helping ensure a more secure deployment. The functionality in question is designed to allow access to the underlying operating system with the same privileges as the running process.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure, Misconfiguration
Impact: Loss of Confidentiality
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Vendor Disputed
OSVDB: Authentication Required, Myth / Fake

Solution

Despite the vendor saying it is not a vulnerability, an upgrade to version 4.3.4 or higher appears to fix this issue. An upgrade is required as there are no known workarounds.

Products

Splunk

Splunk

4.3.3

References

Credit: Unknown or Incomplete



Direct URL: http://osvdb.org/85824