CVE-2024-36997
📋 TL;DR
In Splunk Enterprise versions below 9.2.2, 9.1.5 and 9.0.10, and in Splunk Cloud Platform versions below 9.1.2312, a user holding the admin role can store arbitrary JavaScript through the conf-web/settings REST endpoint (the endpoint that writes the [settings] stanza of web.conf). Splunk Web later renders the stored value for other users, so the script runs in their browsers: a persistent (stored) cross-site scripting (XSS) vulnerability. Any user who loads Splunk Web on an unpatched instance is a potential victim, but the attacker must already hold the admin role.
💻 Affected Systems
- Splunk Enterprise
- Splunk Cloud Platform
📦 What is this software?
Splunk by Splunk. Splunk Enterprise is a self-hosted platform for indexing, searching and alerting on machine data and is widely deployed as a SIEM; Splunk Cloud Platform is the Splunk-operated SaaS edition of the same product. Splunk Web is the browser front end, and its behaviour is configured through web.conf, which is what the conf-web REST endpoint edits.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who already holds the admin role could run JavaScript in the browser of every user who loads Splunk Web, stealing session cookies or tokens, issuing requests in those users' names (including other administrators), or using the trusted Splunk origin as a launching point for further browser-based attacks.
Likely Case
Privileged insider or compromised admin account could target specific users for credential theft or session hijacking.
If Mitigated
With the admin role restricted to a small set of named, strongly authenticated accounts and their configuration changes monitored, the residual risk is a malicious or compromised administrator. Such an account already has broad control over the instance, so the incremental harm from this flaw is the ability to act silently in other users' sessions rather than any new level of access.
🎯 Exploit Status
Exploitation requires an account with the admin role on the Splunk instance. The flaw is in the conf-web/settings REST endpoint, which stores web.conf [settings] values without neutralizing script content that Splunk Web later renders. An admin can reach this endpoint through the Splunk Web settings pages or directly on the management port (8089 by default), so no additional access or tooling is needed beyond the admin account itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Splunk Enterprise 9.2.2, 9.1.5, 9.0.10; Splunk Cloud Platform 9.1.2312 or later
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-0717
Restart Required: Yes
Instructions:
1. Back up the Splunk configuration ($SPLUNK_HOME/etc) and, where practical, the indexed data.
2. Obtain the fixed release for your branch (9.2.2, 9.1.5 or 9.0.10, or a later release in the same branch) from Splunk's download site. Splunk ships maintenance releases rather than hotfix patches, so this is an in-place upgrade.
3. Stop Splunk ($SPLUNK_HOME/bin/splunk stop).
4. Install the new release over the existing installation following Splunk's upgrade documentation for your platform and deployment topology. Upgrade search heads and any other instance where users log in to Splunk Web first, since those are the instances that render the stored script.
5. Start Splunk ($SPLUNK_HOME/bin/splunk start) and accept the license and migration prompts.
6. Confirm the reported version, then review the [settings] stanza in web.conf (in particular $SPLUNK_HOME/etc/system/local/web.conf) for unexpected HTML or script content. Upgrading closes the injection path but does not necessarily remove a value an attacker already stored.
Splunk Cloud Platform is upgraded by Splunk; customers confirm the stack version rather than applying an upgrade themselves.
🔧 Temporary Workarounds
Restrict Admin Access
Limit the admin role to the smallest possible set of named accounts, require strong authentication (SSO/MFA) for them, and do not use shared admin credentials.
Monitor Admin Activities
Review logging of admin actions, in particular POST requests whose path contains conf-web/settings (splunkd_access.log in the _internal index) and any change to the web.conf [settings] stanza.
🧯 If You Can't Patch
- Apply least privilege to admin accounts (named, MFA-protected, no shared credentials) and review every change to web.conf [settings].
- Where users never log in to Splunk Web on an instance (indexers and other non-search-head nodes in a distributed deployment), disable Splunk Web there (startwebserver = 0 in web.conf, or splunk disable webserver). That removes the page that would render a stored script on those hosts.
- A web application firewall (WAF) in front of Splunk Web can alert on or block writes to conf-web/settings from unexpected sources. Note that the REST API is also reachable directly on the management port (8089 by default), so restrict that port to administrative hosts rather than relying on content inspection of XSS payloads, which an admin can encode in many ways.
🔍 How to Verify
Check if Vulnerable:
Check the Splunk version in Splunk Web (Help > About), with the CLI, or from the REST endpoint /services/server/info. Splunk Enterprise is vulnerable if the version is below 9.2.2 on the 9.2 branch, below 9.1.5 on the 9.1 branch, or below 9.0.10 on the 9.0 branch; Splunk Cloud Platform is vulnerable below 9.1.2312. Compare within the branch: 9.1.4 is vulnerable even though it is numerically above 9.0.10.
Check Version:
On the Splunk server: $SPLUNK_HOME/bin/splunk version (prints a line of the form "Splunk 9.1.3 (build <id>)").
Verify Fix Applied:
After upgrading, confirm that every search head and any other instance serving Splunk Web reports a version at or above the fixed release for its branch. Then confirm that admins can still edit Server settings in Splunk Web, and that the web.conf [settings] stanza contains no leftover script or HTML content from before the upgrade.
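As an added example (not from this page or from Splunk), the following Python applies the per-branch version rules above to the output of splunk version, or to the JSON returned by /services/server/info, so the check can be run across a fleet instead of read by eye. The version strings are constructed samples. Two rules are assumptions rather than statements from the advisory: branches older than 9.0 are out of support and have no fix listed, so they are reported as vulnerable; branches newer than 9.2 were released after the fixed versions, so they are reported as not vulnerable.

```python
import json
import re

# Lowest fixed release for each affected Splunk Enterprise branch (SVD-2024-0717).
FIXED_BY_BRANCH = {
    (9, 0): (9, 0, 10),
    (9, 1): (9, 1, 5),
    (9, 2): (9, 2, 2),
}
# Assumption: branches older than 9.0 have no fix listed and are treated as
# vulnerable; branches newer than 9.2 postdate the fix and are treated as safe.
OLDEST_ASSESSED_BRANCH = (9, 0)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_cli_version(text):
    """Extract (major, minor, patch) from `splunk version` output,
    e.g. 'Splunk 9.1.3 (build 0123456789ab)' -> (9, 1, 3)."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in match.groups())


def parse_server_info_version(json_text):
    """Extract the version from /services/server/info?output_mode=json,
    which reports it at entry[0].content.version."""
    doc = json.loads(json_text)
    return parse_cli_version(doc["entry"][0]["content"]["version"])


def is_vulnerable(version):
    """True when a (major, minor, patch) tuple is below the fixed release
    for its own branch; the comparison is never made across branches."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    return branch < OLDEST_ASSESSED_BRANCH


def assess_hosts(reports):
    """Map host -> `splunk version` output to host -> (version, vulnerable)."""
    result = {}
    for host, text in reports.items():
        version = parse_cli_version(text)
        result[host] = (version, is_vulnerable(version))
    return result


if __name__ == "__main__":
    # Constructed sample output, not collected from real hosts.
    sample_reports = {
        "sh01": "Splunk 9.1.3 (build 0123456789ab)",
        "sh02": "Splunk 9.2.2 (build 0123456789ab)",
        "idx01": "Splunk 9.0.9 (build 0123456789ab)",
        "legacy": "Splunk 8.2.12 (build 0123456789ab)",
    }
    for host, (version, vulnerable) in sorted(assess_hosts(sample_reports).items()):
        label = "VULNERABLE" if vulnerable else "fixed"
        print(f"{host:8} {'.'.join(map(str, version)):8} {label}")
```

The comparison is done on integer tuples within the branch, which is the detail a plain string or float comparison gets wrong (9.1.4 is vulnerable, 9.0.10 is not, and "9.0.10" sorts before "9.0.9" as text).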
📡 Detection & Monitoring
Log Indicators:
- POST requests whose path contains conf-web/settings (the user and app segments of the /servicesNS/.../ prefix vary), recorded in splunkd_access.log (index=_internal, sourcetype=splunkd_access). Requests made through Splunk Web are also visible in web_access.log as proxied /splunkd/__raw/ calls, but direct calls to the management port appear only in splunkd_access.log, so that is the source to monitor.
- Such writes from an admin account at an unusual time, from a source IP that account does not normally use, or by an account that does not otherwise change server settings.
- If configuration change tracking is enabled (Splunk 9.0 and later writes it to index=_configtracker; confirm the sourcetype name on your instance), a change to web.conf [settings] whose new value contains HTML tags or JavaScript.
Network Indicators:
- HTTP POST bodies to the conf-web/settings endpoint containing script tags, event-handler attributes or javascript: URLs. Splunk's access logs do not record request bodies, so this indicator needs a TLS-terminating proxy or WAF that logs bodies, or the configuration change tracking above; a search for script or javascript in access-log events finds nothing.
SIEM Query:
index=_internal sourcetype=splunkd_access method=POST uri_path="*conf-web/settings*"
| stats count min(_time) AS first_seen max(_time) AS last_seen values(clientip) AS clientip BY user uri_path status
| convert ctime(first_seen) ctime(last_seen)
Review every row: this endpoint is written rarely in most deployments, so each write should be attributable to a known change by a known administrator.
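As an added example (not the page's or Splunk's own code), the following Python runs the log indicator above over a few constructed splunkd_access.log-style lines: it parses each line, keeps POST requests whose path contains conf-web/settings, and summarises them by user and client IP so a reviewer can spot a write from an unexpected source. The line layout and the request paths are approximations written for the example (the match is on the conf-web/settings substring, so the exact /servicesNS/ prefix does not matter), and the code makes no attempt to inspect request bodies, which these logs do not contain.

```python
import re
from collections import Counter

# Constructed sample lines approximating splunkd_access.log. Layout per line:
# clientip - user [timestamp] "METHOD path HTTP/x.y" status bytes ... (the
# trailing fields vary by version and are ignored). Not from a real system.
SAMPLE_LOG = """\
10.0.0.5 - admin [17/Jul/2024:10:01:02.345 +0000] "GET /services/server/info HTTP/1.1" 200 2211 - - - 3ms
10.0.0.5 - admin [17/Jul/2024:10:01:09.110 +0000] "POST /servicesNS/nobody/system/configs/conf-web/settings HTTP/1.1" 200 812 - - - 12ms
10.0.0.7 - jdoe [17/Jul/2024:10:02:30.004 +0000] "GET /servicesNS/nobody/system/configs/conf-web/settings HTTP/1.1" 200 4090 - - - 4ms
10.0.0.8 - svc_deploy [17/Jul/2024:10:05:00.000 +0000] "POST /servicesNS/nobody/search/saved/searches HTTP/1.1" 201 1500 - - - 20ms
203.0.113.9 - admin [17/Jul/2024:23:15:41.777 +0000] "POST /servicesNS/nobody/system/configs/conf-web/settings HTTP/1.1" 200 812 - - - 9ms
this line is not an access log record
"""

ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Writes to the web.conf [settings] stanza go through this endpoint; the
# /servicesNS/<user>/<app>/ prefix varies, so match on the trailing segment.
TARGET_SEGMENT = "conf-web/settings"
WRITE_METHODS = {"POST"}


def parse_access_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    match = ACCESS_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["status"] = int(event["status"])
    return event


def is_web_settings_write(event):
    """A write to conf-web/settings is the action this CVE abuses. Status is
    deliberately not filtered: a rejected attempt is worth seeing as well."""
    return event["method"] in WRITE_METHODS and TARGET_SEGMENT in event["path"]


def find_web_settings_writes(log_text):
    """Parse every line and keep only writes to conf-web/settings, in log order."""
    events = (parse_access_line(line) for line in log_text.splitlines())
    return [e for e in events if e is not None and is_web_settings_write(e)]


def summarize_by_source(events):
    """Count writes per (user, clientip); a new IP for an admin is the thing to chase."""
    return Counter((e["user"], e["clientip"]) for e in events)


if __name__ == "__main__":
    hits = find_web_settings_writes(SAMPLE_LOG)
    for e in hits:
        print(f"{e['timestamp']}  {e['user']}@{e['clientip']}  "
              f"{e['method']} {e['path']}  {e['status']}")
    print(dict(summarize_by_source(hits)))
```

On the sample data the GET of the same endpoint (a normal settings page load) and the POST to an unrelated endpoint are dropped, and the two remaining writes come from the same admin account but from two different networks, with the second late at night: that pairing, rather than anything in the request itself, is what the access log can give you for this CVE.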