CVE-2021-3422

The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. The vulnerability impacts Splunk Enterprise versions before 7.3.9, 8.0 versions before 8.0.9, and 8.1 versions before 8.1.3. It does not impact Universal Forwarders. When Splunk forwarding is secured using TLS or a Token, the attack requires compromising the certificate or token, or both. Implementation of either or both reduces the severity to Medium.

Published: Mar 25, 2022
Updated: Apr 14, 2023
CVE: CVE-2021-3422
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
splunk / splunk	8.1	8.1.3
splunk / splunk	8.0	8.0.9
splunk / splunk	-	7.3.9

https://claroty.com/2022/03/24/blog-research-locking-down-splunk-enterprise-indexers-and-forwarders/
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html

Vulnerability Database

289,697

CVE-2021-3422