forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathsplunk_information_disclosure.yml
More file actions
49 lines (46 loc) · 2.46 KB
/
splunk_information_disclosure.yml
File metadata and controls
49 lines (46 loc) · 2.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
category:
- Vulnerability
channel: ESCU
creation_date: '2018-06-14'
description: Reduce the risk of CVE-2018-11409, an information disclosure vulnerability
within some older versions of Splunk Enterprise, with searches designed to help
ensure that your Splunk system does not leak information to authenticated users.
detections:
- detection_id: f6a26b7b-7e80-4963-a9a8-d836e7534ebd
name: Splunk Enterprise Information Disclosure
type: splunk
id: 1fc34cbc-34e9-43ba-87ab-6811c9e95400
maintainers:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
modification_date: '2018-06-14'
name: Splunk Enterprise Vulnerability CVE-2018-11409
narrative: 'Although there have been no reports of it being exploited, Splunk Enterprise
versions through 7.0.1 reportedly have a vulnerability that may expose information
through a REST endpoint (read more here: https://www.splunk.com/view/SP-CAAAP5E#VulnerabilityDescriptionsandRatings).
NIST has included it in its vulnerability database (read more here: https://nvd.nist.gov/vuln/detail/CVE-2018-11409).
The REST endpoint that exposes system information is also necessary for the proper
operation of Splunk clustering and instrumentation. Customers should upgrade to
the latest version to reduce the risk of this vulnerability.\
Splunk Enterprise exposes partial information about the host operating system, hardware,
and Splunk license. Splunk Enterprise before 6.6.0 exposes this information without
authentication. Splunk Enterprise 6.6.0 and later exposes this information only
to authenticated Splunk users. Based on the information exposure, Splunk characterizes
this issue as a low severity impact.\
Read more in Splunk''s official response: https://www.splunk.com/view/SP-CAAAP5E#VulnerabilityDescriptionsandRatings.\
A detection search within this Analytic Story looks for vulnerabilities described
in CVE-2018-11409: Information Exposure (https://nvd.nist.gov/vuln/detail/CVE-2018-11409).
If it turns up activities that may be specific, you can use the included investigative
searches to return information regarding web activity and network traffic by src_ip.'
original_authors:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
references:
- https://nvd.nist.gov/vuln/detail/CVE-2018-11409
- https://www.splunk.com/view/SP-CAAAP5E#VulnerabilityDescriptionsandRatings
- https://www.exploit-db.com/exploits/44865/
spec_version: 2
usecase: Security Monitoring
version: '1.0'