Nadim Taha

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 8.1.10.1 Splunk Enterprise versions prior to 8.2.6.1 Splunk Enterprise versions prior to 9.0 **Description** The issue is related to inadequate access control in Splunk Enterprise deployment servers, allowing an attacker who has compromised a Universal Forwarder endpoint to execute arbitrary code on other Universal Forwarder endpoints subscribed to the deployment server. This can be done by deploying forwarder bundles to other deployment clients through the deployment server. **Recommendations** For versions prior to 8.1.10.1, update to version 8.1.10.1 or later. For versions prior to 8.2.6.1, update to version 8.2.6.1 or later. For versions prior to 9.0, update to version 9.0 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.0 **Description** The issue is related to the lack of an authentication procedure in Splunk Enterprise deployment servers, allowing unauthenticated downloading of forwarder bundles. This can potentially enable a remote attacker to elevate their privileges. Remediation requires updating the deployment server to version 9.0 and configuring authentication for deployment servers and clients. Once enabled, deployment servers can only manage Universal Forwarder versions 9.0 and higher. Although Universal Forwarders are not directly affected, updating them to version 9.0 or higher is necessary prior to enabling the remediation. **Recommendations** Update the deployment server to version 9.0. Configure authentication for deployment servers and clients. Update all Universal Forwarders managed by the deployment server to version 9.0 or higher prior to enabling the remediation.