CVE-2022-32156

8.1 HIGH

📋 TL;DR

In Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface (CLI) does not validate the TLS certificate of the remote Splunk instance it connects to. An attacker positioned on the network path (machine-in-the-middle) can therefore terminate the TLS session with a certificate of their own and read or alter CLI traffic, including the credentials and administrative commands it carries. Version 9.0 introduces the 'cliVerifyServerName' setting in server.conf, which must be enabled for the CLI to validate the remote certificate. Only on-premises Splunk Enterprise and Universal Forwarder deployments are affected; Splunk Cloud Platform is not.

💻 Affected Systems

Products:
  • Splunk Enterprise
  • Splunk Universal Forwarder
Versions: All versions before 9.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects CLI connections to remote Splunk instances. Splunk Cloud Platform is not affected.

📦 What is this software?

Splunk Enterprise is an on-premises platform for indexing and searching machine data (logs, metrics, events) and is widely used as a SIEM; the Universal Forwarder is the lightweight agent installed on servers and endpoints to ship data to Splunk indexers. Both include the 'splunk' command-line tool, which manages the local instance or, with the '-uri' option, a remote instance over HTTPS on the management port (8089/tcp by default). The remote case is the one this CVE concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker interposed on the path could read everything the CLI sends to the remote instance, including the administrator credentials used to authenticate the session, and could return forged responses or alter commands and configuration changes in flight.

🟠

Likely Case

In a targeted intrusion, an attacker who already holds a position on the internal network (for example through ARP or DNS spoofing on a management segment) could capture configuration data, credentials or administrative commands whenever an operator runs CLI commands against a remote Splunk instance.

🟢

If Mitigated

With certificate validation enabled, the CLI authenticates the remote Splunk instance's certificate before sending anything, so an attacker on the path cannot present a certificate of their own and terminate the TLS session in the server's place. TLS already encrypted the traffic; what was missing was authentication of the peer.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Requires a machine-in-the-middle position on the path between the CLI and the remote Splunk instance, and an administrator actually running remote CLI commands while the attacker is interposed. No evidence of exploitation in the wild at the time of disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0 or later

Vendor Advisory: https://www.splunk.com/en_us/product-security/announcements/svd-2022-0606.html

Restart Required: Yes

Instructions:

1. Upgrade to Splunk Enterprise / Universal Forwarder 9.0 or later (the validation setting does not exist in earlier releases).
2. Enable certificate validation for the CLI by setting 'cliVerifyServerName = true' in the [sslConfig] stanza of $SPLUNK_HOME/etc/system/local/server.conf; the setting is off by default after the upgrade.
3. Restart Splunk.

🔧 Temporary Workarounds

Enable TLS certificate validation for the CLI (9.0 and later only)

Applies to: all platforms

The 'cliVerifyServerName' setting was introduced in 9.0 and is not recognised by earlier releases, so it cannot be used as a pre-upgrade workaround; on versions before 9.0 the only options are the network controls listed under "If You Can't Patch". On 9.0 or later, where the setting defaults to off, enable it as follows:

Edit $SPLUNK_HOME/etc/system/local/server.conf
Add: [sslConfig]
Add: cliVerifyServerName = true
Restart Splunk

🧯 If You Can't Patch

  • Restrict which hosts can reach the Splunk management port (8089/tcp by default) using host firewalls or network segmentation, so that only known administrative hosts and Splunk components can open CLI or REST sessions
  • Avoid remote CLI use on unpatched instances: log in to the target host (for example over SSH) and run 'splunk' locally instead of pointing the CLI at a remote instance with '-uri'
  • Monitor for unusual network traffic patterns between Splunk components and toward the management port

🔍 How to Verify

Check if Vulnerable:

An instance is vulnerable if its version is below 9.0. An instance on 9.0 or later is still unprotected until 'cliVerifyServerName' is set to true in the [sslConfig] stanza of server.conf; a copy of the setting under any other stanza has no effect.

Check Version:

$SPLUNK_HOME/bin/splunk version

Verify Fix Applied:

Confirm the version is 9.0 or later and that 'cliVerifyServerName = true' appears under [sslConfig] in server.conf. Because settings can also come from apps and deployment bundles, check the merged value rather than a single file: '$SPLUNK_HOME/bin/splunk btool server list sslConfig --debug' prints the effective value and the file it comes from.
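To make the checks above repeatable across a fleet, here is a small POSIX shell script, added as an example and not part of Splunk or of this advisory, that classifies an instance from its version string and its server.conf. It assumes that 'splunk version' prints a line beginning "Splunk <version>" and that the effective setting lives in the [sslConfig] stanza; the three server.conf samples it writes to a temporary directory are constructed for the demonstration, not taken from a real deployment.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling: assess a Splunk instance for
# CVE-2022-32156 from (a) its version and (b) whether server.conf enables
# cliVerifyServerName in the [sslConfig] stanza, the only place it takes effect.
# Assumptions: "splunk version" prints a line like "Splunk 9.0.4 (build ...)";
# the sample server.conf files written below are constructed for this example.

# Print "ge9" for 9.0 or later, "lt9" for older, "unknown" if unparseable.
version_class() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    case "$major" in
        ''|*[!0-9]*) echo unknown ;;
        *) if [ "$major" -ge 9 ]; then echo ge9; else echo lt9; fi ;;
    esac
}

# Print the effective cliVerifyServerName value from one server.conf file:
# "true", "false" or "unset". A copy of the setting under any other stanza
# (for example [general]) is ignored, as splunkd would ignore it.
cli_verify_setting() {
    awk '
        /^[[:space:]]*[[]/ {                # stanza header, e.g. [sslConfig]
            stanza = $0
            sub(/^[[:space:]]*[[]/, "", stanza)
            stanza = substr(stanza, 1, index(stanza, "]") - 1)
            next
        }
        stanza == "sslConfig" && /^[[:space:]]*cliVerifyServerName[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)   # keep only the value
            sub(/[[:space:]]+$/, "", val)
            found = 1                           # last occurrence wins
        }
        END {
            if (!found) print "unset"
            else if (tolower(val) == "true" || val == "1") print "true"
            else print "false"
        }
    ' "$1"
}

# Combine both checks. Prints VULNERABLE (pre-9.0: no config fix exists),
# NOT_MITIGATED (9.0+ but validation still off), MITIGATED, or UNKNOWN.
# Exit status is 0 only for MITIGATED, so the function works in scripts.
assess() {
    case "$(version_class "$1")" in
        unknown) echo UNKNOWN; return 2 ;;
        lt9)     echo VULNERABLE; return 1 ;;
    esac
    if [ -f "$2" ] && [ "$(cli_verify_setting "$2")" = "true" ]; then
        echo MITIGATED; return 0
    fi
    echo NOT_MITIGATED; return 1
}

# Constructed sample configurations (not real deployment files).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf '[general]\nserverName = idx01\n' > "$tmpdir/pre9.conf"
printf '[general]\nserverName = idx01\ncliVerifyServerName = true\n' > "$tmpdir/wrongstanza.conf"
printf '[general]\nserverName = idx01\n\n[sslConfig]\ncliVerifyServerName = true\n' > "$tmpdir/fixed.conf"

for pair in "8.2.9 pre9.conf" "9.0.4 wrongstanza.conf" "9.0.4 fixed.conf"; do
    set -- $pair
    printf '%-6s %-16s -> %s\n' "$1" "$2" "$(assess "$1" "$tmpdir/$2")"
done

# Live check of the local install, if SPLUNK_HOME is set (assumed output format).
if [ -n "${SPLUNK_HOME:-}" ] && [ -x "$SPLUNK_HOME/bin/splunk" ]; then
    live_ver=$("$SPLUNK_HOME/bin/splunk" version 2>/dev/null |
        sed -n 's/^Splunk \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    assess "$live_ver" "$SPLUNK_HOME/etc/system/local/server.conf"
fi
```

The second sample shows why stanza tracking matters: 'cliVerifyServerName = true' placed under [general] is reported as NOT_MITIGATED, because Splunk only honours it under [sslConfig]. On a real host the local server.conf is one layer of several; '$SPLUNK_HOME/bin/splunk btool server list sslConfig --debug' shows the merged value and which file supplies it, which is the value to trust when apps or deployment-server bundles also touch the stanza.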

📡 Detection & Monitoring

Log Indicators:

  • TLS certificate validation failures recorded in splunkd.log once 'cliVerifyServerName' is enabled: a failure against a host that used to work is the signal that something on the path is presenting a different certificate
  • CLI sessions to the management port from hosts or at times outside the normal administrative pattern

Network Indicators:

  • TLS sessions to the management port (8089/tcp by default) in which the server certificate's issuer, subject or fingerprint differs from the certificate the instance actually serves
  • ARP or DNS anomalies on management segments (duplicate IP-to-MAC mappings, unexpected answers for Splunk hostnames) that would let an attacker take a position on the path

SIEM Query:

source="*splunkd.log" (("certificate" "validation" "failed") OR "cliVerifyServerName")

In SPL, OR binds more tightly than the implicit AND between adjacent terms, so without the parentheses the query would match events containing 'certificate' and 'validation' and either 'failed' or 'cliVerifyServerName', which is not the intent.

🔗 References

  • Splunk advisory SVD-2022-0606: https://www.splunk.com/en_us/product-security/announcements/svd-2022-0606.html
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-32156
