Splunk Releases Critical Update
Splunk released an emergency patch this week, addressing a critical vulnerability that could lead to arbitrary code execution. The vulnerability, CVE-2022-32158, has a CVSS score of 9.0. An attacker taking advantage of the flaw could execute code on endpoints connected to a particular deployment server. Splunk released patches only for Splunk 9.0; users of older versions need to upgrade to 9.0 to patch.
If you're on Splunk 9.0, you will need to apply the patch. Due to the newness of the patch, you may wish to wait for any updates/issues to be squared away. If you're doing that, you need to disable the deployment server unless you're actively using it to deploy configuration updates. The ISC blog below has details on this approach. If you're not on Splunk 9.0, time to roll up your sleeves and get that update going.
This does not impact Splunk Cloud users, so it's relevant to a bit more than half of Splunk customers. SaaS vendors have a simpler patching issue than IaaS vendors, but in procurement it's very important to ask about and evaluate the vendors' patch time commitments, their use of external Cloud Service Providers and DoS protection, as well as broader security processes and controls. Like many security software vendors, Splunk is seeing its cloud business grow more than twice as fast as on-premises deployments. But margins (profit on sales) are still lower for cloud sales vs. on-premise. It's important to keep the pressure on all security vendors to make sure cloud security of their own offering is Job 1, even as they look to constrain costs to improve cloud profit.