CVE-2021-3422

7.5 HIGH

📋 TL;DR

A lack of validation in the Splunk-to-Splunk protocol allows attackers to cause denial-of-service in vulnerable Splunk Enterprise instances. This affects Splunk Enterprise versions before 7.3.9, 8.0.9, and 8.1.3 when configured to index Universal Forwarder traffic. Universal Forwarders themselves are not vulnerable.

💻 Affected Systems

Products:
  • Splunk Enterprise
Versions: before 7.3.9; 8.0 versions before 8.0.9; 8.1 versions before 8.1.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Splunk Enterprise instances configured to index Universal Forwarder traffic. Universal Forwarders are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial-of-service of Splunk Enterprise indexers, disrupting log collection, monitoring, and security operations.

🟠 Likely Case

Service disruption requiring a restart of affected Splunk Enterprise instances, potentially causing data loss or gaps in monitoring.

🟢 If Mitigated

When TLS and token authentication are enforced, an attacker must first compromise a forwarder certificate or token, which reduces the impact to medium severity.

🌐 Internet-Facing: MEDIUM - Requires TLS/token compromise for internet-facing instances, but DoS impact could be significant.
🏢 Internal Only: HIGH - Internal attackers or compromised systems could exploit this without certificate/token compromise in default configurations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the receiving port of a Splunk Enterprise indexer. When TLS or token authentication is enforced, an attacker must first compromise those credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.3.9, 8.0.9, or 8.1.3

Vendor Advisory: https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch version from the Splunk downloads portal.
2. Back up the current installation.
3. Stop Splunk services.
4. Install the patch.
5. Restart Splunk services.
6. Verify the version and functionality.

🔧 Temporary Workarounds

Enable TLS for Splunk-to-Splunk communication

Platform: all

Configure TLS encryption between forwarders and indexers so that exploitation first requires compromising a forwarder certificate. The command below only enables the receiving port; encryption itself is configured on the indexer in inputs.conf with a [splunktcp-ssl:<port>] stanza and an [SSL] stanza holding the server certificate.

splunk enable listen 9997 -auth admin:changeme

Implement token authentication

Platform: all

Configure token-based authentication for forwarder-to-indexer communication. On the indexer this is a [splunktcptoken://<token name>] stanza with a token value in inputs.conf, with the matching token set in the forwarder's outputs.conf. The command below changes the admin user's password (replacing the default changeme credential) and does not itself enable forwarder tokens.

splunk edit user admin -password newpassword -auth admin:changeme

🧯 If You Can't Patch

  • Implement both TLS encryption and token authentication for all Splunk-to-Splunk communications
  • Restrict network access to Splunk Enterprise indexers to trusted forwarders only using firewall rules

🔍 How to Verify

Check if Vulnerable:

Run splunk version. If the version is before 7.3.9, 8.0.9, or 8.1.3 and the instance is configured to receive Universal Forwarder traffic, the system is vulnerable.

Check Version:

splunk version

Verify Fix Applied:

Verify that the version is 7.3.9, 8.0.9, or 8.1.3 (or later in the same branch) using the splunk version command, then test forwarder connectivity.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service crashes in splunkd.log
  • Connection resets in splunkd_access.log
  • Failed forwarder connections

Network Indicators:

  • Unusual traffic patterns to Splunk indexer ports (default 9997)
  • Malformed packets to Splunk services

SIEM Query:

index=_internal source=*splunkd.log ("crash" OR "segmentation fault" OR "abnormal termination") AND ("forwarder" OR "s2s")
