SB2024101547 - Splunk Enterprise update for third-party components
Published: October 15, 2024 Updated: January 31, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 50 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2023-45284)
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to the IsLocal() function from the path/filepath package does not correctly detect reserved device names in some cases when executed on Windows. Reserved names followed by spaces, such as "COM1 ", and reserved names
"COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly
reported as local. A local user can abuse such behavior and bypass implemented security restrictions.
2) Reachable Assertion (CVE-ID: CVE-2021-27212)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when processing LDAP packets within the issuerAndThisUpdateCheck() function in schema_init.c. A remote attacker can send a specially crafted packet with a short timestamp to the slapd and perform a denial of service (DoS) attack.
3) Improper Initialization (CVE-ID: CVE-2017-14159)
The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.
slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by openldap-initscript.
4) Stack-based buffer overflow (CVE-ID: CVE-2017-17740)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to a boundary error шт contrib/slapd-modules/nops/nops.c when both the nops module and the memberof overlay are enabled. A remote unauthenticated attacker can trigger stack-based buffer overflow and cause slapd crash via a member MODDN operation.
5) Improper Authorization (CVE-ID: CVE-2019-13057)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to incorrect processing of rootDN delegation in the OpenLDAP multi-tenant deployments. A database administrator could use this issue to request authorization as an identity from another database, contrary to expectations.
6) Improper Authorization (CVE-ID: CVE-2019-13565)
7) Resource exhaustion (CVE-ID: CVE-2023-45288)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single HTTP/2 stream. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.8) Resource exhaustion (CVE-ID: CVE-2023-39325)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive consumption of internal resources when handling HTTP/2 requests. A remote attacker can bypass the http2.Server.MaxConcurrentStreams setting by creating new connections while the current connections are still being processed, trigger resource exhaustion and perform a denial of service (DoS) attack.
9) Input validation error (CVE-ID: CVE-2024-24790)
The vulnerability allows a remote attacker to modify application behavior.
The vulnerability exists due to improper handling of IPv4-mapped IPv6 addresses in net/netip within multiple methods, e.g. IsPrivate, IsLoopback. The affected methods return false for addresses which would return true in their traditional IPv4 forms, leading to potential bypass of implemented security features.
10) Cross-site scripting (CVE-ID: CVE-2023-39318)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the html/template package when handling HMTL-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. A remote attacker can pass specially crafted input to the application and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
11) Missing Encryption of Sensitive Data (CVE-ID: CVE-2023-45285)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to a fallback to insecure git. Using "go get" to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. OPROXY=off).
12) Input validation error (CVE-ID: CVE-2023-45283)
The vulnerability allows a local user to bypass implemented security restrictions.
13) Integer underflow (CVE-ID: CVE-2020-36228)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer underflow when processing the certificate list exact assertion. A remote attacker can send a specially crafted request to the slapd, trigger integer underflow and perform a denial of service (DoS) attack.
14) Resource exhaustion (CVE-ID: CVE-2023-39326)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP chunked requests. A remote attacker can send specially crafted HTTP requests to the server and consume excessive memory resources.
15) Cross-site scripting (CVE-ID: CVE-2023-39319)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists within the html/template package caused by improperly applied rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. A remote attacker can pass specially crafted input to the application and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
16) Input validation error (CVE-ID: CVE-2023-26125)
The vulnerability allows a remote attacker to poison application's cache.
The vulnerability exists due to insufficient validation of user-supplied input when processing X-Forwarded-Prefix header. A remote attacker can pass send specially crafted request to the application and perform cache poisoning.
17) Download of code without integrity check (CVE-ID: CVE-2023-29401)
The vulnerability allows a remote attacker to modify data on the system.
The vulnerability exists due to software does not perform software integrity check when downloading updates. A remote attacker with ability to perform man-in-the-middle (MitM) attack can supply a malicious software image and modify data on the system.
18) Cross-site scripting (CVE-ID: CVE-2023-3978)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
19) Resource exhaustion (CVE-ID: CVE-2023-50658)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can pass a large p2c value to the application, trigger excessive CPU consumption and perform a denial of service (DoS) attack.
20) Input validation error (CVE-ID: CVE-2023-39323)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when processing line directives (e.g. "//line") in the code. A remote attacker can bypass restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build".
21) Input validation error (CVE-ID: CVE-2023-39322)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in crypto/tls when processing post-handshake message on QUIC connections. A remote attacker can send an incomplete post-handshake message for a QUIC connection and perform a denial of service (DoS) attack.
22) Input validation error (CVE-ID: CVE-2023-39321)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in crypto/tls when processing post-handshake message on QUIC connections. A remote attacker can send an incomplete post-handshake message for a QUIC connection and perform a denial of service (DoS) attack.
23) Code Injection (CVE-ID: CVE-2023-39320)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the go.mod toolchain directive. A remote attacker can execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
24) Reachable Assertion (CVE-ID: CVE-2020-36230)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when parsing the X.509 DN within the ber_next_element() function in decode.c. A remote attacker can send a specially crafted request to slapd and perform a denial of service (DoS) attack.
25) Infinite loop (CVE-ID: CVE-2020-36227)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in slapd with the cancel_extop Cancel operation. A remote attacker can send a specially crafted request and perform a denial of service conditions.
