CVE-2022-32155

moderate-risk
Published 2022-06-15

In universal forwarder versions before 9.0, management services are available remotely by default. When not required, it introduces a potential exposure, but it is not a vulnerability. If exposed, we recommend each customer assess the potential severity specific to your environment. In 9.0, the universal forwarder now binds the management port to localhost preventing remote logins by default. If management services are not required in versions before 9.0, set disableDefaultPort = true in server.conf OR allowRemoteLogin = never in server.conf OR mgmtHostPort = localhost in web.conf. See Configure universal forwarder management security (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_universal_forwarder_management_security) for more information on disabling the remote management services.

Do I need to act?

-
0.43% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Splunk

References (6)

Mitigation https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnam...
Release Notes https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates
Vendor Advisory https://www.splunk.com/en_us/product-security/announcements/svd-2022-0605.html
Mitigation https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnam...
Release Notes https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates
Vendor Advisory https://www.splunk.com/en_us/product-security/announcements/svd-2022-0605.html
35
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 7/34 · Low