CVE-2024-36983

8.0 HIGH

📋 TL;DR

This vulnerability allows authenticated users in Splunk Enterprise and Splunk Cloud Platform to create external lookups that call legacy internal functions, enabling them to insert and execute arbitrary code on the Splunk instance. It affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207. Attackers need authenticated access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Splunk Enterprise
  • Splunk Cloud Platform
Versions: Splunk Enterprise: below 9.2.2, 9.1.5, 9.0.10; Splunk Cloud Platform: below 9.1.2312.109 and 9.1.2308.207
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; affects both on-premises and cloud deployments.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated malicious user gains full control of the Splunk instance, potentially compromising the entire Splunk deployment and accessing sensitive data.

🟠

Likely Case

Privilege escalation leading to unauthorized code execution within the Splunk environment, potentially affecting other systems.

🟢

If Mitigated

Limited impact with proper authentication controls and monitoring, but still poses risk from insider threats.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of Splunk's external lookup functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Splunk Enterprise: 9.2.2, 9.1.5, 9.0.10; Splunk Cloud Platform: 9.1.2312.109, 9.1.2308.207

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-0703

Restart Required: Yes

Instructions:

1. Back up your Splunk configuration and data.
2. Download the appropriate patch from Splunk's website.
3. Stop Splunk services.
4. Apply the patch following Splunk's upgrade documentation.
5. Restart Splunk services.
6. Verify the upgrade was successful.

🔧 Temporary Workarounds

Restrict External Lookup Creation

all

Limit which users can create external lookups through Splunk's role-based access controls.

Configure Splunk roles to remove the 'edit_lookups' capability from non-admin users.

🧯 If You Can't Patch

  • Implement strict access controls to limit authenticated user privileges
  • Monitor for suspicious external lookup creation and execution

🔍 How to Verify

Check if Vulnerable:

Check Splunk version via web interface or command line; compare against affected versions.

Check Version:

On Splunk instance: $SPLUNK_HOME/bin/splunk version

Verify Fix Applied:

Verify Splunk version is at or above patched versions after upgrade.
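The version check above, carried through as an added example that is not Splunk's own tooling: a POSIX shell script that parses the output of `$SPLUNK_HOME/bin/splunk version` and classifies the installed release against the three affected Splunk Enterprise branches this page lists (below 9.2.2, 9.1.5 and 9.0.10). It assumes that `splunk version` prints a line of the form `Splunk X.Y.Z (build <id>)`; the build id used in the test is a placeholder. Splunk Cloud Platform build numbers (9.1.2312.x and 9.1.2308.x) are not handled, and branches the page does not list (8.x, 9.3 and later) are reported as "not in the affected ranges" rather than as safe.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling): classify a Splunk Enterprise
# version string against the affected ranges this page lists for
# CVE-2024-36983 (below 9.2.2, 9.1.5 and 9.0.10).
# Assumption: `splunk version` prints a line like "Splunk 9.2.1 (build <id>)".
# Splunk Cloud Platform build numbers (9.1.2312.x / 9.1.2308.x) are not handled.

# Pull "X.Y.Z" out of the `splunk version` output; prints nothing if no match.
splunk_parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Splunk \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# First fixed release for a 9.x minor branch (values from the page);
# prints nothing for a branch the page does not list.
splunk_fixed_version() {
    case "$1" in
        0) echo 9.0.10 ;;
        1) echo 9.1.5 ;;
        2) echo 9.2.2 ;;
        *) echo "" ;;
    esac
}

# splunk_vulnerable X.Y.Z
# exit 0 when the version is inside an affected range, 1 when it is not,
# 2 when the string cannot be parsed as X.Y.Z.
splunk_vulnerable() {
    ver="$1"
    case "$ver" in
        *.*.*) ;;
        *) echo "expected X.Y.Z, got '$ver'" >&2; return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%.*}
    for part in "$major" "$minor" "$patch"; do
        case "$part" in
            ''|*[!0-9]*) echo "non-numeric component in '$ver'" >&2; return 2 ;;
        esac
    done

    # Only the 9.0, 9.1 and 9.2 branches are listed on this page.
    [ "$major" -eq 9 ] || return 1
    fixed=$(splunk_fixed_version "$minor")
    [ -n "$fixed" ] || return 1
    fixed_patch=${fixed##*.}
    [ "$patch" -lt "$fixed_patch" ]
}

# Run on the instance itself: read the installed version and report.
# Exit 0 = affected, 1 = not in the listed ranges, 2 = could not determine.
splunk_check_instance() {
    bin="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
    out=$("$bin" version 2>/dev/null) || { echo "cannot run $bin version" >&2; return 2; }
    ver=$(splunk_parse_version "$out")
    [ -n "$ver" ] || { echo "could not parse version from: $out" >&2; return 2; }
    splunk_vulnerable "$ver"
    rc=$?
    case "$rc" in
        0)
            minor=${ver#*.}; minor=${minor%%.*}
            echo "$ver is in an affected range; upgrade to $(splunk_fixed_version "$minor") or later"
            ;;
        1)
            echo "$ver is not in the affected ranges listed for CVE-2024-36983"
            ;;
    esac
    return "$rc"
}

# Usage on the instance: sh check_splunk_version.sh --check
if [ "${1:-}" = "--check" ]; then
    splunk_check_instance
fi
```

The comparison is done per branch rather than as a single "greater than 9.2.2" test, because 9.1.5 is a fixed release while 9.2.1 is not; a naive lexical or single-threshold comparison gets both wrong.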

📡 Detection & Monitoring

Log Indicators:

  • Unusual external lookup creation events
  • Suspicious file writes to Splunk installation directory

Network Indicators:

  • Unexpected outbound connections from Splunk instance

SIEM Query:

index=_audit action=edit_lookups | search user!=admin