26) Information disclosure (CVE-ID: CVE-2023-45803)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to urllib3 does not remove the HTTP request body when redirecting HTTP response using status codes 301, 302, or 303, after the request had its method changed from one that could accept a request body (e.g. from POST to GET). A remote attacker can gain access to potentially sensitive information.
27) Inadequate encryption strength (CVE-ID: CVE-2023-48795)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to incorrect implementation of the SSH Binary Packet Protocol (BPP), which mishandles the handshake phase and the use of sequence numbers. A remote attacker can perform MitM attack and delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5.
The vulnerability was dubbed "Terrapin attack" and it affects both client and server implementations.
28) Information disclosure (CVE-ID: CVE-2023-43804)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to urllib does not strip the "Cookie" HTTP header during cross-origin HTTP redirects. A remote attacker can gain unauthorized access to sensitive information.
29) Information disclosure (CVE-ID: CVE-2024-37891)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to Prox-Authorization header is not stripped during cross-origin redirects when using urllib3's proxy support with ProxyManager. A remote attacker can gain obtain proxy credentials used by the library.
30) Security features bypass (CVE-ID: CVE-2024-35195)
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to the session object does not verify requests after making first request with verify=False. A local administrator can bypass authentication.
31) Incorrect Regular Expression (CVE-ID: CVE-2022-42969)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in Subversion repository caused by a mishandled InfoSvnCommand argument. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
32) SQL injection (CVE-ID: CVE-2022-29155)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the experimental back-sql backend to slapd during an LDAP search operation when the search filter is processed. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
33) NULL pointer dereference (CVE-ID: CVE-2023-2953)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the ber_memalloc_x() function. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.
34) Input validation error (CVE-ID: CVE-2015-3276)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input within the nss_parse_ciphers() function in libraries/libldap/tls_m.c when parsing OpenSSL-style multi-keyword mode cipher strings. A remote attacker can pass force the application to use a weaker than intended cipher.
35) Resource exhaustion (CVE-ID: CVE-2024-28180)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when decompressing JWE with Decrypt or DecryptMulti. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
36) Infinite loop (CVE-ID: CVE-2024-24786)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when parsing data in an invalid JSON format within the protojson.Unmarshal() function. A remote attacker can consume all available system resources and cause denial of service conditions.
37) Resource exhaustion (CVE-ID: CVE-2023-44487)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".
Note, the vulnerability is being actively exploited in the wild.
38) Resource exhaustion (CVE-ID: CVE-2023-47108)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to grpc Unary Server Interceptor does not properly control consumption of internal resources when processing multiple requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
39) Resource management error (CVE-ID: CVE-2020-36226)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application leading to a memch->bv_len miscalculation during saslAuthzTo processing. A remote attacker can send specially crafted request to the slapd and perform a denial of service (DoS) attack.
40) Resource exhaustion (CVE-ID: CVE-2023-45142)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect processing of HTTP header User-Agent and HTTP method. A remote attacker can send multiple requests with long randomly generated HTTP methods or/and User agents and consume memory resources, leading to a denial of service condition.41) Insufficient verification of data authenticity (CVE-ID: CVE-2024-24557)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient verification of data authenticity. A remote attacker can poison victim´s cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.
42) Resource management error (CVE-ID: CVE-2020-12243)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error when performing searches with nested boolean expressions in filter.c within the slapd daemon in OpenLDAP. A remote attacker can send a specially crafted LDAP request to the affected server and crash the LDAP service.
43) Improper Certificate Validation (CVE-ID: CVE-2020-15719)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to improper certificate validation in libldap. A remote attacker can perform MitM attack.
44) NULL pointer dereference (CVE-ID: CVE-2020-25692)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in slapd normalization handling with modrdn. A remote non-authenticated attacker can send specially crafted packet to the slapd daemon and perform a denial of service (DoS) attack.
45) Reachable Assertion (CVE-ID: CVE-2020-36222)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in slapd in the saslAuthzTo validation. A remote attacker can send a specially crafted request and perform a denial of service (DoS) attack.
46) Double Free (CVE-ID: CVE-2020-36223)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error during the Values Return Filter control handling. A remote attacker can send a specially crafted request to the slapd, trigger a double free error and perform a denial of service (DoS) attack.
47) Integer underflow (CVE-ID: CVE-2020-36221)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer underflow within the serialNumberAndIssuerCheck() function in schema_init.c. A remote attacker can send a specially crafted request to the affected application, trigger an integer underflow and crash the slapd.
48) Release of invalid pointer or reference (CVE-ID: CVE-2020-36224)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to release of an invalid pointer when processing saslAuthzTo requests. A remote attacker can send a specially crafted request to slapd and perform a denial of service (DoS) attack.
49) Double Free (CVE-ID: CVE-2020-36225)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the saslAuthzTo processing. A remote attacker can send a specially crafted request to the slapd, trigger a double free error and perform a denial of service (DoS) attack
50) Type Confusion (CVE-ID: CVE-2020-36229)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a type confusion error in ldap_X509dn2bv when parsing X.509 DN in ad_keystring. A remote attacker can send a specially crafted request to slapd and crash it.
Remediation
Install update from vendor's website.